Firstly this kind of vulnerability requires no white-boarding. It is fair to assume that a dev with a reasonable understanding of how the web protocols work will not need a white board to figure this out. So firstly the argument of catching this on a WB is a little juvenile.

Associating TDD to being haphazard is pretty random. Being hap hazard and TDDing are really in 2 different math spaces. Care not to mix em?