cybersecurity · beginner · ~15 min · safe pentest lab
Implement a deny-by-default denylist check that validates untrusted string input (NULL, empty, oversized) before comparing, and understand banned-password lists as a defensive control against credential guessing.
Weak, widely-reused passwords like password or 123456 are the first thing a credential-stuffing attacker tries. A basic defensive control is a banned-password denylist: at signup or password-change time you refuse any password that appears in a known-bad list, forcing users away from trivially guessable secrets.
In this lab you implement that check as a pure function. The asset is the account whose password is being set; the threat is an attacker who guesses common passwords. The insecure assumption to avoid is trusting attacker-controlled input (the candidate password string) blindly: it may be NULL, empty, or arbitrarily long, and your comparison must never read past its bytes.
Implement int is_banned_password(const char *pw) so it returns 1 if and only if pw exactly matches one of the fixed banned passwords below, and 0 otherwise. Deny by default: any input you cannot positively confirm as banned is treated as allowed (0). This operates only on a fixed array baked into the harness — never a live target, network, or filesystem.
Banned list: password, 123456, 12345678, qwerty, abc123, letmein, admin, iloveyou.
NULL input must return 0 (no dereference)."" is not on the list, so 0.Password and password1 are allowed.A single C string pointer pw (may be NULL, empty, or arbitrary length).
An int: 1 if pw exactly matches a banned password, otherwise 0.
C11, no dynamic allocation required. The denylist is fixed and case-sensitive. Do not modify pw. NULL must yield 0. Comparison must be exact (full-string), not prefix or substring.
int is_banned_password(const char *pw){
/* TODO: return 1 if pw exactly matches one of the banned passwords
(password, 123456, 12345678, qwerty, abc123, letmein, admin, iloveyou),
else 0. NULL must return 0 and you must not dereference it.
This stub is intentionally wrong and will fail the tests. */
(void)pw;
return -1;
}
Dereferencing pw before the NULL check; using strncmp with a fixed length so that a prefix like 'password1' wrongly matches 'password'; doing case-insensitive comparison and banning legitimate mixed-case passwords; using strstr and matching substrings; forgetting an entry in the denylist.
NULL pointer -> 0; empty string -> 0; case variations (Password vs password) -> 0; prefixes/superstrings (password1) -> 0; very long strings -> 0 with no buffer overread; exact banned match -> 1.
Solve this exercise in the browser editor — compile and run against the test harness, no setup required.