cybersecurity · intermediate · ~15 min · safe pentest lab

Set-Cookie Security-Attribute Auditor

Parse an attacker-controlled, delimiter-separated header safely and match tokens by exact name (not substring), so a security audit neither under- nor over-reports the protections on a session cookie.

Challenge

Cookie hardening audit

When a server issues a session cookie, the Set-Cookie header carries the security attributes that decide how safe that session is. Secure keeps the cookie off plaintext HTTP, HttpOnly hides it from JavaScript (blunting XSS theft), and SameSite limits cross-site sending (blunting CSRF). A cookie that ships without these is a session-hijacking waiting to happen, so security tooling has to audit the header and report exactly which protections are present.

The asset here is the session cookie; the threat is an auditor that over-reports safety because it was fooled by sloppy parsing. Attackers control the raw header bytes, so a lookalike token such as Secured or SameSiteX=1 must NOT be counted as Secure/SameSite. The insecure assumption to avoid is "if the string contains the word, the flag is set" — a substring search would wrongly credit NotHttpOnly or a cookie value of secure123.

Your job: implement int cookie_flags(const char *set_cookie). Split the value on ;, trim whitespace around each attribute, and match the attribute name (the part before any =) case-insensitively against exactly Secure, HttpOnly, and SameSite. Return a bitmask: bit0 (1) Secure, bit1 (2) HttpOnly, bit2 (4) SameSite. Absent attributes contribute 0.

Operate only on the caller's fixed buffer — never a live target, network, or filesystem. Deny by default: a NULL or empty header yields 0, and only an exact attribute-name match sets a bit.

Example

  • cookie_flags(full) -> 7 (where full = "sid=x; Secure; HttpOnly; SameSite=Strict")
  • cookie_flags(none) -> 0 (where none = "sid=x; Path=/")

Input format

A single argument: const char *set_cookie, a NUL-terminated Set-Cookie header value (attributes separated by ';'), or NULL. Attacker-controlled bytes.

Output format

An int bitmask: bit0 (1) = Secure present, bit1 (2) = HttpOnly present, bit2 (4) = SameSite present. Bits OR together; absent attributes contribute 0.

Constraints

C11, freestanding function (harness supplies includes). Read only within the NUL-terminated buffer; never index by an attacker-controlled length. Matching is case-insensitive on the attribute NAME only (text before '='). NULL or empty input returns 0. No allocation required; must be memory-safe under ASan/UBSan.

Starter code

int cookie_flags(const char *set_cookie){
    /* TODO: parse the Set-Cookie value and return the security-attribute
       bitmask (bit0 Secure, bit1 HttpOnly, bit2 SameSite). Deny by default:
       until implemented, report "no attributes verified". */
    (void)set_cookie;
    return -1;
}

Common mistakes

Using strstr/substring search so 'Secured' or a value 'secure123' falsely trips a flag; matching the whole segment including the '=value' so 'SameSite=Strict' never equals 'SameSite'; forgetting case-insensitivity; not trimming whitespace so ' Secure' misses; dereferencing a NULL header; reading past the terminator when the last segment has no trailing ';'.

Edge cases to handle

NULL pointer; empty string; leading/trailing spaces and tabs around attributes and around '='; mixed case (sEcUrE, SAMESITE); SameSite written with or without a value; near-miss lookalikes that must be rejected (Secured, NotHttpOnly, SameSiteX); the attribute name appearing only inside the cookie value (sid=secure123) which must NOT set a bit.

Background lessons

Solve this exercise in the browser editor — compile and run against the test harness, no setup required.