cybersecurity · beginner · ~15 min · safe pentest lab
Recognize the three cookie flags that harden a session (Secure, HttpOnly, SameSite) and implement a deny-by-default audit that parses attacker-influenced header text safely, without buffer over-reads or NULL dereferences.
A session cookie is the key to a logged-in account. If an attacker can read it (over plain HTTP, or via JavaScript in an XSS) or replay it from a malicious cross-site request, they hijack the session. Three Set-Cookie attributes shut those doors: Secure (never sent over plain HTTP), HttpOnly (invisible to document.cookie), and SameSite (blocks cross-site sending, so it needs a real value like Strict, Lax, or None).
The insecure assumption is that a cookie "looks fine" — developers eyeball the header and miss a missing flag. Your job is an automated audit that DENIES by default: a cookie is only approved when ALL THREE protections are present.
Implement is_secure_cookie. Given a NUL-terminated Set-Cookie header string, return 1 only if it sets Secure, HttpOnly, AND a SameSite with a non-empty value; otherwise return 0. Scan attributes as ;-separated tokens, trim surrounding whitespace, and match attribute names case-insensitively. A NULL pointer must be rejected safely, never dereferenced.
SameSite with no =value (bare SameSite or SameSite=) is NOT hardened — reject it.SecureHttpOnlySameSite=1) must not count as the real flags.NULL both return 0.is_secure_cookie(hardened) -> 1is_secure_cookie(no_samesite) -> 0A single NUL-terminated C string set_cookie holding the value of one Set-Cookie header (may be empty; the pointer may be NULL). Attributes are separated by ';' and may have surrounding spaces.
Return int 1 if the header sets Secure, HttpOnly, and a valued SameSite attribute; otherwise return 0.
C11, single function, no I/O and no allocation. Do not dereference a NULL pointer. Only read the provided buffer up to its terminating NUL; never read past it. Attribute-name matching is case-insensitive.
int is_secure_cookie(const char *set_cookie){
/* TODO: audit the Set-Cookie header for Secure, HttpOnly, and SameSite.
Placeholder trusts every cookie — replace this. */
(void)set_cookie;
return 1;
}
Using strstr("Secure") which matches Secureish and substrings anywhere; forgetting SameSite needs an actual value; case-sensitive comparison that misses httponly; dereferencing a NULL header; approving when only one or two flags are present (failing to deny by default).
NULL pointer -> 0; empty string -> 0; bare SameSite or SameSite= (no value) -> 0; flag names embedded in a larger token must not match; leading/trailing whitespace around attributes; lowercase or mixed-case attribute names must still match.
Solve this exercise in the browser editor — compile and run against the test harness, no setup required.