🍪 Cookie Security Lab

A comprehensive security CTF challenge for learning cookie vulnerabilities through hands-on exploitation

Overview

Cookie Security Lab is an educational platform designed for security professionals and students to practice identifying, exploiting, and mitigating cookie-related vulnerabilities. This lab provides 6 realistic vulnerabilities with hashed CTF flags, step-by-step walkthroughs, and secure pattern examples.

Perfect for:

• 🎓 Security training programs
• 🏆 CTF competitions
• 🔬 Penetration testing practice
• 📚 OWASP ASVS learning
• 🛡️ Web application security courses

---

🎯 What You'll Learn

• ✅ Cookie tampering for authorization bypass
• ✅ XSS and session theft via missing HttpOnly
• ✅ Over-broad cookie scope exploitation
• ✅ Session fixation attacks
• ✅ CSRF (Cross-Site Request Forgery)
• ✅ Cookie value poisoning
• ✅ Secure cookie patterns (HttpOnly, Secure, SameSite)
• ✅ Server-side session management

---

🚩 CTF Challenges (6 Flags)

#	Vulnerability	Flag	Difficulty
1	Client-Controlled Role Cookie	FLAG{CLIENT_CONTROLLED_ROLE_59721BC5}	⭐ Easy
2	XSS Cookie Theft	FLAG{XSS_COOKIE_THEFT_5C6EA866}	⭐⭐ Medium
3	Broad Scope Cookie	FLAG{BROAD_SCOPE_COOKIE_0DE7C8AB}	⭐ Easy
4	Session Fixation	FLAG{SESSION_FIXATION_E3C79F1B}	⭐⭐ Medium
5	CSRF Role Change	FLAG{CSRF_ROLE_CHANGE_3051E639}	⭐⭐ Medium
6	Cookie Poisoning	FLAG{COOKIE_POISONING_252CD918}	⭐⭐ Medium

---

📋 Prerequisites

• Node.js ≥ 18 (Install)
• npm (comes with Node.js)
• Firefox or Chrome browser (recommended)
• Burp Suite Community (optional, for advanced exercises)

---

⚡ Quick Start

1. Clone Repository

git clone https://github.com/yourusername/cookie-security-lab.git
cd cookie-security-lab

2. Install Dependencies

npm install

3. Start Server

npm start

4. Open in Browser

Navigate to: http://localhost:3004

---

📚 Documentation

Document	Purpose
CTF-Walkthrough.md	Start here! Step-by-step flag collection guide
cookie-lab-guide.md	Detailed vulnerability explanations & OWASP mappings
cookie-lab-server.js	Well-commented vulnerable server code

---

🎓 Vulnerabilities Demonstrated

Vulnerability 1: Client-Controlled Role Cookie

• Risk: Authorization bypass via cookie tampering
• Method: DevTools or Burp Suite
• Learning: Never trust client-side authorization

Vulnerability 2: Missing HttpOnly & Secure

• Risk: JavaScript can steal session cookies; transmission over HTTP
• Method: XSS simulation & console
• Learning: HttpOnly is mandatory for session cookies

Vulnerability 3: Overly Broad Cookie Scope

• Risk: Cookies sent with every request (images, stylesheets, etc.)
• Method: DevTools Network tab
• Learning: Use specific paths and domain restrictions

Vulnerability 4: Session Fixation

• Risk: Attacker forces known session ID on victim
• Method: URL parameter manipulation
• Learning: Generate session IDs server-side only

Vulnerability 5: CSRF (Missing SameSite)

• Risk: Malicious form can change user settings
• Method: Form submission demo
• Learning: Implement CSRF tokens and SameSite

Vulnerability 6: Cookie Poisoning

• Risk: Server accepts arbitrary cookie values
• Method: Query parameter injection
• Learning: Never trust cookie inputs

---

🔐 Secure Reference Implementation

Each vulnerability includes a comparison with the secure pattern:

• /secure/login — Server-side session with opaque ID
• /secure/admin — Authorization via server-side lookup
• Proper flags: HttpOnly, Secure, SameSite=Strict

---

🛠️ Technology Stack

• Backend: Express.js (Node.js)
• Cookie Parser: cookie-parser
• Crypto: Node.js built-in crypto module
• Frontend: HTML/CSS (educational landing page)

---

📦 Project Structure

cookie-security-lab/
├── cookie-lab-server.js          # Main vulnerable server
├── cookie-lab-guide.md           # Comprehensive guide
├── CTF-Walkthrough.md            # Step-by-step solutions
├── package.json                  # Dependencies
├── README.md                     # This file
├── LICENSE                       # MIT License
├── .gitignore                    # Git ignore rules
└── .github/
    └── workflows/
        └── verify.yml            # CI/CD pipeline

---

🚀 Features

✨ 6 Unique Vulnerabilities - Each teaches distinct security concepts 🎯 Hashed CTF Flags - Anti-guessing, cryptographically verified 📖 Detailed Walkthroughs - Step-by-step exploitation guides 🔒 Secure Patterns - Compare vulnerable vs. secure implementations 🏷️ OWASP ASVS Mapped - Links to security standards 💬 Code Comments - Educational explanations throughout 🧪 CI/CD Pipeline - Automated verification

---

🎮 How to Complete the CTF

1. Follow the walkthrough: Open CTF-Walkthrough.md
2. Exploit each vulnerability: Use provided methods (DevTools, Burp, etc.)
3. Collect flags: Each exploit returns a unique hashed flag
4. Document learning: Take notes on security lessons
5. Compare secure patterns: Review /secure/* endpoints

---

🌐 Searchable Keywords

This project helps you learn:

• CTF (Capture The Flag)
• Cookie Security
• Web Vulnerabilities
• OWASP ASVS
• Session Management
• XSS (Cross-Site Scripting)
• CSRF (Cross-Site Request Forgery)
• Penetration Testing
• Security Training
• Vulnerable Code Examples

---

⚠️ Security Disclaimer

This lab intentionally contains security vulnerabilities for educational purposes.

• ❌ Do NOT deploy in production
• ❌ Do NOT use code patterns from this lab in real applications
• ✅ Study the vulnerabilities and security lessons
• ✅ Always implement secure patterns from /secure/* examples

---

📝 Lab Report Template

When completing this lab, document:

1. Vulnerability Name - What was exploited?
2. Root Cause - Why was it vulnerable?
3. Exploitation Method - How did you exploit it?
4. Flag - What did you collect?
5. Mitigation - How would you fix it?
6. OWASP ID - Reference standard

---

🔗 Learning Resources

• OWASP ASVS v4.0 — Session Management (V3) & Access Control (V4)
• PortSwigger Web Academy — Cookie & Session labs
• RFC 6265bis — Cookie specification
• OWASP Testing Guide — Session testing

---

💡 Tips for Success

1. Use Developer Tools - F12 in Firefox/Chrome, especially Application tab
2. Monitor Network Traffic - Watch cookie headers in real-time
3. Use Burp Suite - Repeater tab is excellent for testing variations
4. Read Console Logs - Server prints helpful debugging info
5. Compare Secure Code - /secure/* shows proper patterns
6. Document Everything - Take screenshots of each flag

---

🤝 Contributing

Found an issue or have suggestions?

• Open an issue on GitHub
• Submit a pull request with improvements
• Suggest new vulnerabilities to demonstrate

---

📄 License

This project is licensed under the MIT License - see LICENSE file for details.

---

🙏 Acknowledgments

• Built for security education and OWASP awareness
• Inspired by real-world cookie vulnerabilities
• References: PortSwigger, OWASP, RFC 6265bis

---

📞 Support

• 📖 Read CTF-Walkthrough.md for step-by-step help
• 📚 See cookie-lab-guide.md for detailed explanations
• 🔧 Check server logs for debugging info
• ❓ Review code comments for implementation details

---

Happy learning! 🎓 Collect all 6 flags and master cookie security! 🚩