Weak Password Reset Implementation

Weak Password Reset Implementation

Overview of the Vulnerability

When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. Tokens sent over HTTP, predictable reset tokens, and long expiry times create weak conditions for the password reset implementation. This application’s weak password reset implementation allows an attacker to intercept the password reset token and reset a user’s password, locking the user out of their account and achieving full account takeover.

Business Impact

Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust.

Steps to Reproduce

1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP

2. Use a browser to login to a valid account and navigate to: {{URL}}

3. Click on the reset link

4. Capture the request using the HTTP interception proxy

5. Observe the weakness in the password reset implementation

Proof of Concept (PoC)

The following screenshot shows the weak password reset implementation:

{{screenshot}}

Recommendation(s)

Password reset tokens should be sufficiently long, random, have a short expiry time, and invalidated after first use.

For more information refer to the following guides relating to this vulnerability:

• https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

• https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#change-password-feature

• https://cwe.mitre.org/data/definitions/640.html

• https://cwe.mitre.org/data/definitions/620.html