Test the password reset process

Application password change and reset is a self-service mechanism for changing or resetting a password for users without administrator intervention. If it is weak, it allows an attacker to change any user's password and thus hijack their account. You must protect the password reset mechanism from unauthorized changes, e.g. by using one-time authorization tokens sent to the e-mail.

In one of the applications tested, the server did not verify the password change authorization token. Knowing the user's email, you can change their password by sending the appropriate request to the server presented below:

Knowing a user's e-mail address, you can change their password by sending a request to the server

In response, the server sent a password change confirmation presented below:

password change confirmation

Chcesz wiedzieć więcej?

Zapisz się i bądź informowany o nowych postach.

Nigdy nie podam, nie wymienię ani nie sprzedam Twojego adresu e-mail. W każdej chwili możesz zrezygnować z subskrypcji.

Bookmark the permalink.

Podziel się swoją opinią na temat artykułu