Password reset link not expiring
After a user has used a password reset token, that token should be burned and never accepted again for that account. The problem is that developers sometimes forget to invalidate these tokens. This opens several attack avenues: the attacker can generate an unlimited number of valid tokens, because the developer does not invalidate the previous token when a new one is requested, or the attacker can phish with a link that the victim assumes has already expired.
Recommendations to fix
Ensure that generated tokens or codes are:
- Invalidated after being used
- Invalidated after requesting a new token
- Invalidated after a certain period to prevent brute-forcing
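As an added illustration (not code from the original story), a minimal Python token store that applies all three rules; the 15-minute lifetime, the class name and the hashing of stored tokens are assumptions:

```python
import hashlib
import hmac
import secrets
import time

# Assumed lifetime; choose a value that fits the application's risk model
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Single-use password reset tokens, at most one live token per account."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # account -> (sha256(token), issued_at). Only the hash is kept, so a
        # database leak does not hand out tokens that are still usable.
        self._live = {}

    def issue(self, account: str) -> str:
        # Rule 2: issuing a new token silently discards the earlier one
        token = secrets.token_urlsafe(32)
        self._live[account] = (self._digest(token), self._clock())
        return token

    def redeem(self, account: str, token: str) -> bool:
        entry = self._live.get(account)
        if entry is None:
            return False  # no live token (never issued, burned or superseded)
        stored_digest, issued_at = entry
        if self._clock() - issued_at > TOKEN_TTL_SECONDS:
            self._live.pop(account, None)  # Rule 3: expired, drop it
            return False
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False  # wrong token; constant-time compare, live token untouched
        del self._live[account]  # Rule 1: burn on first successful use
        return True

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()
```

Pair the store with rate limiting on the redeem endpoint; the expiry window alone does not stop online guessing.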
Token leak via the referrer header
The Referer header (that is the spelling the HTTP header uses) carries the URL of the page that linked to the current request. Attackers can capture this header when a request from the page opened via the password reset link goes to their domain, because that request can carry the reset URL, token included. This is a complex attack scenario…