Authentication and Session Management

More results from our penetration testing....

Steps to reproduce:-
1) Create an account having an email address "a@site.com".
2) Now Logout and ask for password reset link. ( Don't use that password reset link. )
3) Login using the same password back and update your email address to "b@site.com"
4) Now logout and use the password reset link which was mailed to "a@site.com" in step 2.
5) Password will be changed.

Recommendation:-
All previous password reset links should automatically expire once a user changes his/her email address. 

see: https://hackerone.com/redirect?signature=39796d0705269c3865bd32369318b184631f197e&url=https%3A%2F%2Fwww.owasp.org%2Findex.php%2FTop_10_2013-A2-Broken_Authentication_and_Session_Management

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Authentication and Session Management #5104

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Authentication and Session Management #5104

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions