Broken Authentication or Session Management
Password reset link does not expire
- You create an account on example.com and register the email address [email protected].
- Your email account gets hacked.
- The hacker figures out you have an account on example.com and requests a password-reset link, but does not use it yet.
- You realize the email account is hacked and go to example.com to change your password.
- The hacker now clicks the earlier link and manages to reset the password.
The problem here is that the first reset link is still valid: it should be invalidated as soon as the second one is sent. More generally, reset tokens should be single-use, short-lived, and cleared whenever the password changes.
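The following is an added example, not code from the original notes or from any of the referenced reports. It models a minimal server-side reset flow (in-memory store, placeholder password hashing, a constructed 15-minute TTL) and replays the scenario above: the attacker's earlier link is rejected once a newer one has been issued, the used link cannot be reused, and an untouched link dies after its TTL.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

RESET_TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; tune to your risk appetite


def hash_password(pw: str) -> str:
    # Placeholder only; use argon2id or bcrypt in real code.
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class User:
    email: str
    password_hash: str
    # Only the hash of the single currently valid reset token is stored.
    reset_token_hash: Optional[str] = None
    reset_token_expires_at: float = 0.0


class PasswordResetService:
    def __init__(self, users, now=time.time):
        self.users = users  # constructed in-memory store: email -> User
        self.now = now

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _clear(user: User) -> None:
        user.reset_token_hash = None
        user.reset_token_expires_at = 0.0

    def request_reset(self, email: str) -> Optional[str]:
        user = self.users.get(email)
        if user is None:
            return None  # caller should respond identically to avoid account enumeration
        token = secrets.token_urlsafe(32)
        # Issuing a new token overwrites the previous one, so the older link stops working.
        user.reset_token_hash = self._hash(token)
        user.reset_token_expires_at = self.now() + RESET_TOKEN_TTL_SECONDS
        return token

    def reset_password(self, email: str, token: str, new_password: str) -> bool:
        user = self.users.get(email)
        if user is None or user.reset_token_hash is None:
            return False
        if self.now() > user.reset_token_expires_at:
            self._clear(user)  # expired: drop it so it can never be used
            return False
        if not hmac.compare_digest(user.reset_token_hash, self._hash(token)):
            return False
        user.password_hash = hash_password(new_password)
        self._clear(user)  # token is single-use
        return True

    def change_password(self, email: str, new_password: str) -> None:
        user = self.users[email]
        user.password_hash = hash_password(new_password)
        self._clear(user)  # a normal password change also voids any outstanding reset link


def replay_scenario():
    """Replay the scenario from the notes; returns (stale_link_rejected, expired_link_rejected)."""
    clock = [1000.0]  # controllable clock so the TTL check can be exercised offline
    users = {"victim@example.com": User("victim@example.com", hash_password("original"))}
    svc = PasswordResetService(users, now=lambda: clock[0])

    first_link = svc.request_reset("victim@example.com")   # attacker requests, does not use it
    second_link = svc.request_reset("victim@example.com")  # victim requests their own reset
    assert svc.reset_password("victim@example.com", second_link, "victim-new") is True
    stale_rejected = not svc.reset_password("victim@example.com", first_link, "attacker-pw")

    third_link = svc.request_reset("victim@example.com")
    clock[0] += RESET_TOKEN_TTL_SECONDS + 1  # leave the link alone past its TTL
    expired_rejected = not svc.reset_password("victim@example.com", third_link, "late")
    return stale_rejected, expired_rejected


if __name__ == "__main__":
    print(replay_scenario())
```

Storing only a hash of the token means a database read (SQL injection, backup leak) does not hand out live reset links, and `hmac.compare_digest` keeps the comparison constant-time.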
Relevant bug bounty reports
- https://hackerone.com/reports/23579
- https://hackerone.com/reports/39203
- https://hackerone.com/reports/23921
Cookie does not expire
An easy way to test this is with Burp Suite.
- Open Burp Suite.
- Log in to the website you want to test.
- Intercept a request; any authenticated request will do.
- Right-click the request in Burp Suite and choose "Send to Repeater". The request is now saved for later, together with the current session cookie.
- Log out from the website.
- Go to the Repeater tab in Burp and click "Go".
- Verify that you are redirected to the login page. If the response still shows authenticated content, the server did not invalidate the session cookie on logout.
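As an added example (not part of the original notes), the server-side half of what the Repeater test exercises: a session table where the cookie is only a random lookup key, a logout that deletes the server record, and, beside it, the buggy pattern where logout merely tells the browser to drop the cookie. The names, the 30-minute idle timeout and the request handler are all constructed for this illustration.

```python
import secrets
import time
from typing import Dict, Optional

SESSION_IDLE_TIMEOUT = 30 * 60  # assumed idle timeout in seconds


class SessionStore:
    """Server-side session table. Revoking the record kills the cookie everywhere."""

    def __init__(self, now=time.time):
        self._sessions: Dict[str, dict] = {}
        self.now = now

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable; the cookie carries no claims itself
        self._sessions[sid] = {"user": username, "last_seen": self.now()}
        return sid

    def logout(self, sid: str) -> str:
        self._sessions.pop(sid, None)  # the fix: delete the server record, not just the cookie
        return "Set-Cookie: session=; Max-Age=0"

    def user_for(self, sid: str) -> Optional[str]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self.now() - s["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[sid]  # idle too long: treat as logged out
            return None
        s["last_seen"] = self.now()
        return s["user"]


class ClientOnlyLogoutStore(SessionStore):
    """The buggy pattern: logout only asks the browser to forget the cookie.
    The server record survives, so a replayed cookie still authenticates."""

    def logout(self, sid: str) -> str:
        return "Set-Cookie: session=; Max-Age=0"  # nothing removed server-side


def parse_cookie(header: str) -> Dict[str, str]:
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def handle_request(store: SessionStore, cookie_header: str):
    """Minimal handler for an authenticated page: returns (status, body)."""
    sid = parse_cookie(cookie_header).get("session")
    user = store.user_for(sid) if sid else None
    if user is None:
        return 302, "Location: /login"
    return 200, f"account page for {user}"


def burp_repeater_scenario():
    """Capture a request while logged in, log out, replay it (the Repeater steps above).
    Returns {label: (status before logout, status of the replay)}."""
    results = {}
    for label, store in (("fixed", SessionStore()), ("buggy", ClientOnlyLogoutStore())):
        sid = store.login("alice")
        captured = f"session={sid}"  # the request saved in Repeater keeps this cookie
        before = handle_request(store, captured)
        store.logout(sid)  # user clicks "log out" in the browser
        after = handle_request(store, captured)  # press "Go" in Repeater
        results[label] = (before[0], after[0])
    return results


if __name__ == "__main__":
    print(burp_repeater_scenario())
```

The replay against the fixed store comes back as a 302 to the login page, which is what the last step above expects to see; the client-only logout still returns 200, which is exactly the finding. Signed stateless cookies (JWT-style) have the same problem unless a server-side revocation list is consulted.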