Severity: high | CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) | OWASP A07:2021 (Identification and Authentication Failures)

Insecure Password Reset Flow

Password reset tokens without expiration, single-use enforcement, or proper randomness — allowing attackers to use leaked or guessable reset links to take over accounts.

How It Works

Password reset tokens are temporary credentials. If they don't expire, a token in an old email can be used years later. If they're not invalidated after use, the same link can reset the password multiple times. If the token is derived from predictable data (user ID, email, timestamp), an attacker can generate valid tokens without receiving the email.

Vulnerable Code

// BAD: predictable token, no expiry, not invalidated after use
// db and sendResetEmail are the application's own ORM client and mailer (assumed, not shown on this page)
async function createResetToken(email: string) {
  // base64 of email + timestamp: anyone who knows the address and roughly when the
  // request was made can reconstruct the token without ever seeing the email
  const token = Buffer.from(email + Date.now()).toString('base64');
  // raw token stored on the user row, never expires, never cleared after use
  await db.users.update({ where: { email }, data: { resetToken: token } });
  await sendResetEmail(email, token);
}

Secure Code

import { randomBytes, createHash } from 'crypto';

// GOOD: random token, short TTL, single-use
// db and sendResetEmail are the application's own ORM client and mailer (assumed, not shown on this page)
async function createResetToken(email: string) {
  const token = randomBytes(32).toString('hex');            // 256 bits from the CSPRNG
  const expiresAt = new Date(Date.now() + 15 * 60 * 1000);  // 15 min
  const tokenHash = createHash('sha256').update(token).digest('hex');
  // only the hash is persisted; a database leak does not expose usable links
  await db.passwordResets.create({ data: { email, tokenHash, expiresAt, used: false } });
  await sendResetEmail(email, token);                       // the raw token goes only to the mailbox
}

Real-World Example

Account takeover via password reset has been the primary vector in multiple high-profile breaches. The pattern is simple: the attacker knows the target's email address and requests a reset; if the token is predictable or never expires, the account is taken over without the attacker ever needing access to that mailbox.

How to Prevent It

  • Use cryptographically random tokens (crypto.randomBytes(32))
  • Set a short expiry — 15 minutes is standard for password reset
  • Invalidate the token immediately after it's used
  • Store only the hash of the token, not the raw value
  • Rate limit reset requests per email address
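The Secure Code block above only covers issuing the token. The example below, added here and not part of the original page, shows the other half of the flow that the prevention list calls for: hashed storage, expiry, single-use consumption and per-address rate limiting, with a constant-time hash comparison. It uses an in-memory array and Map as constructed stand-ins for the db.passwordResets table and a rate-limit store; the one-hour window and three-requests-per-hour limit are assumed values, not the page's.

```typescript
import { randomBytes, createHash, timingSafeEqual } from 'crypto';

const TOKEN_TTL_MS = 15 * 60 * 1000;   // 15 minutes, as the page recommends
const RATE_WINDOW_MS = 60 * 60 * 1000; // assumed: one-hour rate-limit window
const MAX_REQUESTS_PER_WINDOW = 3;     // assumed: reset requests allowed per address per window

interface ResetRecord {
  email: string;
  tokenHash: string; // sha256 hex of the raw token; the raw token is never stored
  expiresAt: number; // epoch milliseconds
  used: boolean;
}

// Constructed in-memory stores standing in for db.passwordResets and a rate-limit table.
const resets: ResetRecord[] = [];
const requestLog = new Map<string, number[]>();

function hashToken(token: string): string {
  return createHash('sha256').update(token).digest('hex');
}

// Issues a new token. Returns the raw token to put in the email, or null when the
// address has exceeded its request budget. `now` is injectable so expiry can be tested.
function createResetToken(email: string, now: number = Date.now()): string | null {
  const recent = (requestLog.get(email) ?? []).filter(t => now - t < RATE_WINDOW_MS);
  if (recent.length >= MAX_REQUESTS_PER_WINDOW) return null;
  recent.push(now);
  requestLog.set(email, recent);

  // Retire any outstanding token for this address so only the newest link works.
  for (const r of resets) {
    if (r.email === email && !r.used) r.used = true;
  }

  const token = randomBytes(32).toString('hex'); // 256 bits of CSPRNG output
  resets.push({ email, tokenHash: hashToken(token), expiresAt: now + TOKEN_TTL_MS, used: false });
  return token;
}

type ResetResult = 'ok' | 'invalid' | 'expired' | 'already_used';

// Consumes a token presented by the reset form. Succeeds at most once per token,
// only before expiry, and only when the hash matches in constant time.
function consumeResetToken(email: string, token: string, now: number = Date.now()): ResetResult {
  const presented = Buffer.from(hashToken(token), 'hex');
  const record = resets.find(r => {
    if (r.email !== email) return false;
    const stored = Buffer.from(r.tokenHash, 'hex');
    return stored.length === presented.length && timingSafeEqual(stored, presented);
  });
  if (!record) return 'invalid';
  if (record.used) return 'already_used';
  if (now > record.expiresAt) return 'expired';
  record.used = true; // mark as consumed before the password is actually changed
  return 'ok';
}
```

Marking the record used before the password update (rather than after) means a second request racing the first cannot reuse the same link; in a real database this would be an atomic conditional update on `used = false`.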

Affected Technologies

Node.js, Next.js, Python, PHP

Data Hogo detects this vulnerability automatically.
