Broken Reset Logic

Broken Reset Logic occurs when an application's password or account reset functionality can be exploited due to flaws in the reset process, allowing attackers to bypass security measures.

The example below is based on PortSwigger's "Password reset broken logic" lab.

We first need to use the application as intended so we can understand how the reset functionality works (Figure 1).

Figure 1: Enumerating the password reset functionality.

In the process above (Figure 1), we notice that the final request includes the username, but there is no check that the token passed is tied to that specific username. Nor does the form ask for the old password when setting a new one. As a result, we can use a new token to reset any other user's password (Figure 2).

Figure 2: Exploiting the reset functionality's broken logic.

Other things to note:

  1. The token doesn't expire after a single use; it can be used for multiple requests in a short time frame.

  2. The final reset request (Figure 1.3) only checks that the token passed in the URL matches the token passed as a parameter; thus, we can pass an arbitrary token (e.g. asd) and reset anyone's password.
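To make the defect concrete, here is an added Python example (not code from the lab or from PortSwigger) that models both the broken flow described above and a hardened one. The class and method names are illustrative. `InsecureResetService` reproduces all three weaknesses: the account to reset is taken from the client-supplied username, the token is never bound to an account, and the only check is URL token == form token, so an arbitrary string like `asd` passes. `HardenedResetService` binds each token to the account that requested it, derives the target account from that record rather than from the request, expires tokens after a fixed window, and consumes them on first use.

```python
import hashlib
import hmac
import secrets
import time


class InsecureResetService:
    """Reproduces the lab's flaw: the final request carries a username field,
    and the server never checks that the token was issued for that user.
    It only compares the token in the URL with the token in the form body."""

    def __init__(self):
        self.passwords = {}  # username -> plaintext (deliberately naive)

    def request_reset(self, username):
        # A token is generated but never associated with the requesting account.
        return secrets.token_hex(16)

    def complete_reset(self, url_token, form_token, username, new_password):
        if url_token != form_token:               # the only check performed
            return False
        self.passwords[username] = new_password   # attacker controls username
        return True


class HardenedResetService:
    """Fixes each weakness noted in the write-up: the token is bound to one
    account, expires, is consumed after a single use, and the account to
    reset comes from the server-side record, never from client input."""

    TOKEN_TTL_SECONDS = 15 * 60   # assumed policy value for this example
    PBKDF2_ROUNDS = 200_000

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # sha256(token) -> (username, expires_at)
        self.passwords = {}         # username -> (salt, pbkdf2 digest)

    @staticmethod
    def _fingerprint(token):
        # Store only a hash of the token so a leaked table yields nothing usable.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, username):
        token = secrets.token_urlsafe(32)        # 256 bits of entropy
        expires_at = self.clock() + self.TOKEN_TTL_SECONDS
        self.pending[self._fingerprint(token)] = (username, expires_at)
        return token

    def complete_reset(self, token, claimed_username, new_password):
        # Single use: the record is removed on any attempt, successful or not.
        record = self.pending.pop(self._fingerprint(token), None)
        if record is None:
            return False                          # unknown or already-used token
        owner, expires_at = record
        if self.clock() > expires_at:
            return False                          # expired token
        # The username field is redundant once the token identifies the account;
        # if the form still sends one, it must match the record.
        if not hmac.compare_digest(owner.encode(), claimed_username.encode()):
            return False
        self._set_password(owner, new_password)   # account from the record
        return True

    def _set_password(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                     self.PBKDF2_ROUNDS)
        self.passwords[username] = (salt, digest)

    def verify_password(self, username, password):
        if username not in self.passwords:
            return False
        salt, digest = self.passwords[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                        self.PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed scenario mirroring the lab: a token issued for one user is
    # replayed against another account. Usernames are placeholders.
    weak = InsecureResetService()
    token = weak.request_reset("alice")
    print("insecure, replayed against bob:", weak.complete_reset(token, token, "bob", "pw"))
    print("insecure, arbitrary token 'asd':", weak.complete_reset("asd", "asd", "bob", "pw"))

    strong = HardenedResetService()
    token = strong.request_reset("alice")
    print("hardened, replayed against bob:", strong.complete_reset(token, "bob", "pw"))
    print("hardened, arbitrary token 'asd':", strong.complete_reset("asd", "bob", "pw"))
```

The detection angle follows directly from the record the hardened service keeps: a reset completion whose username differs from the token's owner, a token presented after expiry, or a token presented twice are all events worth logging and alerting on, since a correctly behaving client never produces them.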
