145 lines
2.4 KiB
Markdown
145 lines
2.4 KiB
Markdown
|
# Password reset broken logic
|
||
|
|
In this scenario, a web application's password reset functionality is vulnerable due to flawed logic. This vulnerability allows an attacker to reset the password of any user, without requiring the correct token. Let's discuss the secure programming approach for this scenario and provide examples of non-conforming (vulnerable) and compliant (secure) code.
|
||
|
|
|
||
|
|
|
||
|
|
## Secure programming approach:
|
||
|
|
* **Token Validation:** Ensure that the password reset token is validated on the server side before allowing the password reset process.
|
||
|
|
|
||
|
|
* **Uniqueness and Token Expiration:** Generate a unique token for each password reset request and set an expiration time for the token.
|
||
|
|
|
||
|
|
* **Secure Token Transfer:** Use HTTPS for secure token transfer.
|
||
|
|
|
||
|
|
* **User Authentication:** Verify that the token is used by the intended user.
|
||
|
|
|
||
|
|
* **Error handling:** Provide generic error messages to prevent enumeration attacks.
|
||
|
|
|
||
|
|
* **Logging and Monitoring:** Log password reset attempts and monitor for suspicious activity.
|
||
|
|
|
||
|
|
## Noncompliant Code (JavaScript):
|
||
|
|
```javascript
|
||
|
|
// JavaScript/Node.js example of non-compliant code
|
||
|
|
app.post('/forgot-password', (req, res) => {
|
||
|
|
const { username, newPassword } = req.body;
|
||
|
|
// Token is not validated
|
||
|
|
updateUserPassword(username, newPassword);
|
||
|
|
res.send('Password updated successfully');
|
||
|
|
});
|
||
|
|
```
|
||
|
|
|
||
|
|
## Compliant Code (JavaScript):
|
||
|
|
```javascript
|
||
|
|
// JavaScript/Node.js example of compliant code
|
||
|
|
app.post('/forgot-password', (req, res) => {
|
||
|
|
const { username, newPassword, token } = req.body;
|
||
|
|
if (!validateToken(username, token)) {
|
||
|
|
res.status(400).send('Invalid or expired token');
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
updateUserPassword(username, newPassword);
|
||
|
|
res.send('Password updated successfully');
|
||
|
|
});
|
||
|
|
function validateToken(username, token) {
|
||
|
|
// Logic to validate the token for the user
|
||
|
|
// Check if the token is valid, belongs to the user, and has not
|
||
|
|
expired
|
||
|
|
// Return true if valid, false otherwise
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
In the example above, the server validates the token before allowing a password reset. This ensures that only the intended user can reset their password using a valid and non-expired token.
|
||
|
|
|
||
|
|
## Additional security measures:
|
||
|
|
* Implement rate limiting to prevent brute force attacks.
|
||
|
|
* Notify users when their passwords are reset.
|
||
|
|
* Asking for additional authentication (such as security questions or email verification) in the password reset process.
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|