Failure to invalidate session on Logout and Password reset
Check whether the forgot-password reset link/code is unique per request
Check whether the reset link expires when it is not used within a certain amount of time
Find the parameter that identifies the user account and check whether tampering with its ID or value lets you change another user's password
Check for weak password policy
Weak password reset implementation: token is not invalidated after use
If the reset link carries another parameter such as a date and time, change that value and check whether it still yields an active, valid reset link
Check whether security questions are asked. How many guesses are allowed? --> Is a lockout policy enforced or not?
Enter only spaces in the new password and confirm password fields, then submit and check the result
Does it display the old password on the same page after the forgot-password flow completes?
Request two password reset links and use the older one from the user's email
Check if the active session gets destroyed upon changing the password or not.
Weak password reset implementation: password reset token sent over HTTP
Send continuous forgot-password requests and check whether the tokens issued are sequential
No rate limit on forgot-password requests