Identity Management / Password Reset Token Does Not Expire

Web and API

Description

Password reset token does not expire is a vulnerability related to identity management, found in web and API applications. It is listed in the Common Weakness Enumeration (CWE) directory as CWE-259. According to the OWASP Testing Guide, this vulnerability occurs when a user or application can generate a token that can be used to reset a password, but the token never expires, so the holder has an unlimited amount of time in which to use it. This creates a security risk: an attacker who obtains the token (for example from an old e-mail, a log, or browser history) can still redeem it long after it was issued, reset the victim's password and gain access to the application.

Risk

The risk of this vulnerability is high because an attacker who obtains a reset token can use it at any later time to gain access to the application, since it never becomes invalid. The risk assessment for this vulnerability is 8.1 (High) according to the OWASP risk rating methodology.

Solution

The best way to address this vulnerability is to ensure that every password reset token has an expiration time. The token is then rendered useless after a short, fixed period, and an attacker who obtains it later is denied access to the application. Additionally, it is essential to store the tokens securely (so that a leaked database or log does not hand the attacker usable tokens) and to invalidate a token as soon as it has been used.
