Identity Management / Password Reset Token Does Not Expire
Description
A password reset token that does not expire is a vulnerability related to identity management, found in web and API applications. It is listed in the Common Weakness Enumeration (CWE) directory as CWE-259. According to the OWASP Testing Guide, this vulnerability occurs when a user or application can generate a token that can be used to reset a password, but the token never expires, so the holder has an unlimited amount of time in which to use it. This creates a security risk because an attacker who obtains the token, even long after it was issued, can still use it to gain access to the application.
Risk
The risk of this vulnerability is high because a token that never expires remains usable by an attacker for as long as it exists. The risk assessment for this vulnerability is 8.1 (High) according to the OWASP risk rating methodology.
Solution
The best way to address this vulnerability is to ensure that every password reset token carries an expiration time and is rejected once that time has passed. The token is then rendered useless after a fixed period, and an attacker who obtains it later is denied access to the application. Additionally, it is essential to ensure that the tokens are stored securely so that they cannot be read by an attacker.
Example
Below is a code block from CVE-2020-8999 that illustrates a password reset token that does not expire:
if (!$user->checkResetToken($token))
{
    # token not found
    throw new \Exception('Invalid token!');
}
# Any token that exists in storage is accepted: nothing checks when it was issued.
The check only verifies that the token exists; no expiration time is consulted, so a token, once issued, remains valid indefinitely and can be used by an attacker to gain access to the application.
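A corrected version of the check, as an added example that is not code from the page or from the CVE-2020-8999 project: the token is issued with a 15-minute expiry, only its hash is stored, and a token that is unknown, expired, or already used is refused. The $db PDO connection and the password_resets table schema are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed schema (not from the page):
//   password_resets(user_id INT, token_hash CHAR(64), expires_at INT, used_at INT NULL)
const RESET_TOKEN_TTL_SECONDS = 900; // tokens are valid for 15 minutes

function issueResetToken(PDO $db, int $userId): string
{
    // 256 bits of CSPRNG output; the raw token is sent to the user only.
    $token = bin2hex(random_bytes(32));
    // Store a hash, not the token: a leaked table then holds nothing usable.
    $stmt = $db->prepare(
        'INSERT INTO password_resets (user_id, token_hash, expires_at, used_at)
         VALUES (:uid, :hash, :exp, NULL)'
    );
    $stmt->execute([
        ':uid'  => $userId,
        ':hash' => hash('sha256', $token),
        ':exp'  => time() + RESET_TOKEN_TTL_SECONDS,
    ]);
    return $token;
}

// Returns the user id the token belongs to, or null if the token is unknown,
// expired, or already used. On success the token is consumed (single use).
function checkResetToken(PDO $db, string $token): ?int
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare(
        'SELECT user_id, expires_at, used_at FROM password_resets
         WHERE token_hash = :hash LIMIT 1'
    );
    $stmt->execute([':hash' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                  // token not found
    }
    if ($row['used_at'] !== null) {
        return null;                                  // already consumed
    }
    if ((int) $row['expires_at'] < time()) {
        return null;                                  // expired: the check the vulnerable code lacks
    }
    // Consume the token before the password is changed, so a replay is refused.
    $db->prepare('UPDATE password_resets SET used_at = :now WHERE token_hash = :hash')
       ->execute([':now' => time(), ':hash' => $hash]);
    return (int) $row['user_id'];
}
```

The caller changes the password only when checkResetToken() returns a user id; a null result is reported to the user as an invalid token without distinguishing the three failure causes.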