Password Reset

Blogs / Articles:

• http://imranparay.blogspot.com/2018/09/testing-password-reset-functionalities.html

• Forgot/Reset Password Test Cases - https://0xayub.gitbook.io/blog/

• https://www.anugrahsr.me/posts/10-Password-reset-flaws/

• https://twitter.com/cyph3r_asr/status/1433392117825499141?s=20

• https://speakerdeck.com/anugrahsr/playing-with-password-reset-functionality

Write-ups:

• https://link.medium.com/OVvYaKLng3

• https://link.medium.com/HZpTPtR2F3

• https://link.medium.com/bpYhuYR2F3

• https://link.medium.com/5PnwoRS2F3

• https://link.medium.com/A67jqlT2F3

• https://thezerohack.com/hack-instagram-again…

• https://ninadmathpati.com/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty…

• https://link.medium.com/MgdJoyY2F3

• https://link.medium.com/iRVWjs02F3

• https://link.medium.com/roeUih12F3

• https://medium.com/@fatnassifiras45/how-i-was-able-to-take-over-any-account-via-the-password-reset-functionality-ef1659f8b481

• https://hackerone.com/reports/792895

Mindmaps / Image References:

https://twitter.com/N008x/status/1302515523557548032

Tweets:

• https://twitter.com/cyscol/status/1295805411241725954
• https://twitter.com/HusseiN98D/status/1254888748216655872

When testing password fields, my preferred password is: %01%E2%80%AEalert%0D%0A

Let's break it down: %01 is SOH %e2%80%ae is RTLO %0d%0a is CRLF

Test cases on login: 1. can I log in only using %01? 2. without the CRLF in it? 3. is trela accepted instead of alert? (due to RTLO)

When testing password fields, my preferred password is:
%01%E2%80%AEalert%0D%0A

Let's break it down:
%01 is SOH
%e2%80%ae is RTLO
%0d%0a is CRLF

Test cases on login:
1. can I log in only using %01?
2. without the CRLF in it?
3. is trela accepted instead of alert? (due to RTLO)

https://twitter.com/secalert/status/1353303406044184577?s=20