# Password Reset

**Blogs / Articles:**

* <http://imranparay.blogspot.com/2018/09/testing-password-reset-functionalities.html>
* Forgot/Reset Password Test Cases - <https://0xayub.gitbook.io/blog/>
* <https://www.anugrahsr.me/posts/10-Password-reset-flaws/>
* <https://twitter.com/cyph3r_asr/status/1433392117825499141?s=20>
* <https://speakerdeck.com/anugrahsr/playing-with-password-reset-functionality>

**Write-ups:**

* [https://link.medium.com/OVvYaKLng3](https://t.co/jGpEwy3Lpt?amp=1)
* [https://link.medium.com/HZpTPtR2F3](https://t.co/Cq3rHAIid1?amp=1)
* [https://link.medium.com/bpYhuYR2F3](https://t.co/OJiiXUZgWS?amp=1)
* [https://link.medium.com/5PnwoRS2F3](https://t.co/rJGr1hRtlw?amp=1)
* [https://link.medium.com/A67jqlT2F3](https://t.co/1aYPhHoW2U?amp=1)
* [https://thezerohack.com/hack-instagram-again…](https://t.co/ufBZWGwptT?amp=1)
* [https://ninadmathpati.com/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty…](https://t.co/t3HFbNtXa5?amp=1)
* [https://link.medium.com/MgdJoyY2F3](https://t.co/i1PQ79EJHA?amp=1)
* [https://link.medium.com/iRVWjs02F3](https://t.co/uY7UkHi2Mf?amp=1)
* [https://link.medium.com/roeUih12F3](https://t.co/LpkUySCXf1?amp=1)
* <https://medium.com/@fatnassifiras45/how-i-was-able-to-take-over-any-account-via-the-password-reset-functionality-ef1659f8b481>
* <https://hackerone.com/reports/792895>

**Mindmaps / Image References:**

![https://twitter.com/N008x/status/1302515523557548032](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-MITqso262DjtqmTze2H%2F-MIVEn4Wzyoy0eneHto3%2Fimage.png?alt=media\&token=c64863b8-3b7d-411a-a44b-7550e4d9ed74)


![](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-MGnZ79Pqsldy_MixlBV%2F-MGnaaxvGu_F5Go_aqmx%2Fimage.png?alt=media\&token=b6c3166f-3ce4-47e2-83e7-d2a32c15a524)

**Tweets:**

* <https://twitter.com/cyscol/status/1295805411241725954>
* <https://twitter.com/HusseiN98D/status/1254888748216655872>

![](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-MWEHVZ6dmUchjCHy5Kl%2F-MWEHiVPL12hzROKZbR_%2Fimage.png?alt=media\&token=95af2bd9-155d-4699-ba20-c0996d2a55cf)

[When testing password fields, my preferred password is: %01%E2%80%AEalert%0D%0A](https://twitter.com/secalert/status/1353303406044184577?s=20)

[Let's break it down: %01 is SOH %e2%80%ae is RTLO %0d%0a is CRLF](https://twitter.com/secalert/status/1353303406044184577?s=20)

[Test cases on login: 1. can I log in only using %01? 2. without the CRLF in it? 3. is trela accepted instead of alert? (due to RTLO)](https://twitter.com/secalert/status/1353303406044184577?s=20)


![](https://3284959579-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LmdDaax1PAvLD05wJYt%2F-Ml-9RfM_dDYxlORC0hR%2F-Ml-AHaQDIRfRpLt2jqG%2Fimage.png?alt=media\&token=6bfdb0d8-1ea1-41fe-a06f-d88c062d3d02)
