Testing Password Reset Flows for Token Reuse and Host Poisoning

CATEGORY: TUTORIALS DATE: 2026-02-08

Research by badjuju - Red Orca

Step-by-step methodology for validating reset flow token handling, expiry controls, and host header trust boundaries.

Summary

This tutorial shows a practical workflow for testing password reset implementations, including token lifecycle controls and host header behavior.

Checklist

  1. Request multiple reset tokens and verify that each token can be used only once and that issuing a new token invalidates earlier ones.
  2. Test token expiry at boundary timestamps (just before and just after the expiry time).
  3. Tamper with the Host header and forwarding headers such as X-Forwarded-Host to detect poisoned reset links.
  4. Confirm account lockout and telemetry behavior for repeated reset attempts against the same account.

Example Probe

# Request a reset with a spoofed Host header, then inspect the link in the response or email
curl -i https://target.example/reset/request \
  -H "Host: evil.test" \
  -d "email=user@example.com"

If the generated reset link carries the injected host, the application trusts the Host header when building links: escalate as high severity.
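The following is an added reference model, not code from the original tutorial, showing what a reset flow that passes all four checklist items looks like and why the probe above should fail against it: tokens are stored hashed, redeemable once, dead at exactly their expiry timestamp, superseded when a new one is issued, rate limited per address with telemetry events, and reset links are always built from a server-side canonical host rather than from Host or X-Forwarded-Host. The host allowlist, TTL, request limit, and event names are constructed for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed configuration for this example (not the page's values).
CANONICAL_HOST = "app.example"                      # links are always built from this
ALLOWED_HOSTS = {"app.example", "www.app.example"}  # Host values the app will serve
TOKEN_TTL_SECONDS = 900
MAX_REQUESTS_PER_WINDOW = 3


@dataclass
class ResetRecord:
    email: str
    expires_at: int
    used: bool = False


def resolve_request_host(headers):
    """Return the Host the app trusts, or None if it is not on the allowlist.
    X-Forwarded-Host is deliberately ignored: nothing in this example sits
    behind a trusted proxy, so that header is client-controlled input."""
    host = headers.get("Host", "").lower().split(":")[0]
    return host if host in ALLOWED_HOSTS else None


@dataclass
class ResetService:
    now: int = 0                                   # injectable clock for boundary tests
    records: dict = field(default_factory=dict)    # sha256(token) -> ResetRecord
    request_counts: dict = field(default_factory=dict)
    events: list = field(default_factory=list)     # telemetry sink (checklist item 4)

    @staticmethod
    def _hash(token):
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email, headers):
        # Item 4: count attempts per address and record an event for each outcome.
        count = self.request_counts.get(email, 0) + 1
        self.request_counts[email] = count
        if count > MAX_REQUESTS_PER_WINDOW:
            self.events.append(("reset.rate_limited", email))
            return None
        # Item 3: refuse requests whose Host is not ours; never echo it into the link.
        if resolve_request_host(headers) is None:
            self.events.append(("reset.bad_host", headers.get("Host", "")))
            return None
        # Item 1: issuing a new token invalidates any earlier token for the account.
        for h, rec in list(self.records.items()):
            if rec.email == email:
                del self.records[h]
        token = secrets.token_urlsafe(32)
        self.records[self._hash(token)] = ResetRecord(email, self.now + TOKEN_TTL_SECONDS)
        self.events.append(("reset.issued", email))
        return f"https://{CANONICAL_HOST}/reset/confirm?token={token}"

    def consume(self, token):
        """Redeem a token once. Returns 'ok', 'reused', 'expired' or 'invalid'."""
        rec = self.records.get(self._hash(token))
        if rec is None:
            return "invalid"
        if rec.used:
            return "reused"
        # Item 2: a token is dead at exactly expires_at, so now == expires_at fails.
        if self.now >= rec.expires_at:
            return "expired"
        rec.used = True
        return "ok"


def token_from_link(link):
    """Extract the token query value from a link built by request_reset."""
    return link.split("token=", 1)[1]


if __name__ == "__main__":
    svc = ResetService(now=1000)
    link = svc.request_reset("user@example.com", {"Host": "app.example"})
    print(link)
    tok = token_from_link(link)
    print(svc.consume(tok), svc.consume(tok))                              # ok reused
    print(svc.request_reset("user@example.com", {"Host": "evil.test"}))    # None
    print(svc.events)
```

Injecting the clock (`now`) is what makes item 2 testable: a real deployment would use `time.time()`, but the boundary cases only become assertable when the test can set the clock to `expires_at - 1` and `expires_at` directly.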