Password Reset Bypass
Medium
A07:2021 - Authentication
200 points
Challenge Description
This password reset functionality has multiple vulnerabilities:
- Predictable reset tokens (sequential pattern: RST000XXX)
- Weak security questions with easily guessable answers
- No brute force protection on security question answers
- Information disclosure about account existence
Your goal is to reset the admin user's password and access their secret data by exploiting these vulnerabilities.
Learning Objective: Understand the importance of secure password reset mechanisms and why security questions are considered weak authentication.
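As an added illustration of the learning objective (this is example code written for this page, not the challenge's own implementation), the following shows the sequential token pattern the description names next to a hardened reset flow: a CSPRNG token stored only as a hash with an expiry, a uniform response whether or not the account exists, a constant-time comparison, and a hard cap on security-answer attempts. The in-memory stores, the `admin` answer and the limits are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the application's database (assumed, not the challenge's schema).
USERS = {"admin": {"answer_hash": hashlib.sha256(b"correct horse").hexdigest()}}
RESETS = {}          # username -> {"token_hash", "expires", "attempts"}
TOKEN_TTL = 15 * 60  # reset tokens live for 15 minutes (assumed limit)
MAX_ATTEMPTS = 3     # security-answer guesses allowed per token (assumed limit)

def weak_token(counter):
    # The pattern the challenge describes (RST000XXX): a counter, so the next value is guessable.
    return f"RST{counter:06d}"

def request_reset(username):
    """Same message for known and unknown accounts, so the response does not
    reveal whether an account exists. In a real flow the token is delivered
    out of band (e-mail); it is returned here only so the example can drive it."""
    message = "If that account exists, a reset link has been sent."
    if username not in USERS:
        return message, None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
    RESETS[username] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),  # store a hash, never the token
        "expires": time.time() + TOKEN_TTL,
        "attempts": 0,
    }
    return message, token

def verify(username, token, answer):
    """Checks token and security answer together; every failure path returns the
    same result, each attempt counts toward the cap, and a token is single use.
    (A slow password hash such as scrypt would replace SHA-256 for stored answers.)"""
    entry = RESETS.get(username)
    if entry is None or time.time() > entry["expires"]:
        return False
    if entry["attempts"] >= MAX_ATTEMPTS:
        return False  # brute-force protection: the token is dead after MAX_ATTEMPTS
    entry["attempts"] += 1
    token_ok = hmac.compare_digest(
        entry["token_hash"], hashlib.sha256(token.encode()).hexdigest())
    answer_ok = hmac.compare_digest(
        USERS[username]["answer_hash"],
        hashlib.sha256(answer.strip().lower().encode()).hexdigest())
    if token_ok and answer_ok:
        del RESETS[username]  # single use: a replayed token fails
        return True
    return False
```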
Step 1: Request Password Reset
Step 2: Answer Security Question
Request a password reset first to get a token.
Step 3: Set New Password
Answer the security question to unlock password reset.
Hints
-10% per hint
Common Security Answers
Frequently used answers:
fluffy, buddy, max, bella, charlie, lucy, dog, cat, new york, los angeles, chicago, london, paris, blue, red, green, black, white, purple, pizza