Cobalt Vulnerability Wiki

V3 - Session Management

Password Reset Token Sent Over HTTP

POC

1. Intercept the requests made while resetting the password.

2. Observe that the password reset token is sent over HTTP rather than HTTPS, so anyone on the network path can read it.

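As an added example (not part of the Cobalt wiki entry), the two checks below show the defender's side of this finding: auditing the reset link an application emails out so it always uses https, and scanning captured requests, the kind an intercepting proxy shows in step 1, for a reset token carried to an http:// URL. The parameter names `token`/`reset_token`, the `/reset-password` path and the sample requests are all constructed for illustration and are not taken from the wiki.

```python
"""Detect a password reset token travelling over plain HTTP.

Added example, not code from the Cobalt Vulnerability Wiki. The token
parameter names, the /reset-password path and the captured requests
below are assumptions constructed for this illustration.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Assumed names under which an application might pass its reset token.
RESET_TOKEN_PARAMS = {"token", "reset_token"}


def _token_params(parts_query: str, body: str) -> set[str]:
    """Return the reset-token parameter names present in a query string or form body."""
    names = set(parse_qs(parts_query)) | set(parse_qs(body))
    return names & RESET_TOKEN_PARAMS


def audit_reset_link(link: str) -> list[str]:
    """Check a reset link before it is sent to the user; empty list means OK.

    The link must use https so the token is never requested in cleartext,
    and it must actually carry a token parameter (otherwise the link is broken).
    """
    findings: list[str] = []
    parts = urlsplit(link)
    if parts.scheme != "https":
        findings.append("reset link does not use https")
    if not _token_params(parts.query, ""):
        findings.append("no reset token parameter found in query string")
    return findings


def find_cleartext_reset_requests(captured: list[dict]) -> list[dict]:
    """Return the captured requests that send a reset token to an http:// URL.

    Each request is a dict with 'method', 'url' and 'body' (form-encoded or
    empty), the shape a proxy export or access log could be mapped to.
    Tokens in either the query string (GET) or the body (POST) are flagged.
    """
    hits: list[dict] = []
    for req in captured:
        parts = urlsplit(req["url"])
        if parts.scheme != "http":
            continue  # https traffic is fine for this check
        if _token_params(parts.query, req.get("body", "")):
            hits.append(req)
    return hits


# Constructed sample capture: two cleartext reset requests, one over TLS, one unrelated.
CAPTURED = [
    {"method": "GET", "url": "http://app.example.test/reset-password?token=CONSTRUCTED-TOKEN-1", "body": ""},
    {"method": "GET", "url": "https://app.example.test/reset-password?token=CONSTRUCTED-TOKEN-2", "body": ""},
    {"method": "POST", "url": "http://app.example.test/reset-password", "body": "token=CONSTRUCTED-TOKEN-3&password=x"},
    {"method": "GET", "url": "http://app.example.test/static/logo.png", "body": ""},
]

if __name__ == "__main__":
    for req in find_cleartext_reset_requests(CAPTURED):
        print(f"reset token over HTTP: {req['method']} {req['url']}")
    print(audit_reset_link("http://app.example.test/reset-password?token=CONSTRUCTED-TOKEN-1"))
```

The scan treats the scheme of the request URL as the deciding factor, so a site that serves the reset page over TLS but builds the emailed link with `http://` still shows up, which is the usual root cause behind this finding; the fix is to generate reset links with a fixed https base and to redirect or refuse plain-HTTP requests to the reset endpoint.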
Impact

Low



Likelihood

Low
