S04 Custom Password Flows
What this means
SiteShadow flagged custom password reset/change flows. Password flows are deceptively tricky: small mistakes (weak tokens, missing expiry, account enumeration, missing rate limits) can lead directly to account takeover.
Why it matters
Custom flows are easy to get wrong and can enable account takeover.
- Reset token abuse: predictable, long-lived, or plaintext-stored tokens can be guessed, replayed, or read straight out of a leaked database or log.
- Account enumeration: a different message, status code, or response time for "email not found" lets attackers confirm which addresses have accounts.
- Brute force: without rate limits, a 6-digit OTP (one million possibilities) or a short reset code can be guessed by automation in minutes, leading to takeover.
Safer examples
1) Use high-entropy, single-use, short-lived reset tokens
Generate with a CSPRNG (at least 128 bits), store only a hash server-side, expire within minutes, invalidate after one use, and invalidate any earlier outstanding token when a new one is issued.
2) Make responses uniform
For reset requests, return the same message, status code, and (as far as possible) response time whether or not the account exists; send the email asynchronously so the lookup does not change the timing.
3) Add throttling and monitoring
Rate limit reset/verify endpoints and alert on spikes (see RATE01-02 / CWE-799).
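The three steps above combined into one small service, as an added example that is not SiteShadow's code and not taken from any scanned site. It assumes a constructed in-memory user store (USERS), an injectable clock so expiry can be tested, and an outbox list standing in for the mailer; the names PasswordResetService, request_reset, and complete_reset are hypothetical. Tokens come from the OS CSPRNG, only their SHA-256 is stored, they expire and are single-use, the request endpoint always returns the same reply, and both the client IP and the target address are throttled with a sliding-window counter.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # short-lived: a reset link is good for 15 minutes
RATE_LIMIT_WINDOW = 60 * 60   # throttle window: one hour
RATE_LIMIT_MAX = 5            # reset requests allowed per key (IP or address) per window

# Constructed in-memory user store for this example (hypothetical, not a real backend).
USERS: Dict[str, Dict[str, str]] = {
    "alice@example.com": {"password_hash": "<existing hash>"},
    "bob@example.com": {"password_hash": "<existing hash>"},
}

GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256) for the new password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


@dataclass
class ResetRecord:
    email: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._records: Dict[str, ResetRecord] = {}   # sha256(token) -> record; raw token never stored
        self._requests: Dict[str, List[float]] = {}  # throttle key -> request timestamps
        self.outbox: List[Tuple[str, str]] = []      # (address, token) the mailer would deliver

    @staticmethod
    def _token_hash(token: str) -> str:
        # Only the hash is persisted, so a leaked table holds no usable reset tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _throttled(self, key: str) -> bool:
        """Sliding-window counter: True when the key has used up its budget."""
        now = self._clock()
        recent = [t for t in self._requests.get(key, []) if now - t < RATE_LIMIT_WINDOW]
        if len(recent) >= RATE_LIMIT_MAX:
            self._requests[key] = recent
            return True
        recent.append(now)
        self._requests[key] = recent
        return False

    def request_reset(self, email: str, client_ip: str) -> str:
        """Same reply for every outcome (throttled, unknown account, token sent)."""
        email = email.strip().lower()
        # Throttle per client and per target address before touching the user store,
        # so unknown addresses consume budget exactly like known ones.
        if self._throttled(f"ip:{client_ip}") or self._throttled(f"email:{email}"):
            return GENERIC_REPLY
        if email not in USERS:
            return GENERIC_REPLY
        # A fresh request invalidates any earlier outstanding token for the account.
        for record in self._records.values():
            if record.email == email:
                record.used = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe
        self._records[self._token_hash(token)] = ResetRecord(
            email=email, expires_at=self._clock() + TOKEN_TTL_SECONDS
        )
        self.outbox.append((email, token))
        return GENERIC_REPLY

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token exactly once; False for unknown, expired or used tokens."""
        record = self._records.get(self._token_hash(token))
        if record is None or record.used or self._clock() > record.expires_at:
            return False
        record.used = True  # mark single-use before writing the password
        USERS[record.email]["password_hash"] = hash_password(new_password)
        return True
```

Two caveats a practitioner should keep in mind: the per-address throttle means an attacker who knows a victim's address can exhaust that budget and block legitimate resets for the window, so pair it with per-IP and global limits plus alerting rather than relying on it alone; and in a real deployment the mail send must happen off the request path (queue or background worker) or the extra latency for existing accounts reintroduces enumeration by timing.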
How SiteShadow detects it (high level)
- Detects custom reset/verify endpoints and token handling patterns.
- Flags weak token generation/storage, missing expiry, and missing throttling around password flows.
References
- OWASP Top 10: https://owasp.org/Top10/
---