Broken Authentication

Insecure Reset Password

The reset password functionality can be triggered by visiting a URL such as the one below

The trust establishment in the reset password flow is inherently weak because both parameters needed to execute the reset, the login name and the token, are supplied by the user. Additionally, the apparently random token is just the MD5 hash of the login name, which an attacker can compute trivially for any account.

This issue can be exploited by an attacker to reset any user's password by using a URL such as the one below, where the token is the MD5 hash of the victim's login name

<username>&token=<md5(username)>

You can obtain the MD5 hash for a user by running the following (`-n` stops echo from appending a newline, which would change the hash)

echo -n 'user' | md5sum


Store the password reset request along with a randomly generated token string and an expiry time

Email a reset link containing that token and the username to the user

Validate the reset token for that user (existence, expiry and match) before allowing the password reset


Implemented in the following files

  • core/authHandler.js
  • models/passreset.js

The fix has been implemented in this commit

Insecure Session Secret

The session secret in use is the insecure string 'keyboard cat', which appears in example snippets across the web, including the express-session documentation, and is therefore the first value an attacker will try

Vulnerable Code snippet


  secret: 'keyboard cat',
  resave: false,

This allows an attacker to

  1. Recompute the signature on a user's session cookie, since express-session only signs the session ID (it does not encrypt it) and the signing key is public knowledge
  2. Potentially forge a session cookie for a known session ID and bypass authentication


Always use a unique, long, securely generated random string for the secret


Implemented in the following files

  • server.js
  • config/server.js

The fix has been implemented in this commit


  • Do not copy-paste code without understanding what it does
  • Rotate session secrets
  • Store secrets in environment variables or in config files kept out of version control
  • Consider using a secret management solution if your scale demands it


