Expected Findings
- Different responses for known vs unknown emails enable account enumeration.
- Reset tokens are 6-digit sequential numbers, brute-forceable.
- Tokens travel in URL query strings and end up in access logs and Referer headers.
The forgot-password flow leaks account existence, accepts predictable tokens, and ships the token in a GET request that web servers happily log.
```go
token = strconv.Itoa(rand.Intn(1000000)) // math/rand, at most 6 digits (not zero-padded), no rate limit
```
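The keyspace behind that line is one million values (under 20 bits), and `math/rand` is not a cryptographic source. The following is an added, hardened counterpart written for this page, not code from the assessed application: a 256-bit token from `crypto/rand`, stored only as its SHA-256 hash, single-use and time-limited, handed to the mail channel for delivery to a POST endpoint (so it never rides a query string into access logs or Referer headers), and one uniform reply whether or not the address is registered. `ResetService`, `ResetTTL`, `UniformReply` and the injected `deliver` callback are assumptions for the example; the user directory is constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ResetTTL bounds how long a reset token stays valid (assumed value).
const ResetTTL = 15 * time.Minute

// UniformReply is returned for every request, registered address or not,
// so the response body cannot be used to enumerate accounts.
const UniformReply = "If that address is registered, a reset link has been sent."

var ErrInvalidToken = errors.New("invalid, used or expired reset token")

// resetRecord is what the server keeps per pending reset. The map key is the
// SHA-256 of the token, so a leaked copy of this store yields no usable tokens.
type resetRecord struct {
	email   string
	expires time.Time
	used    bool
}

// ResetService is a hypothetical in-memory stand-in for a reset backend.
type ResetService struct {
	users   map[string]bool           // registered addresses (constructed sample data)
	pending map[string]*resetRecord   // hex(SHA-256(token)) -> record
	Now     func() time.Time          // clock, injectable for tests
	deliver func(email, token string) // the mail channel; injected so it can be observed
}

func NewResetService(users map[string]bool, deliver func(email, token string)) *ResetService {
	return &ResetService{users: users, pending: map[string]*resetRecord{}, Now: time.Now, deliver: deliver}
}

// NewToken draws 32 bytes from crypto/rand (256 bits of entropy) and encodes
// them base64url: safe in a form body and infeasible to guess or brute-force.
func NewToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// RequestReset does the same work and returns the same reply for known and
// unknown addresses; only the delivery step depends on registration.
func (s *ResetService) RequestReset(email string) (string, error) {
	tok, err := NewToken()
	if err != nil {
		return "", err
	}
	if s.users[email] {
		s.pending[hashToken(tok)] = &resetRecord{email: email, expires: s.Now().Add(ResetTTL)}
		s.deliver(email, tok) // real code: mail a link to a page whose form POSTs the token
	}
	return UniformReply, nil
}

// CompleteReset is the handler behind that POST form. It returns the account
// whose password the caller may now change; the token is burned on first use.
func (s *ResetService) CompleteReset(token string) (string, error) {
	rec, ok := s.pending[hashToken(token)]
	if !ok || rec.used || s.Now().After(rec.expires) {
		return "", ErrInvalidToken
	}
	rec.used = true
	return rec.email, nil
}

func main() {
	svc := NewResetService(map[string]bool{"alice@example.com": true},
		func(email, tok string) { fmt.Printf("mail to %s carries token %s\n", email, tok) })
	for _, e := range []string{"alice@example.com", "nobody@example.com"} {
		reply, _ := svc.RequestReset(e)
		fmt.Printf("%s -> %q\n", e, reply)
	}
}
```

Because the store is keyed by the token's hash, the lookup is a plain map access and no constant-time comparison on the raw token is needed; a timing difference on hash bytes does not help recover a 256-bit preimage. Rate limiting per address and per source still belongs in front of `RequestReset`, but it is a second line of defence once the keyspace is this large.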