Skip to content

Add guidance for testing password reset token exposure via Referer headers #1355

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
YK-03 wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Add guidance for testing password reset token exposure via Referer headers #1355

Changes from 5 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
ef7cc79
Improve guidance on secure storage of password reset tokens
YK-03 Mar 5, 2026
a9510b7
Add guidance for testing password reset token exposure via Referer he…
YK-03 Mar 6, 2026
d72aded
Merge branch 'master' into improve-reset-token-referer-testing
YK-03 Mar 6, 2026
bf24d5c
Update 09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md
kingthorin Mar 6, 2026
b128e7b
Update 09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md
kingthorin Mar 6, 2026
8a8cc49
Improve WSTG-ATHN-09 by adding guidance for testing password reset to…
YK-03 Mar 7, 2026
4280158
Address review comments: improve WSTG-ATHN-09 reset token Referer tes…
YK-03 Mar 7, 2026
fbe018f
Refine testing instructions for reset token exposure
YK-03 Mar 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 38 additions & 2 deletions ...ication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,10 +113,46 @@ In this model, the user is emailed a link that contains a token. They can then c

- Is the link exposed to third parties?

If the page that the user is taken to includes content from other parties (such as loading scripts from other domains), then the reset token in the URL may be exposed in the HTTP `Referer` header sent in these requests. The `Referrer-Policy` HTTP header can be used to protect against this, so check if one is defined for the page.
#### Testing for Reset Token Exposure via Referer Headers
When a password reset link contains the token in the URL, such as: `https://example.com/reset?token=ABC123`

Additionally, if the page includes any tracking, analytics or advertising scripts, the token will also be exposed to them.

the token may be included in the HTTP `Referer` header when the page
loads external resources such as analytics scripts, images, or
JavaScript from third-party domains.

Testers should verify whether the reset token is leaked to external
services by inspecting network requests made by the reset page.

**Testing steps:**
Copy link
Copy Markdown
Collaborator

@kingthorin kingthorin Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this already within a "How to Test" section?


1. Trigger a password reset request and open the reset link.
2. Inspect network requests using browser developer tools or an
intercepting proxy such as Burp Suite or OWASP ZAP.
3. Identify requests made to external domains.
4. Check whether the full reset URL, including the token, appears in
the `Referer` header of these requests.

If the token is transmitted to third-party domains, an attacker
controlling those resources may capture the token and use it to reset
the victim's password.

**Mitigations include:**

- Avoid embedding sensitive tokens directly in URLs where possible.
- Use short-lived tokens and invalidate them after use.
- Avoid loading third-party scripts or analytics on password reset pages.
- Configure an appropriate `Referrer-Policy` header such as:

```
Referrer-Policy: strict-origin
```

or

```
Referrer-Policy: no-referrer
```
Copy link
Copy Markdown
Collaborator

@kingthorin kingthorin Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this isn't already covered in existing content it should be fit into the Remediation section. so that the entire page follows the established template.

Copy link
Copy Markdown
Collaborator

@kingthorin kingthorin Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also the header examples should use inline code fences since they aren't multiline blocks.

- Are the emails sent from a domain with anti-spoofing protection?

The domain should implement SPF, DKIM, and DMARC to prevent attackers from spoofing emails from it, which could be used as part of a social engineering attack.
Expand Down