OWASP · YK-03 · Mar 5, 2026 · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026
diff --git a/...ication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md b/...ication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities.md
@@ -113,10 +113,47 @@ In this model, the user is emailed a link that contains a token. They can then c
 
 - Is the link exposed to third parties?
 
-  If the page that the user is taken to includes content from other parties (such as loading scripts from other domains), then the reset token in the URL may be exposed in the HTTP `Referer` header sent in these requests. The `Referrer-Policy` HTTP header can be used to protect against this, so check if one is defined for the page.
+  #### Testing for Reset Token Exposure via Referer Headers
+  When a password reset link contains the token in the URL, such as:
 
-  Additionally, if the page includes any tracking, analytics or advertising scripts, the token will also be exposed to them.
+  https://example.com/reset?token=ABC123
 
+  the token may be included in the HTTP `Referer` header when the page
+  loads external resources such as analytics scripts, images, or
+  JavaScript from third-party domains.
+
+  Testers should verify whether the reset token is leaked to external
+  services by inspecting network requests made by the reset page.
+
+  **Testing steps:**
+
+  1. Trigger a password reset request and open the reset link.
+  2. Inspect network requests using browser developer tools or an
+     intercepting proxy such as Burp Suite or OWASP ZAP.
+  3. Identify requests made to external domains.
+  4. Check whether the full reset URL, including the token, appears in
+     the `Referer` header of these requests.
+
+  If the token is transmitted to third-party domains, an attacker
+  controlling those resources may capture the token and use it to reset
+  the victim's password.
+
+  **Mitigations include:**
+
+  - Avoid embedding sensitive tokens directly in URLs where possible.
+  - Use short-lived tokens and invalidate them after use.
+  - Avoid loading third-party scripts or analytics on password reset pages.
+  - Configure an appropriate `Referrer-Policy` header such as:
+
+    ```
+    Referrer-Policy: strict-origin
+    ```
+
+    or
+
+    ```
+    Referrer-Policy: no-referrer
+    ```
 - Are the emails sent from a domain with anti-spoofing protection?
 
   The domain should implement SPF, DKIM, and DMARC to prevent attackers from spoofing emails from it, which could be used as part of a social engineering attack.