One web app I had the pleasure of working on was accessible to external customers. As with almost any other online system, customers would occasionally forget their passwords. Getting a password reset required a call to customer support, along with some account verification over the phone. This wasn't the best use of customer support's time, and phone-based verification was a bit of a security hole. Most online systems instead let a user request a password reset themselves, sending an email to the customer's address containing a password reset link. The particular web framework we were using didn't have this functionality built in, so it had to be added.
The developers in question designed a system that would generate a randomized token associated with a specific account. Anyone in possession of the token could use it to reset the account's password within a fixed window after the token was created (e.g. 5 minutes). A URL containing the token was generated and inserted into an email that was sent to the customer.
Only the tokens weren't sanitized.
That's right. Just like the certification with a swear in it.
Because the URL was inserted into an email that was sent to customers, customers were potentially being sent URLs containing swear words. Luckily this was discovered fairly quickly, and fixed before we heard of any cases where customers actually received any @*@&^ing password resets.
Remember: sanitize both your inputs, and your outputs! For random tokens in particular, the cheap fix is to generate them from an alphabet that can't spell words in the first place (hex, or a base32-style alphabet with the vowels removed), and to regenerate any token that still matches a word list.
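The reset-token flow described above, as an added example rather than the original team's code. It generates tokens from a vowel-free alphabet so no English word can form, runs a leet-speak-aware word check as defence in depth, stores only a hash of each token with the 5 minute expiry from the post, and burns the token on first use. The `ResetTokenStore` class, `build_reset_url`, the `https://example.com/reset` base URL and the deliberately tame `DENYLIST` are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Added example, not the original team's code. Tokens are drawn from an
# alphabet with no vowels (A, E, I, O, U, and Y), so no English word can appear
# in them by accident. 30 symbols x 20 positions is roughly 98 bits of entropy.
SAFE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ0123456789"
TOKEN_LENGTH = 20
TOKEN_TTL_SECONDS = 5 * 60  # the 5 minute window from the post

# Constructed, deliberately tame denylist standing in for a real word list.
DENYLIST = ("DAMN", "CRAP", "HELL")

# Leet-speak digits that could still spell a word in a vowel-free alphabet.
_DIGIT_TO_LETTER = str.maketrans("0134578", "OIEASTB")


def looks_like_word(token: str, denylist=DENYLIST) -> bool:
    """Defence in depth: flag tokens that spell a denylisted word, even via digits."""
    normalised = token.upper().translate(_DIGIT_TO_LETTER)
    return any(word in normalised for word in denylist)


def generate_token(alphabet=SAFE_ALPHABET, length=TOKEN_LENGTH) -> str:
    """Return a CSPRNG token that cannot contain a denylisted word."""
    while True:
        token = "".join(secrets.choice(alphabet) for _ in range(length))
        if not looks_like_word(token):
            return token


def _hash(token: str) -> str:
    # Only the hash is stored, so a leaked token table cannot be used to reset passwords.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class ResetTokenStore:
    """In-memory stand-in (assumed) for the table mapping tokens to accounts."""

    def __init__(self):
        self._by_hash = {}  # sha256(token) -> (account_id, expires_at)

    def issue(self, account_id: str, now=None) -> str:
        """Create a token for the account and return it for inclusion in the email."""
        now = time.time() if now is None else now
        token = generate_token()
        self._by_hash[_hash(token)] = (account_id, now + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token: str, now=None):
        """Return the account for a valid, unexpired token and burn it; else None."""
        now = time.time() if now is None else now
        entry = self._by_hash.pop(_hash(token), None)  # single use, valid or not
        if entry is None:
            return None
        account_id, expires_at = entry
        if now > expires_at:
            return None
        return account_id


def build_reset_url(token: str, base="https://example.com/reset") -> str:
    """Build the link that goes into the customer email (base URL is assumed)."""
    return f"{base}?{urlencode({'token': token})}"


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("acct-42")
    print(build_reset_url(t))
    print(store.consume(t))  # acct-42
    print(store.consume(t))  # None: already used
```

The word check normalises digits to letters only for the comparison; the token itself keeps its digits. Because the token is looked up by its SHA-256 hash, an expired or already-used token is removed on the same code path as a valid one, so a user never gets a second chance with the same link.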