Need

Secure password reset functionality

Context

Description

import javax.servlet.http.*;
import java.io.IOException;

public class PasswordResetServlet extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String userEmail = request.getParameter("userEmail");
...

The vulnerability lies in the `doPost` method of the `PasswordResetServlet` class. This method is responsible for handling password reset requests. It retrieves the user's email from the request parameters and generates a password reset link. The problem here is that the reset link is generated using the server name retrieved from the HTTP request (`request.getServerName()`). This is a security risk because an attacker can manipulate the HTTP request to change the server name to a domain under their control. Once the attacker has manipulated the server name, the application will send the password reset link to the user's email. The link will point to the attacker's domain, not the application's domain. When the user clicks on the link, they will be redirected to the attacker's site where they can be tricked into entering their new password. This is known as password reset poisoning.

import javax.servlet.http.*;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.TimeUnit;

import org.apache.commons.lang3.RandomStringUtils;
...

The updated code includes several security enhancements to mitigate the password reset poisoning vulnerability: 1. **Input Sanitization and Validation**: The `sanitizeInput` method is used to sanitize and validate the `userEmail` parameter to prevent any malicious input. 2. **URL Encoding**: The `URLEncoder.encode` method is used to ensure that the `resetLink` is correctly formatted and cannot be manipulated by an attacker. 3. **HTTPS**: The `resetLink` now uses HTTPS instead of HTTP to ensure secure communication. 4. **Rate Limiting and Account Lockout**: The code now includes a rate limiting mechanism that locks out the user after `MAX_ATTEMPTS` failed attempts for `LOCKOUT_DURATION` minutes. 5. **Secure Token Generation**: The `generateToken` method now uses a secure token generation algorithm to generate unique and unpredictable tokens for each password reset request. 6. **Token Storage**: The generated tokens are now securely stored using the `BCryptPasswordEncoder` class. 7. **Secure Email Sending**: The `sendResetLink` method is used to send the reset link to the user's email address. This method should include a mechanism to verify the recipient's email address and prevent email spoofing. 8. **Logging and Monitoring**: Although not shown in the code, it is recommended to implement logging and monitoring to detect and respond to any suspicious activity related to password reset requests.

References