spec checked
OWASP WSTG testing weak password change or reset
Documents password reset testing for HTTPS reset links, token reuse, token expiry, token predictability, account binding, old-password invalidation, and secure change or reset behavior.
Pattern Decisions This Source Supports
| Pattern | Supported decision | Required contract | Claim note |
|---|---|---|---|
| Password reset | Choose password reset when an unauthenticated or partially authenticated user needs to regain account access by proving control of a recovery channel and setting a replacement password. | Submitting an identifier always leads to the same visible confirmation, regardless of whether an account exists. | OWASP WSTG supports testing HTTPS reset links, token reuse, expiry, predictability, account binding, and invalidation behavior. |
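The required contract in the row above (one visible confirmation whether or not an account exists) and the WSTG behaviours listed in the claim note (token reuse, expiry, predictability, account binding, invalidation on password change) can be checked against a concrete implementation. The following is an added example written for this card, not code from OWASP or from any pattern library; every name in it (`PasswordResetService`, `ResetRecord`, `FakeClock`, the two constructed accounts, the 15-minute TTL) is an assumption chosen for illustration. It models the reset flow as a service that issues unpredictable single-use tokens, stores only their hash, binds each token to one account, expires it, revokes every outstanding token when the password changes, and returns the same reply for known and unknown identifiers.

```python
"""Password reset token handling: uniform reply, single-use, expiring,
unpredictable tokens bound to one account and revoked on password change.
Illustrative example; all class and account names are assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset token
PBKDF2_ROUNDS = 100_000
# One reply for every request, so the response does not reveal whether
# the submitted identifier matches an account.
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    user_id: str
    email: str
    salt: bytes
    password_hash: bytes


@dataclass
class ResetRecord:
    user_id: str        # account binding: the token can only reset this user
    expires_at: float   # absolute expiry time
    used: bool = False  # single use


class PasswordResetService:
    def __init__(self, users, now=time.time):
        self.users = {u.email: u for u in users}
        self.now = now
        self.records = {}  # token hash -> ResetRecord
        self.outbox = []   # constructed stand-in for e-mail delivery: (email, token)

    @staticmethod
    def _token_hash(token: str) -> bytes:
        # Only the hash is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, email: str) -> str:
        user = self.users.get(email.strip().lower())
        # Generate the token unconditionally so both branches do similar work,
        # which narrows the timing difference between known and unknown accounts.
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = self._token_hash(token)
        if user is not None:
            self.records[digest] = ResetRecord(user.user_id, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((user.email, token))
        return GENERIC_REPLY

    def complete_reset(self, token: str, new_password: str) -> bool:
        record = self.records.get(self._token_hash(token))
        if record is None or record.used or self.now() > record.expires_at:
            return False  # unknown, already used, or expired
        user = next(u for u in self.users.values() if u.user_id == record.user_id)
        self.set_password(user, new_password)
        return True

    def set_password(self, user: User, new_password: str) -> None:
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        # A password change revokes every outstanding token for this account.
        for record in self.records.values():
            if record.user_id == user.user_id:
                record.used = True

    def verify_password(self, email: str, password: str) -> bool:
        user = self.users.get(email.strip().lower())
        if user is None:
            return False
        return secrets.compare_digest(hash_password(password, user.salt), user.password_hash)


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def make_service(clock=None) -> PasswordResetService:
    """Build a service over two constructed accounts (sample data, not real users)."""
    def new_user(uid, email, pw):
        salt = secrets.token_bytes(16)
        return User(uid, email, salt, hash_password(pw, salt))
    users = [new_user("u1", "alice@example.com", "alice-old-pw"),
             new_user("u2", "bob@example.com", "bob-old-pw")]
    return PasswordResetService(users, now=clock or FakeClock(1_000_000.0))


if __name__ == "__main__":
    svc = make_service()
    print(svc.request_reset("alice@example.com"))
    print(svc.request_reset("nobody@example.com"))  # identical reply
    _, token = svc.outbox[0]
    print("reset ok:", svc.complete_reset(token, "alice-new-pw"))
    print("reuse ok:", svc.complete_reset(token, "again"))  # False: single use
```

The `outbox` list stands in for the recovery channel so the flow can be exercised offline; in a real service the token would travel only in the HTTPS reset link and never appear in a response body. Equalising the work done in both branches of `request_reset` reduces, but does not fully remove, the timing side channel between existing and non-existing accounts; the remaining differences are the database lookup and delivery, which is why many deployments hand delivery to a background queue.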
Evidence Role
This source is treated as spec evidence. Use it to validate the decision rules above, not as a visual style reference.
Publisher: OWASP Web Security Testing Guide. Last checked: .