Every web application provides a mechanism to reset an account password.
This generally prompts the user to enter their registered email address in order to receive a password reset link.
As soon as the user enters a registered email address, they get an email from the web application containing the password reset link.
The following are a few ways to test this functionality of a web application:
Test whether non-registered users can also get a password reset link by requesting one as if they were a registered user.
The registered user gets the reset link, and the link contains the email address. Check what happens when you change it to another registered email address, and also to a non-registered one.
For example, alice has an account on http://site.com and requested a password reset; she will get an email containing a link like http://site.com/password_reset?email=alice@gmail.com. Now test the web application by entering another email address in the above link.
This is a very old technique; nowadays everyone uses a random token along with the email address in the reset link. One example of such a reset link is
In the above link, test whether the email and the token are associated with each other. If they are not, you can change the email to another address and change that account's password.
The latest web applications have removed the email field from the reset link altogether, so you will only have the reset token.
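As an added illustration (not code from the original post), here is a minimal Python model of the two checks described above: a weak reset handler where the email in the link and the token are not associated, beside a hardened one where the token alone identifies the account, expires, and can only be used once. The in-memory USERS and RESET_TOKENS stores and the example addresses are constructed assumptions standing in for a real database.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for the application's database (assumption, not a real framework).
USERS = {"alice@example.com": {"password": "old"}, "bob@example.com": {"password": "old"}}
RESET_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ..., "used": ...}


def _key(token):
    # Store only a hash of the token so a leaked table cannot be replayed as reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email, ttl_seconds=900, now=None):
    """Issue a random, expiring, single-use token bound to the requesting account.
    Returns None for unknown emails so the caller can show the same message either way."""
    if email not in USERS:
        return None
    issued_at = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_key(token)] = {"email": email, "expires": issued_at + ttl_seconds, "used": False}
    return token


def reset_password_weak(email, token, new_password):
    """Weak check from the post: the token only proves that some reset was requested;
    the email parameter in the link picks the account, so any valid token resets any account."""
    if _key(token) not in RESET_TOKENS or email not in USERS:
        return False
    USERS[email]["password"] = new_password
    return True


def reset_password_bound(token, new_password, now=None):
    """Hardened check: the token alone selects the account (no email in the link),
    expired or already used tokens are rejected, and the token is consumed on success."""
    record = RESET_TOKENS.get(_key(token))
    if record is None or record["used"]:
        return False
    current = now if now is not None else time.time()
    if current > record["expires"]:
        return False
    record["used"] = True
    USERS[record["email"]]["password"] = new_password
    return True
```

Running the weak handler with alice's token and bob's address succeeds, which is exactly the missing association the post tells you to test for; the bound handler has no email parameter to tamper with.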