A04 — Insecure Design

1000-ft view: these examples aren’t “bugs” in a single line — they’re bad designs. We’ll generate predictable reset links, skip re-auth for sensitive actions, accept cross-site settings changes, hand out reusable magic links, and let coupons be reapplied forever.

Attack 1 — Password Reset Flow

predictable token • no TTL • reusable

Why it’s bad: the token is email|timestamp (guessable), there is no server-side store, no expiry, and the same link can be reused indefinitely.

  1. Click Generate Insecure Reset Link and copy the URL.
  2. Paste below and Use Link — it will work every time.

Attack 2 — Sensitive Action Re-Auth

no password prompt

Why it’s bad: lets a logged-in user change their email without re-entering the current password; session hijack ⇒ account takeover.

  1. Enter a new email and submit — no password required.

Attack 3 — CSRF: Settings Change

no CSRF token • cross-site form allowed

Why it’s bad: state-changing POST accepts requests from any origin, no token, no origin/referrer checks.

  1. Submit the legitimate form — it will work.
  2. Launch the “malicious” auto-submit — also works (vulnerability!).

Attack 4 — Magic Link Login

reusable • no expiry

Why it’s bad: the link never expires and can be used by anyone who has it, forever. No binding to device/IP, no single-use.

  1. Generate the link and copy it.
  2. Open it multiple times — it keeps “logging in”.
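Attack 1 and Attack 4 fail for the same reason: a link-bearing token that is predictable or never invalidated. As an added example (not the lab's own code), the email|timestamp token from Attack 1 beside a hardened design that serves both the reset link and the magic link: a random token from the OS CSPRNG, a server-side store of its hash, a TTL, and single-use consumption. The names insecure_reset_token and OneTimeTokenStore are assumptions.

```python
import base64
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Insecure design from the lab: the token is just email|timestamp, so anyone who
# knows the email and roughly when the link was requested can reproduce it, and
# nothing on the server ever expires or revokes it.
def insecure_reset_token(email: str, ts: int) -> str:
    return base64.urlsafe_b64encode(f"{email}|{ts}".encode()).decode()


class OneTimeTokenStore:
    """Hardened design: random token, hash stored server-side, TTL, single use.

    Usable for both password-reset links and magic-link logins (hypothetical
    helper written for this example).
    """

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        # sha256(token) -> (email, expires_at); only the hash is kept, so a
        # leaked store does not hand out usable links.
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, not derivable from email/time
        self._pending[self._digest(token)] = (email, now + self.ttl)
        return token

    def consume(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email the token was issued for, or None if unknown, expired or already used."""
        now = time.time() if now is None else now
        # pop() removes the record on first use, so a replayed link is rejected.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        email, expires_at = record
        if now > expires_at:
            return None
        return email
```

The same consume() path should also require the caller to prove nothing else: device/IP binding is an additional control, but expiry plus single use already removes the "use it forever" behaviour the lab demonstrates.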

Attack 5 — Coupon Logic

re-apply unlimited

Why it’s bad: applies SAVE50 on every click with no single-use check or cap — totals can go negative.

  1. Set a subtotal and click Apply SAVE50 repeatedly.