A04 — Insecure Design (Secure)

1000-ft view: Insecure design is about flawed flows and policies, not just code bugs. This page shows secure designs for five common flows: password reset, sensitive action re-auth, CSRF-resistant settings, one-time magic links, and coupon business rules.

Attack 1 — Password Reset Flow

random token + TTL + one-time

Secure idea: generate a cryptographically random token, store it server-side with a short TTL, and invalidate it on first use. Don’t derive the token from predictable data such as email|timestamp.

  1. Click Generate Secure Reset Link. Copy the link from the output.
  2. Paste it into the box below and click Use Link (first use should succeed; subsequent uses should fail).

Attack 2 — Sensitive Action Re-Auth

recent password check

Secure idea: require the user’s current password (or WebAuthn) within a recent window (e.g., 5–15 minutes) before high-risk changes like changing email or enabling 2FA.

  1. Enter a new email and your current password (simulated).
  2. Submit — the endpoint verifies a recent re-auth window and CSRF token.

Attack 3 — CSRF: Settings Change

CSRF token + SameSite

Secure idea: protect state-changing POSTs with a per-session CSRF token and SameSite=Lax/Strict cookies. Validate token and origin/referrer.

  1. Submit via the legitimate form (has CSRF token) — should succeed.
  2. Try the Launch CSRF Attempt (no token) — should be rejected.

Attack 4 — Magic Link Login

one-time + short TTL

Secure idea: magic links should be single-use and expire quickly (e.g., 5–10 minutes). Store server-side and invalidate on use.

  1. Click Generate Magic Link, copy the URL.
  2. Paste below, click Open Link — first use succeeds, reuse fails.
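The reset link in Attack 1 and the magic link in Attack 4 share one pattern: a server-side store of random, single-use, short-lived tokens. The example below is added here and is not the lab's own code; the store class, keeping only SHA-256 digests of tokens, binding each token to a purpose, and the injectable clock are this example's assumptions, not the page's implementation.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class _Record:
    user: str
    purpose: str        # "reset" or "login": a reset token must never log someone in
    expires_at: float

class OneTimeTokenStore:
    """Server-side store of random, single-use, short-lived tokens; only SHA-256 digests are kept."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                     # injectable so expiry can be tested deterministically
        self._records: Dict[str, _Record] = {}  # digest(token) -> record

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, purpose: str, ttl_seconds: int) -> str:
        # 32 bytes from the OS CSPRNG; nothing about the user or the time is encoded in it
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = _Record(user, purpose, self._clock() + ttl_seconds)
        return token

    def redeem(self, token: str, purpose: str) -> Optional[str]:
        """Return the user if the token is valid for this purpose and consume it; else None."""
        key = self._digest(token)
        rec = self._records.get(key)
        if rec is None or rec.purpose != purpose:
            return None
        self._records.pop(key)                  # single use: removed whether fresh or expired
        return rec.user if self._clock() <= rec.expires_at else None

def demo() -> dict:
    """Constructed walk-through: reset link with 15 min TTL, magic link with 10 min TTL."""
    now = [1_700_000_000.0]
    store = OneTimeTokenStore(clock=lambda: now[0])
    reset = store.issue("alice@example.com", "reset", ttl_seconds=15 * 60)
    link = store.issue("alice@example.com", "login", ttl_seconds=10 * 60)
    out = {"reset_first": store.redeem(reset, "reset"),      # succeeds
           "reset_second": store.redeem(reset, "reset"),     # rejected: already used
           "cross_purpose": store.redeem(link, "reset")}     # rejected: wrong purpose; link kept
    now[0] += 11 * 60                                        # clock moves past the magic link TTL
    out["link_expired"] = store.redeem(link, "login")        # rejected: expired
    return out
```

Because the stored digest is of a 256-bit random value, the table itself is useless to anyone who reads it, and the same store serves both flows with a different `purpose` and TTL.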

Attack 5 — Coupon Logic

one-time + caps

Secure idea: enforce business rules server-side: coupon applies once per session, minimum subtotal, and a maximum discount cap.

  1. Adjust subtotal, click Apply SAVE50 to apply once.
  2. Attempts to re-apply should be denied.