Replayable Password Change Request Across Sessions.
Team Summary
Official summary from Malwarebytes
Summary

The report describes a vulnerability in the password change endpoint (PUT /authentication/password) that allows for replay attacks. An attacker who captures a valid password change request can reuse the exact same request later, even from a different session or device, to reset the password again. This vulnerability persists across session renewals and does not require fresh CSRF tokens, timestamps, or other anti-replay mechanisms.

Steps to Reproduce

1. Log in as a user in Browser A using valid credentials.
2. Intercept the password change request in Burp Suite.
3. Send the captured request to Burp Repeater and save it for later use.
4. Log out of Browser A; attempting to replay the request shows "isAuth:False".
5. Log in again as the same user in another browser, Browser B.
6. From Burp Repeater, replay the exact same password change request captured in Step 3.
7. Observe that the request succeeds and the password is changed, even though it originated from a different session, after the old session was logged out, and reused the exact same body and headers.

A video recording (Recording_2025-07-24_154829.mp4) was provided as proof of concept.

Impact

The impact allows an attacker who has obtained a user's password change request to persistently maintain control over the account by replaying the captured request. This vulnerability allows unauthorized reuse of stale sessions/tokens to perform sensitive actions like password changes from any device or browser, as long as the victim is logged in. The attacker essentially has a "hidden backdoor" into the account by saving and reusing an old request. This breaks fundamental expectations of session security.

CWE-613 (Insufficient Session Expiration) typically impacts authentication systems by allowing attackers to reuse old session credentials or session IDs for authorization purposes. This could lead to unauthorized access to sensitive functionality and data, bypassing proper authentication controls.
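The following is an added illustration, not Malwarebytes' code and not taken from the report: a minimal in-memory model of a PUT /authentication/password endpoint in two forms. The vulnerable form binds the auth cookie to the user (and only checks whether that user has any live session), which is one server-side design that reproduces the report's steps exactly: the captured request fails right after logout ("isAuth" false) and succeeds again once the same user logs in elsewhere. The hardened form binds the cookie to a specific session, requires the current password, and requires a per-session single-use token that rotates after each change, so the captured request stays dead. The user store, the secret, the cookie format, and the status codes are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed fixtures for the illustration (assumptions, not the real service).
SECRET = b"constructed-server-secret"
USERS = {"alice": "hunter2"}


def _sign(msg: str) -> str:
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()


class VulnerableServer:
    """Cookie is a signed *user* token rather than a session id, and the auth check
    asks "does this user have any live session?" instead of "is this session live?".
    A captured request therefore replays from any device while the user is logged in."""

    def __init__(self):
        self.users = dict(USERS)
        self.live_sessions = {}  # user -> set of session ids

    def login(self, user, password):
        if self.users.get(user) != password:
            return None
        sid = secrets.token_hex(16)
        self.live_sessions.setdefault(user, set()).add(sid)
        # The bug: the cookie identifies the user, not this particular session.
        return {"user": user, "sid": sid, "cookie": f"{user}.{_sign(user)}"}

    def logout(self, creds):
        self.live_sessions.get(creds["user"], set()).discard(creds["sid"])

    def _auth(self, cookie):
        user, sig = cookie.split(".", 1)
        if not hmac.compare_digest(sig, _sign(user)):
            return None
        return user if self.live_sessions.get(user) else None

    def change_password(self, request):
        user = self._auth(request["headers"]["Cookie"])
        if user is None:
            return 401  # reported as isAuth:False while no session is live
        self.users[user] = request["body"]["newPassword"]
        return 200


class HardenedServer:
    """Cookie is an opaque per-session id; a password change also needs the current
    password and a single-use token tied to that session, rotated on every change."""

    def __init__(self):
        self.users = dict(USERS)
        self.sessions = {}  # sid -> {"user": ..., "csrf": ...}

    def login(self, user, password):
        if self.users.get(user) != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return {"user": user, "sid": sid, "cookie": sid, "csrf": self.sessions[sid]["csrf"]}

    def logout(self, creds):
        self.sessions.pop(creds["sid"], None)

    def change_password(self, request):
        sess = self.sessions.get(request["headers"]["Cookie"])
        if sess is None:
            return 401  # that specific session is gone; a new login elsewhere does not revive it
        token = request["headers"].get("X-CSRF-Token", "")
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403  # token from another session, or already consumed
        if self.users[sess["user"]] != request["body"]["currentPassword"]:
            return 403  # stale request: the current password no longer matches
        self.users[sess["user"]] = request["body"]["newPassword"]
        sess["csrf"] = secrets.token_hex(16)  # consume the token so the request is single-use
        return 200


def reproduce(server):
    """Walk the report's steps: capture in Browser A, log out, replay, log in as the
    same user in Browser B, replay. Returns (first_change, after_logout, after_relogin)."""
    a = server.login("alice", "hunter2")
    captured = {  # constructed stand-in for the request saved in Burp Repeater
        "method": "PUT",
        "path": "/authentication/password",
        "headers": {"Cookie": a["cookie"], "X-CSRF-Token": a.get("csrf", "")},
        "body": {"currentPassword": "hunter2", "newPassword": "correct-horse"},
    }
    first = server.change_password(captured)  # legitimate change from Browser A
    server.logout(a)
    after_logout = server.change_password(captured)  # Step 4
    server.login("alice", "correct-horse")  # Step 5: Browser B, same user, new session
    after_relogin = server.change_password(captured)  # Step 6: byte-identical replay
    return first, after_logout, after_relogin


if __name__ == "__main__":
    print("vulnerable:", reproduce(VulnerableServer()))  # (200, 401, 200)
    print("hardened:  ", reproduce(HardenedServer()))  # (200, 401, 401)
```

The third tuple element is the distinguishing check: a server that answers 200 there accepts a request captured in one session as authorization in another, which is the behaviour the report demonstrates. Any one of the three hardening controls (session-bound cookie, current-password check, rotating single-use token) would block this particular replay on its own; they are shown together because each closes a different gap.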
Report Details
Additional information and metadata
State
Closed
Substate
Informative
Submitted
Weakness
Insufficient Session Expiration