Broken Authentication Testing
Audited by Socket on Mar 4, 2026
2 alerts found:
Malware / Obfuscated File: This fragment is a high-risk, actionable guide for credential stuffing attacks and includes explicit operational security advice to avoid detection. It should be treated as malicious content: do not use or execute these instructions without explicit, documented authorization from the target owner. Defenders should monitor for described indicators (matched login attempts, slow low-and-slow patterns, diverse IPs with consistent credential pairs) and treat leaked credential replay attempts as high-priority incidents.
This document is an actionable test/attack plan targeting password reset flows. It presents realistic techniques (token reuse/modification, email parameter manipulation, brute-force/rate-limit evasion) that could enable account takeover if a web application is implemented insecurely. It should be used only by authorized testers; defenders should verify reset tokens are unpredictable, single-use, tied to the correct account server-side, and protected by rate-limiting, logging, and MFA for high-value accounts. No malicious code or obfuscation is present, but the plan's operational guidance increases the security risk if used maliciously.