class AccountRecoveryTagger
- AccountRecoveryTagger
- Tagger
- Reference
- Object
Overview
Flags credential-management and account-recovery endpoints — password reset/change, forgot-password, email change, MFA/2FA enrollment, OTP, and account verification/recovery. These are the classic account-takeover surface: review for reset-token leakage, host-header injection in reset links, account enumeration, missing rate limiting, and weak step-up verification.
Defined in:
tagger/taggers/account_recovery.cr

Constant Summary

- STRONG_PARAM_NAMES = Set {"new_password", "old_password", "current_password", "password_confirmation", "password_confirm", "reset_token", "reset_password_token", "otp", "otp_code", "mfa_code", "totp_code", "verification_code", "recovery_code", "confirmation_token"}
  Parameter names that mark a credential change or a recovery/step-up code regardless of the route.

- STRONG_PATH_PARTS = Set {"password", "passwd", "forgot", "mfa", "2fa", "totp", "otp", "webauthn", "passkey", "passkeys"}
  Path segments that on their own mark a credential/recovery action. "password", "mfa", "otp" and "forgot" are not benign as a standalone path component. "recover" and "recovery" are intentionally not here — they collide with disaster/backup/data recovery — and are matched in the weak tier instead (so "/account/recovery" tags but "/disaster-recovery" does not).

- STRONG_SQUISHED_SEGMENTS = Set {"twofactor", "multifactor", "secondfactor"}
  Spelled-out multi-factor path words. The generic separator split turns "two-factor" into the harmless tokens [two, factor], so the "mfa"/"2fa" forms above never match these. Checked against separator-stripped slash segments instead, so "two-factor", "two_factor" and "twofactor" (and the "second-"/"multi-" spellings) all match.

- WEAK_PATH_PARTS = Set {"verify", "verification", "confirm", "confirmation", "resend", "reset", "email", "username", "change", "update", "phone", "account", "recover", "recovery"}
  Weaker, generic action words. Tag only when two distinct weak tokens co-occur (e.g. "/verify-email", "/change-email", "/account/recovery"), so a bare "/reset" or "/confirm" on an unrelated resource is not flagged. "change"/"update" pair with "email"/"username" to catch the email-change ATO vector.
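The four tiers above (strong parameter names, strong path tokens, separator-stripped squished segments, and the two-distinct-weak-tokens rule) together form one classification procedure. The following is an added, self-contained reimplementation of that procedure in Ruby, written for this page to make the tiering concrete; it is not the project's Crystal code, and the function names (account_recovery_reason, account_recovery?, tag_routes), the separator set [-_.] and the sample routes are assumptions chosen for the illustration. It returns which tier fired, which is what a reviewer triaging a large route list usually wants to see next to the tag.

```ruby
require "set"

# Constant values copied from the page; the tiering logic below is an assumed
# reconstruction of the described behaviour, not the project's implementation.
STRONG_PARAM_NAMES = Set.new(%w[
  new_password old_password current_password password_confirmation
  password_confirm reset_token reset_password_token otp otp_code mfa_code
  totp_code verification_code recovery_code confirmation_token
])
STRONG_PATH_PARTS = Set.new(%w[password passwd forgot mfa 2fa totp otp webauthn passkey passkeys])
STRONG_SQUISHED_SEGMENTS = Set.new(%w[twofactor multifactor secondfactor])
WEAK_PATH_PARTS = Set.new(%w[
  verify verification confirm confirmation resend reset email username
  change update phone account recover recovery
])

# Assumed generic separator split: hyphen, underscore and dot inside a segment.
SEPARATORS = /[-_.]/

# Lower-cased slash segments of the path, ignoring any query string.
def path_segments(path)
  path.split("?", 2).first.to_s.split("/").reject(&:empty?).map(&:downcase)
end

# Returns a short reason string when the route should be tagged, nil otherwise.
# Tiers are checked in the order the page lists them.
def account_recovery_reason(path, param_names = [])
  # Tier 1: parameter names are route-independent evidence.
  hit = param_names.map(&:downcase).find { |n| STRONG_PARAM_NAMES.include?(n) }
  return "strong param: #{hit}" if hit

  segments = path_segments(path)
  tokens = segments.flat_map { |s| s.split(SEPARATORS) }.reject(&:empty?)

  # Tier 2: a single strong token is enough.
  hit = tokens.find { |t| STRONG_PATH_PARTS.include?(t) }
  return "strong path part: #{hit}" if hit

  # Tier 3: strip separators from whole slash segments so two-factor,
  # two_factor and twofactor all collapse to the same word.
  hit = segments.map { |s| s.gsub(SEPARATORS, "") }
                .find { |s| STRONG_SQUISHED_SEGMENTS.include?(s) }
  return "strong squished segment: #{hit}" if hit

  # Tier 4: weak words only count when two *distinct* ones co-occur.
  weak = tokens.select { |t| WEAK_PATH_PARTS.include?(t) }.uniq
  return "weak pair: #{weak.first(2).join('+')}" if weak.size >= 2

  nil
end

def account_recovery?(path, param_names = [])
  !account_recovery_reason(path, param_names).nil?
end

# Tag a list of [path, param_names] pairs; returns {path => reason} for hits only.
def tag_routes(routes)
  routes.each_with_object({}) do |(path, params), out|
    reason = account_recovery_reason(path, params)
    out[path] = reason if reason
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample route table, chosen to exercise every tier and the
  # documented false-positive guards.
  sample = [
    ["/api/v1/password/reset", []],
    ["/settings/two-factor/enroll", []],
    ["/account/recovery", []],
    ["/disaster-recovery", []],
    ["/reset", []],
    ["/session", ["otp"]],
  ]
  tag_routes(sample).each { |path, why| puts "#{path}  <-  #{why}" }
end
```

Running the block prints one line per tagged route with the tier that matched; "/disaster-recovery" and the bare "/reset" are left untagged, as the page's weak-tier rule requires.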