I'm new to B2C, so excuse me if my question is about something obvious. There is a custom policy that is used to set a password after registration. The policy is working fine and updates the password. If the same link is used again in the browser, the policy correctly shows an error that the activation link has expired. The problem is that if someone captures the HTTP requests, and particularly the POST request that changes the password, and sends it again from a tool with a new value for the password field, it actually updates the password in B2C. Could you please recommend how to secure this POST step?
Why would an attacker change a password when they already have it from the original attack? That would only raise suspicion. – Jas Suri - MSFT Sep 17 '20 at 10:27
1 Answer
You could add a CAPTCHA challenge as described by this Azure AD B2C sample.
This should prevent a direct replay of the registration step.

Chris Padgett
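The replay the question describes (the browser flow reports the activation link as expired, yet a re-sent POST with a different password value still succeeds) is what happens when the state-changing request is not bound to a server-side, single-use token that is consumed on first use. The following is an added, generic illustration of that binding in Python; it is not Azure AD B2C policy code and does not describe how B2C implements link expiry. The token store, the `change_password` helper and the user records are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class PasswordResetTokens:
    """Constructed in-memory store of one-time password-reset tokens.

    Each token maps to (user_id, issued_at, used). A real deployment would keep
    this server-side in persistent, shared storage so every instance sees the
    same 'used' flag.
    """

    ttl_seconds: int = 600
    _store: Dict[str, Tuple[str, float, bool]] = field(default_factory=dict)

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Mint an unguessable token bound to one user."""
        issued_at = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._store[token] = (user_id, issued_at, False)
        return token

    def consume(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the bound user id if the token is valid, unexpired and unused,
        and mark it used in the same step so a replayed request sees it spent.
        Returns None for unknown, expired or already-consumed tokens."""
        current = time.time() if now is None else now
        entry = self._store.get(token)
        if entry is None:
            return None
        user_id, issued_at, used = entry
        if used or current - issued_at > self.ttl_seconds:
            return None
        # Mark as used before acting on it; a second POST carrying the same
        # token now fails regardless of what the password field contains.
        self._store[token] = (user_id, issued_at, True)
        return user_id


def change_password(
    tokens: PasswordResetTokens,
    users: Dict[str, str],
    token: str,
    new_password: str,
    now: Optional[float] = None,
) -> str:
    """Handler for the POST that sets the password. The token, not the request
    body, decides whether the change is allowed; the password value is only
    applied after the token has been consumed."""
    user_id = tokens.consume(token, now=now)
    if user_id is None or user_id not in users:
        return "rejected"
    users[user_id] = new_password  # constructed stand-in for a real password update
    return "ok"


def demo() -> Dict[str, str]:
    """Walk through the captured-and-replayed POST scenario from the question."""
    tokens = PasswordResetTokens(ttl_seconds=600)
    users = {"alice": "initial-password"}
    link_token = tokens.issue("alice", now=1000.0)

    first = change_password(tokens, users, link_token, "chosen-by-user", now=1001.0)
    # Same POST captured and re-sent with a different password field value.
    replay = change_password(tokens, users, link_token, "chosen-by-attacker", now=1002.0)

    return {"first": first, "replay": replay, "stored": users["alice"]}


if __name__ == "__main__":
    print(demo())
```

The important property is that the token is spent inside the same step that authorises the change, so a replayed POST is refused even though every field in it is otherwise well-formed. Checking only the link's age, or only that the browser session has moved on, does not give that guarantee; the POST itself has to carry and consume the one-time value.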