I found an interesting flaw in your password recovery mechanism that makes it possible to reset a password without a valid token and without knowing the current password. I'm going to explain it here:
On the https://www.twitterflightschool.com/ domain, if you request a password reset from https://www.twitterflightschool.com/student/authentication/request_password_reset you'll get a reset password link in your email that looks like:
If you are logged in to your account, the application doesn't validate the token at all. In fact, for resetting the password we don't need a token: just via the
https://www.twitterflightschool.com/student/authentication/reset_password/ link, we can reset our password!
On this domain, changing the password from the profile page requires entering the current password first, but using this issue it's possible to bypass that check and update the password without knowing the current password.
Note: To abuse this issue an attacker first needs to hijack the victim's session, because using
https://www.twitterflightschool.com/student/authentication/reset_password/ to change the password changes the current user's password. So the attack scenario is limited to the case where an attacker has successfully hijacked a victim's session and wants to update the password (but doesn't know the current password). He uses this issue to bypass
Change Password in the profile section and update the password without knowing the current password.
Assuming the victim's Twitter session is hijacked and in a logged-in state for the attacker, the steps below must be followed in order to reproduce the security vulnerability.
Password successfully updated
To fix this, simply reject requests to the
/student/authentication/reset_password/ endpoint that lack a valid token, even while the user is logged in.
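As an added example (not code from this report or from Twitter Flight School), a minimal Python model of the endpoint showing the reported behaviour beside the suggested fix: the hardened handler identifies the account from a single-use, expiring token and never lets a logged-in session stand in for it. The store names, the 15-minute TTL and the password hash helper are constructed for the demo.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # reset links stay valid for 15 minutes (constructed policy)

# Constructed in-memory stand-ins for the application's user and token tables.
USERS = {"student@example.com": {"pw_hash": None}}
RESET_TOKENS = {}  # sha256(token) -> (email, expires_at)


def hash_pw(password):
    # Stand-in for a real password hash (argon2/bcrypt); fixed salt keeps the demo self-contained.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000).hex()


def issue_reset_token(email, now=None):
    """Create a one-time reset token; only its hash is stored server side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL)
    return token


def _consume_token(token, now):
    """Return the e-mail bound to a valid, unexpired token and burn it; None otherwise."""
    if not token:
        return None
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
    if entry is None or entry[1] < now:
        return None
    return entry[0]


def reset_password_vulnerable(session_user, token, new_password, now=None):
    """Mirrors the reported behaviour: a logged-in session skips token validation entirely."""
    now = time.time() if now is None else now
    email = session_user if session_user is not None else _consume_token(token, now)
    if email is None:
        return "invalid token"
    USERS[email]["pw_hash"] = hash_pw(new_password)
    return "Password successfully updated"


def reset_password_fixed(session_user, token, new_password, now=None):
    """Hardened: the account comes from the token alone; the session is never a substitute."""
    now = time.time() if now is None else now
    email = _consume_token(token, now)
    if email is None:
        return "invalid token"
    USERS[email]["pw_hash"] = hash_pw(new_password)
    return "Password successfully updated"
```

With the fixed handler, a hijacked session alone no longer changes the password; the attacker would also need the reset link delivered to the victim's mailbox.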
An attacker who has hijacked a victim's session can abuse this to update the password without knowing the current one; by changing the password he can lock the user out of his own account.
Best regards, @Naategh