diff --git a/tests/hwsim/test_sae.py b/tests/hwsim/test_sae.py
index 75d4c115d..e0c654ce7 100644
--- a/tests/hwsim/test_sae.py
+++ b/tests/hwsim/test_sae.py
@@ -526,3 +526,52 @@ def test_sae_no_ffc_by_default(dev, apdev):
     if ev is None:
         raise Exception("Did not try to authenticate (2)")
     dev[0].request("REMOVE_NETWORK all")
+
+def sae_reflection_attack(apdev, dev, group):
+    if "SAE" not in dev.get_capability("auth_alg"):
+        raise HwsimSkip("SAE not supported")
+    params = hostapd.wpa2_params(ssid="test-sae",
+                                 passphrase="no-knowledge-of-passphrase")
+    params['wpa_key_mgmt'] = 'SAE'
+    hapd = hostapd.add_ap(apdev['ifname'], params)
+    bssid = apdev['bssid']
+
+    dev.scan_for_bss(bssid, freq=2412)
+    hapd.set("ext_mgmt_frame_handling", "1")
+
+    dev.request("SET sae_groups %d" % group)
+    dev.connect("test-sae", psk="reflection-attack", key_mgmt="SAE",
+                scan_freq="2412", wait_connect=False)
+
+    # Commit
+    for i in range(0, 10):
+        req = hapd.mgmt_rx()
+        if req is None:
+            raise Exception("MGMT RX wait timed out")
+        if req['subtype'] == 11:
+            break
+        req = None
+    if not req:
+        raise Exception("Authentication frame not received")
+
+    resp = {}
+    resp['fc'] = req['fc']
+    resp['da'] = req['sa']
+    resp['sa'] = req['da']
+    resp['bssid'] = req['bssid']
+    resp['payload'] = req['payload']
+    hapd.mgmt_tx(resp)
+
+    # Confirm
+    req = hapd.mgmt_rx(timeout=0.5)
+    if req is not None:
+        if req['subtype'] == 11:
+            raise Exception("Unexpected Authentication frame seen")
+
+def test_sae_reflection_attack_ecc(dev, apdev):
+    """SAE reflection attack (ECC)"""
+    sae_reflection_attack(apdev[0], dev[0], 19)
+
+def test_sae_reflection_attack_ffc(dev, apdev):
+    """SAE reflection attack (FFC)"""
+    sae_reflection_attack(apdev[0], dev[0], 5)