Add content from: How I Found a Critical Password Reset Bug in the BB program(...

- Remove searchindex.js (auto-generated file)

src/pentesting-web/registration-vulnerabilities.md

@@ -178,8 +178,38 @@ JSON Web Token might be used to authenticate an user.
 hacking-jwt-json-web-tokens.md
 {{#endref}}
 
+## Registration-as-Reset (Upsert on Existing Email)
+
+Some signup handlers perform an upsert when the provided email already exists. If the endpoint accepts a minimal body with an email and password and does not enforce ownership verification, sending the victim's email will overwrite their password pre-auth.
+
+- Discovery: harvest endpoint names from bundled JS (or mobile app traffic), then fuzz base paths like /parents/application/v4/admin/FUZZ using ffuf/dirsearch.
+- Method hints: a GET returning messages like "Only POST request is allowed." often indicates the correct verb and that a JSON body is expected.
+- Minimal body observed in the wild:
+
+```json
+{"email":"victim@example.com","password":"New@12345"}
+```
+
+Example PoC:
+
+```http
+POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
+Host: www.target.tld
+Content-Type: application/json
+
+{"email":"victim@example.com","password":"New@12345"}
+```
+
+Impact: Full Account Takeover (ATO) without any reset token, OTP, or email verification.
+
+Mitigations:
+- Enforce uniqueness on registration: reject existing identities (409 Conflict) instead of updating.
+- Separate registration and password reset flows. For resets, require signed, single-use, time-limited tokens bound to the account and channel (email/OTP/magic link).
+- Add server-side rate limiting, auditing, and contract tests preventing unauthenticated endpoints from modifying existing users.
+
 ## References
 
+- [How I Found a Critical Password Reset Bug (Registration upsert ATO)](https://s41n1k.medium.com/how-i-found-a-critical-password-reset-bug-in-the-bb-program-and-got-4-000-a22fffe285e1)
 - [https://salmonsec.com/cheatsheet/account_takeover](https://salmonsec.com/cheatsheet/account_takeover)
 
 {{#include ../banners/hacktricks-training.md}}

src/pentesting-web/reset-password.md

@@ -287,10 +287,48 @@ Mitigations:
 - Never expose skipOldPwdCheck paths to unauthenticated users; enforce authentication for regular password changes and verify the old password.
 - Invalidate all active sessions and reset tokens after a password change.
 
+## Registration-as-Password-Reset (Upsert on Existing Email)
+
+Some applications implement the signup handler as an upsert. If the email already exists, the handler silently updates the user record instead of rejecting the request. When the registration endpoint accepts a minimal JSON body with an existing email and a new password, it effectively becomes a pre-auth password reset without any ownership verification.
+
+Key indicators and discovery flow:
+- Enumerate API base paths and actions from client code (e.g., bundled JavaScript in web/mobile apps) and build a custom wordlist.
+- Fuzz actionable subpaths under a discovered base like /parents/application/v4/admin/FUZZ.
+- Server feedback such as "Only POST request is allowed." hints the required HTTP method; try POST with Content-Type: application/json.
+- Minimal required fields observed: email and password.
+
+Example ffuf enumeration:
+
+```bash
+ffuf -u https://www.target.tld/parents/application/v4/admin/FUZZ \
+     -w ./endpoints.txt -mc all -fs 0 -c
+```
+
+Pre-auth ATO PoC (overwriting an existing user's password):
+
+```http
+POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1
+Host: www.target.tld
+Content-Type: application/json
+
+{"email":"victim@example.com","password":"New@12345"}
+```
+
+- Expected response: success flag or 2xx status, and the victim can be authenticated with the attacker-controlled password.
+
+Classification:
+- OWASP A01:2021 Broken Access Control / A07:2021 Identification & Authentication Failures
+- CWE-287 (Improper Authentication), CWE-640 (Weak Password Recovery Mechanism)
+
+Mitigations:
+- Do not upsert user records in signup flows. Enforce email uniqueness and return 409 Conflict when the email already exists.
+- Separate registration and password reset logic. For password resets, require proof of ownership (email link/OTP) using signed, single-use, time-limited tokens.
+- Add server-side auditing, rate limiting, and contract tests to ensure unauthenticated registration endpoints cannot modify existing accounts.
+
 ## References
 
 - [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token)
 - [https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/)
+- [How I Found a Critical Password Reset Bug (Registration upsert ATO)](https://s41n1k.medium.com/how-i-found-a-critical-password-reset-bug-in-the-bb-program-and-got-4-000-a22fffe285e1)
 
 {{#include ../banners/hacktricks-training.md}}
-