Hey Guys,
Recently I have been seeing this attack vector quite often.
While resetting the password, check for any redirect, callback or returnurl parameters in the POST body.
Or try to brute-force the parameter using a tool like Param Miner,
and try changing it to a custom bind payload:
{
"email":"victim@mail.com",
"Fuzz":"burpcollabarator/customclient"
}
and check that you get the payload link in the email.
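For the defending side, here is an added example (not from the original post) of the reset-link construction this tip targets: the weak pattern, where a client-supplied redirect/callback/returnurl value ends up as the host of the emailed link, beside a hardened version that takes the host from server configuration and only lets the client pick an allowlisted relative path. RESET_BASE_URL, the allowlist and the token value are constructed for illustration.

```python
"""Password-reset link construction: weak pattern beside a hardened one.

Added example, not code from the original post. RESET_BASE_URL, the
allowlist and the sample token are constructed values.
"""
from urllib.parse import urlparse, urlunparse, urlencode

RESET_BASE_URL = "https://app.example.com"          # server-side config (constructed)
ALLOWED_RETURN_PATHS = {"/", "/login", "/account"}  # relative paths only (constructed)


def build_reset_link_weak(body: dict, token: str) -> str:
    """Weak: whatever redirect/callback/returnurl the client sends becomes the link host."""
    target = (body.get("returnurl") or body.get("callback")
              or body.get("redirect") or RESET_BASE_URL)
    return f"{target}?{urlencode({'token': token})}"


def safe_return_path(value):
    """Accept only an allowlisted relative path; return None for anything else."""
    if not value:
        return "/"
    parsed = urlparse(value)
    # Absolute URLs and scheme-relative forms ("//host") carry a scheme or netloc.
    if parsed.scheme or parsed.netloc or not parsed.path.startswith("/"):
        return None
    # Backslashes are treated as slashes by some browsers; refuse them outright.
    if "\\" in parsed.path:
        return None
    return parsed.path if parsed.path in ALLOWED_RETURN_PATHS else None


def build_reset_link_hardened(body: dict, token: str):
    """Host comes from server config; client input only selects an allowlisted path."""
    path = safe_return_path(body.get("returnurl"))
    if path is None:
        return None  # refuse (and log) rather than email a link to an unknown host
    base = urlparse(RESET_BASE_URL)
    query = urlencode({"token": token, "next": path})
    return urlunparse((base.scheme, base.netloc, "/reset", "", query, ""))
```

Because the hardened builder never reads a host from the request, an injected Fuzz/returnurl parameter cannot change where the token is delivered, so the only observable effect is a rejected request that can be alerted on.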