Password change form
POST https://qoeuhswwetmn.net/password/change_passwd.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 111
Origin: https://qoeuhswwetmn.net
DNT: 1
Connection: keep-alive
Referer: https://qoeuhswwetmn.net/password/change_passwd.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Host: qoeuhswwetmn.net

username=and.tessen%40qoeuhswwetmn.net&OldPwd=Horset62%26L&NewPwd=gamer4Y2L21&NewPwdConf=gamer4Y2L21
Given the above intercepted request, are there any security issues?
The fact that there are no tokens, might that be a concern?
A user is actually compelled to know the old password and I think this is actually a good point.
Also, since there are no cookies (auth cookies), this means that multiple calls cannot be performed.
Best practices related to sensitive forms, would they imply the use of tokens?
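The points raised in the post (no token, no auth cookie, old password required) can be read off the captured request mechanically. This is an added example, not part of the original post; the function names and the `TOKEN_HINTS` name list are assumptions, and the request is the one from the post with the headers the checks do not read omitted.

```python
from urllib.parse import parse_qsl

# The request from the post; headers the checks do not read are omitted.
RAW_REQUEST = (
    "POST https://qoeuhswwetmn.net/password/change_passwd.php HTTP/1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Origin: https://qoeuhswwetmn.net\r\n"
    "Referer: https://qoeuhswwetmn.net/password/change_passwd.php\r\n"
    "Sec-Fetch-Site: same-origin\r\n"
    "Host: qoeuhswwetmn.net\r\n"
    "\r\n"
    "username=and.tessen%40qoeuhswwetmn.net&OldPwd=Horset62%26L"
    "&NewPwd=gamer4Y2L21&NewPwdConf=gamer4Y2L21"
)

# Assumed naming heuristics, not taken from the post.
TOKEN_HINTS = ("csrf", "xsrf", "token", "nonce")
SESSION_HEADERS = ("cookie", "authorization")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0].upper()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = dict(parse_qsl(body, keep_blank_values=True))
    return method, headers, fields


def review(raw):
    """Report what the request carries for each point raised in the post."""
    method, headers, fields = parse_request(raw)
    names = [n.lower() for n in fields]
    carried = names + list(headers)
    return {
        "state_changing": method in ("POST", "PUT", "PATCH", "DELETE"),
        "session_credential": any(h in headers for h in SESSION_HEADERS),
        "token_like_value": any(t in c for c in carried for t in TOKEN_HINTS),
        "old_password_field": any("old" in n for n in names),
        "origin_header": headers.get("origin"),
    }


if __name__ == "__main__":
    for check, result in review(RAW_REQUEST).items():
        print(f"{check}: {result}")
```

A `False` for `token_like_value` only means that no field or header name matched the hints; it says nothing about how the server ties the request to a user.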