Host Header 00: Reset Link Poisoning
Goal: make the application generate a password reset link pointing to your own host.
Hints
- The app trusts the incoming host when building absolute URLs.
- It never checks that the host is one of its own domains.
- You win as soon as the reset link points somewhere else.
Why this works
If an app builds password reset links from the user-controlled Host header, an attacker can poison the reset email so that the link points at a host they control; when the victim clicks it, the reset token is delivered to the attacker instead of the application.
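As an added illustration (not part of the original challenge), the vulnerable pattern beside a hardened version that only ever emits a configured host. The host names, the allowlist and the token format are assumptions.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed configuration (assumed, not from the challenge): the canonical host
# used for absolute links and the hosts the app legitimately serves. In a real
# deployment these come from config, never from the request.
CANONICAL_HOST = "app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def build_reset_link_vulnerable(host_header: str, token: str) -> str:
    """The pattern this challenge targets: trusts whatever Host the client sent."""
    return f"https://{host_header}/reset?token={token}"


def _normalize_host(host_header: str) -> str:
    """Lowercase and strip an optional port so 'App.Example.com:443' still matches."""
    host = host_header.strip().lower()
    # IPv6 literals such as [::1]:8080 keep their brackets; drop only the port.
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def build_reset_link_safe(host_header: Optional[str], token: str) -> str:
    """Use the request host only if it is allowlisted; otherwise use the canonical host."""
    host = CANONICAL_HOST
    if host_header:
        candidate = _normalize_host(host_header)
        if candidate in ALLOWED_HOSTS:
            host = candidate
    return f"https://{host}/reset?token={token}"


def reset_link_is_ours(link: str) -> bool:
    """Last-line check before the mail is sent: refuse any link not on our hosts."""
    parsed = urlparse(link)
    return parsed.scheme == "https" and (parsed.hostname or "") in ALLOWED_HOSTS
```

The final check is a useful defence-in-depth guard to run wherever the mailer receives a link, since it catches any code path that still derives the host from the request.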