Introduction
- Obtain the victim's email address.
- Tamper with the Host header of the password reset request, setting it to attacker.com.
- The victim receives the password reset email, whose reset link was built from the forged Host header.
- When the victim visits the reset URL, the token is leaked to attacker.com.
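The root cause of the steps above is that the server builds the reset link from the request's Host header. The following is an added example (not code from the original note or from the referenced article) that shows that vulnerable pattern next to a hardened version, which builds the link from a fixed, server-side configured origin and, as defence in depth, checks the Host header against an allow-list. The origin `https://app.example.com`, the header dictionaries and the token value are constructed for the example.

```python
from urllib.parse import quote

# Constructed for this example (assumption): the canonical origin of the site,
# configured server-side rather than derived from any request header.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = ("app.example.com",)


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the reset link's host is copied from the request's
    Host header, so whoever controls that header controls where the token goes."""
    host = headers.get("Host", "app.example.com")
    return f"https://{host}/reset?token={quote(token)}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: the Host header is ignored entirely; the link is built
    from a fixed origin that the operator configured."""
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token)}"


def host_header_is_expected(headers: dict, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Defence in depth: reject requests whose Host header names a host this
    deployment does not serve (what frameworks' ALLOWED_HOSTS settings do).
    Port suffixes are stripped and the comparison is case-insensitive; bracketed
    IPv6 literals are not handled here."""
    host = headers.get("Host", "")
    hostname = host.split(":", 1)[0].lower()
    return hostname in allowed_hosts


if __name__ == "__main__":
    # Constructed request: the Host header has been tampered with as in the note.
    forged_request = {"Host": "attacker.example"}
    token = "CONSTRUCTED-TOKEN-123"

    print(build_reset_link_vulnerable(forged_request, token))  # link points at attacker.example
    print(build_reset_link_hardened(forged_request, token))    # link points at app.example.com
    print(host_header_is_expected(forged_request))             # False: request should be rejected
```

The hardened builder is the fix; the allow-list check is an extra layer, because a forged Host header can also affect caching, generated absolute URLs elsewhere, and logging, even when the reset link itself is no longer derived from it.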
Ref
Don't Trust the Host Header for Sending Password Reset Emails | Lightning Security