A simple header… a full takeover.
Hey folks!
Today I want to share one of my favorite findings — a simple but deadly Host Header Injection that led to full account takeover via password reset link manipulation. It’s wild how a single overlooked header can lead to such critical impact.
Let me walk you through how I found this bug, chained it for max effect, and walked away with a $1000 reward.
Like any good recon session, I was exploring forgotten corners of target.com when I decided to test their password reset functionality. Why? Because “Forgot Password” flows are often goldmines — especially when developers get lazy with URL generation.
I typed in my email, hit the “Reset” button, and intercepted the request with Burp Suite.
Here’s the request:
POST /signup/send-password-reset-email HTTP/1.1
Host: target.com
Content-Type: application/json
Content-Length: ...
So far, nothing unusual — but I had a hunch.
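To make the underlying weakness concrete, here is an added example (not code from the original post or from the target) of a reset-link builder that takes its origin from the request's Host header, beside a hardened version that pins the canonical origin and refuses requests for hosts outside an allow-list. The function names and the allow-list are constructed for this illustration.

```python
from urllib.parse import urlunsplit

# Constructed for this example: the canonical origin the reset mail must use
# and the hosts the application is legitimately served from.
CANONICAL_HOST = "target.com"
ALLOWED_HOSTS = {"target.com", "www.target.com"}
RESET_PATH = "/reset-password"


def build_reset_link_vulnerable(request_headers: dict, token: str) -> str:
    """Pattern behind the finding: the link's origin is copied from the Host
    header the client sent. Whatever host arrives in the request ends up in
    the e-mail delivered to the account owner."""
    host = request_headers.get("Host", CANONICAL_HOST)
    return urlunsplit(("https", host, RESET_PATH, f"token={token}", ""))


def build_reset_link_hardened(request_headers: dict, token: str) -> str:
    """Hardened form: the emailed origin is a server-side constant and the
    incoming Host header is only validated, never reflected. Requests for an
    unrecognised host are rejected before a mail is generated."""
    host = request_headers.get("Host", "")
    hostname = host.split(":")[0].lower()  # drop an optional :port
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"rejected request for unexpected Host: {host!r}")
    return urlunsplit(("https", CANONICAL_HOST, RESET_PATH, f"token={token}", ""))


def compare(token: str = "t0k3n-constructed") -> dict:
    """Shows both builders on a normal request and on a tampered Host header."""
    normal = {"Host": "target.com", "Content-Type": "application/json"}
    tampered = {"Host": "untrusted.example", "Content-Type": "application/json"}
    result = {
        "vulnerable_normal": build_reset_link_vulnerable(normal, token),
        "vulnerable_tampered": build_reset_link_vulnerable(tampered, token),
        "hardened_normal": build_reset_link_hardened(normal, token),
    }
    try:
        build_reset_link_hardened(tampered, token)
        result["hardened_tampered"] = "accepted"
    except ValueError as exc:
        result["hardened_tampered"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:20s} {value}")
```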