How I found my first account takeover, reported it and got the bounty in the same day and the same hour.
The author triggered an account takeover by modifying the Host header in the reset-password functionality, reported it shortly afterwards and received a bounty. 2025-9-10 06:4:16 Author: infosecwriteups.com

How I found, reported and got the bounty for my first easy account takeover on the reset-password functionality

Assalam o alaikum wa rahmatullah

Apologies in advance for any mistakes

Nice to see you here. I am writing my third article, which is also very interesting because I found a bug three days ago at approximately 11:30 to 11:40, reported it at 11:50, and the bounty was rewarded at 12:37, as you can see:


Let's start the story. It was my first account takeover; I am very excited and must share it with the whole community.

So let's assume the target is target.com and its signup page is on app.target.com. I had reported an info disclosure on the same program a couple of weeks ago as well, but that was not applicable, so after 5 to 7 days I decided to test it again. I opened the target and was testing for account takeover via the Host header on the forgot-password option; the forgot-password email looked like “any.app.target.com/reset-password/token?email=myemail.com”.

I tried to change the Host header from any.app.target.com to any.app.target.com.evil.pk and sent the password reset request, then went to Gmail; there was no message. Then I also changed the Origin header to any.app.target.com.evil.pk; there was also no response in the email. Then I changed the Origin header back to its original form, went to the Referer header, changed it to any.app.target.com.evil.pk and…
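As an added illustration (not code from the write-up or its target), here is the pattern behind this class of bug in Python: a reset-link builder that copies the request's Host header into the email, beside one that uses a configured canonical origin and an exact host allow-list. CANONICAL_BASE, ALLOWED_HOSTS and the sample headers are assumptions constructed for the example.

```python
from urllib.parse import quote

# Assumed configuration (constructed for this example): the origin the application
# is allowed to put in reset emails, and the hostnames it will serve requests for.
CANONICAL_BASE = "https://any.app.target.com"
ALLOWED_HOSTS = {"any.app.target.com", "app.target.com"}


def vulnerable_reset_link(headers: dict, token: str, email: str) -> str:
    """Builds the link straight from the request's Host header.
    A forged Host such as any.app.target.com.evil.pk ends up in the email, so the
    victim's reset token is delivered to a host the requester chose, not the site."""
    host = headers.get("Host", "")
    return f"https://{host}/reset-password/{token}?email={quote(email)}"


def is_trusted_host(raw_host: str) -> bool:
    """Exact allow-list match on the hostname (port stripped, case-folded).
    Appended or prepended labels like any.app.target.com.evil.pk fail because the
    resulting name is simply not equal to an allowed one."""
    host = raw_host.strip().lower().rsplit(":", 1)[0]
    return host in ALLOWED_HOSTS


def hardened_reset_link(headers: dict, token: str, email: str) -> str:
    """Rejects requests for untrusted hosts and never derives the link from Host,
    Origin or Referer (all client-controlled); the configured origin is used."""
    if not is_trusted_host(headers.get("Host", "")):
        raise ValueError("reset request rejected: untrusted Host header")
    return f"{CANONICAL_BASE}/reset-password/{token}?email={quote(email)}"


if __name__ == "__main__":
    # Constructed request headers mirroring the attempt described in the write-up.
    forged = {"Host": "any.app.target.com.evil.pk", "Origin": "https://any.app.target.com"}
    print("vulnerable:", vulnerable_reset_link(forged, "TOKEN", "victim@example.com"))
    try:
        hardened_reset_link(forged, "TOKEN", "victim@example.com")
    except ValueError as exc:
        print("hardened:", exc)
```

The rejected request is also the detection signal: log the offending Host value on every such rejection, since legitimate clients never send a hostname outside the allow-list.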


Source: https://infosecwriteups.com/bismillah-hir-rahman-nir-raheem-9adef82e9718?source=rss----7b722bfd1b8d---4