Forgot Password

Username Parameter in Reset Token

  • Request reset for your account → get link with token + username=yourname.

  • Replace username with victim's username.

  • Use your token to reset victim's password → account takeover (ATO).

Password Reset Poisoning (Host Header)

  • Request reset for victim's email.

  • Intercept & change Host: target.com → Host: attacker.com (or add X-Forwarded-Host: attacker.com).

  • Victim receives link pointing to your domain → capture token → ATO.

HTTP Parameter Pollution (Multiple Emails)

  • Send reset request with duplicate params: email=victim@target.com&email=attacker@target.com

  • Reset link for victim may be delivered to your inbox → ATO.
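Added defensive example (not from this page): a minimal reset flow that closes all three findings above by binding the token to the account server-side, building the link from a configured host instead of the request's Host / X-Forwarded-Host, and rejecting duplicate email parameters. The in-memory stores, the users and the host name target.example are constructed for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs

# Constructed example data; in a real service these come from config and the DB.
CANONICAL_HOST = "target.example"          # configured, never read from the request
TOKEN_TTL = 900                            # seconds a reset token stays valid
USERS = {"alice": "alice@target.example", "bob": "bob@target.example"}
PASSWORDS = {"alice": "old-a", "bob": "old-b"}
RESET_TOKENS = {}                          # sha256(token) -> (username, expires_at)


def email_from_query(query_string):
    """Return the single email= value, or None if it is missing or duplicated.
    Rejecting duplicates closes the HPP case instead of guessing first/last."""
    values = parse_qs(query_string, keep_blank_values=True).get("email", [])
    return values[0] if len(values) == 1 else None


def issue_reset(email, host_header=None, forwarded_host=None):
    """Create a reset link for the account owning `email`.
    The token is bound server-side to the username, and the link is built
    from CANONICAL_HOST; host_header / forwarded_host are accepted only to
    show that they are never used for the URL."""
    user = next((u for u, e in USERS.items() if e == email), None)
    if user is None:
        return None                        # caller still shows the generic "check your inbox"
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (user, time.time() + TOKEN_TTL)
    return f"https://{CANONICAL_HOST}/reset?token={token}"


def consume_reset(token, new_password, username_param=None):
    """Reset the password of whoever the token was issued for.
    `username_param` mirrors a client-supplied username and is deliberately
    ignored: the stored binding, not the request, decides the account."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # single use, whether valid or not
    if entry is None:
        return None
    user, expires_at = entry
    if time.time() > expires_at:
        return None
    PASSWORDS[user] = new_password
    return user
```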
