`Host` header. This helps in constructing a password reset link by keeping the origin (`example.com`). By manually changing the `Host` header and using a malicious origin (`malicious.com`), the user is redirected to `malicious.com` when clicking the link.
If the `Host` header is reflected in the origin in the link (`https://www.malicious.com/reset-link.php?token=$TOKEN_VALUE`), then it's vulnerable
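The following is an added example, not code from the original page: it places the `Host`-derived link construction described above next to a hardened version that validates the header and builds the origin from configuration. The canonical origin, the allow-list, the function names and the sample token are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Assumptions for this example: the canonical origin and the host allow-list
# come from server-side configuration, never from the incoming request.
CANONICAL_ORIGIN = "https://www.example.com"
ALLOWED_HOSTS = {"example.com", "www.example.com"}
RESET_PATH = "/reset-link.php"


def build_reset_link_vulnerable(headers, token):
    """Pattern described above: the link origin is copied from the Host header."""
    host = headers.get("Host", "")
    return f"https://{host}{RESET_PATH}?{urlencode({'token': token})}"


def host_is_allowed(host_header):
    """Exact, case-insensitive match against the allow-list (optional :443)."""
    host = host_header.strip().lower()
    if host.endswith(":443"):
        host = host[: -len(":443")]
    return host in ALLOWED_HOSTS


def build_reset_link_hardened(headers, token):
    """Reject unexpected hosts and build the origin from configuration only."""
    if not host_is_allowed(headers.get("Host", "")):
        raise ValueError("unexpected Host header, reset e-mail not sent")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?{urlencode({'token': token})}"


def link_host(link):
    """Host part of a generated link, used to check where it points."""
    return urlsplit(link).hostname or ""


if __name__ == "__main__":
    token = "abc123"  # constructed sample value
    for host in ("www.example.com", "www.malicious.com"):
        request_headers = {"Host": host}
        print(host, "->", link_host(build_reset_link_vulnerable(request_headers, token)))
        try:
            print("  hardened:", build_reset_link_hardened(request_headers, token))
        except ValueError as exc:
            print("  hardened:", exc)
```

The same `link_host` check can be used in a regression test: send a reset request with an unexpected `Host` value in a test environment and assert that the generated link still points at the configured origin.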
`Referer` header contains information about the previous web page from which a request has been made. It
`example1.com` has a link pointing to `example2.com`, when clicking on that link, the `Referer` header will be set to
`Referer` header will print out the whole URL, containing query parameters and so on, not just the origin.
`Referer` header (if set) contains the token.
`email=$EMAIL`. By modifying this parameter, multiple tests can be done to take over the account requesting a reset password.