Back to directory

WRITEUP #6143

Don't Trust the Host Header for Sending Password Reset Emails

Auth BypassPassword resetAccount takeover

by@jackhcable(Jack Cable)

Bounty

1,500

Program

Mavenlink

Published

Dec 13, 2017

Added to HackDex

Sep 15, 2022

Read Full Writeuphttps://lightningsecurity.io/blog/host-header-injection/

▸ RELATED WRITEUPS

Interesting Story of an Account Takeover Vulnerability

Auth BypassAccount takeover

Instagram and Meta 2FA Bypass by Unprotected Backup Code Retrieval in Accounts Center

Auth Bypass2FA / MFA bypass

Forced SSO Session Fixation

Account takeover on 8 years old public program

Auth BypassAccount takeover

Breaking the Barrier: Admin Panel Takeover Worth $3500

Auth BypassAuthentication bypass

Built with ❤️ by Shubham Rawat