Hi. Imagine we have this website:

Notice that there is a My account page, so let’s navigate to it.

As we can see, there is a forgot-password function.

Let’s try it.

As we can see, we have the user carlos, who is our target.

So why not try to redirect this request to a server that the attacker controls?

Look at the header before the change:

Now look at it after we change it:

Now let’s forward this request.

Notice that the victim’s password reset token was sent to us.

So let’s try to reset the user’s password.

Now let’s send the request.

Now let’s log in as the user carlos.
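
The server-side pattern behind this behaviour and the way to close it, as an added example that is not code from the original post or from the site shown: it assumes the header changed above is `Host`, and the origin `shop.example`, the `/forgot-password` path and all function names are hypothetical.

```python
from urllib.parse import urlsplit

# Assumptions (constructed for this example): the site's real origin, the
# reset path, and that the header changed in the walkthrough is Host.
CANONICAL_ORIGIN = "https://shop.example"
ALLOWED_HOSTS = {"shop.example"}
RESET_PATH = "/forgot-password"


def reset_link_vulnerable(headers, token):
    """Weak pattern: the emailed link is built from a client-supplied header."""
    return f"https://{headers.get('Host', '')}{RESET_PATH}?token={token}"


def reset_link_hardened(token):
    """Fixed pattern: the link only ever points at the configured origin."""
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?token={token}"


def host_is_allowed(headers):
    """True only if the Host header names one of our own hostnames."""
    raw = headers.get("Host", "")
    try:
        # urlsplit drops any port and userinfo and lower-cases the name
        hostname = urlsplit("//" + raw).hostname
    except ValueError:
        return False
    return bool(hostname) and hostname.rstrip(".") in ALLOWED_HOSTS


def handle_reset(headers, token):
    """Reject unexpected hosts before any email is generated."""
    if not host_is_allowed(headers):
        return 400, None
    return 200, reset_link_hardened(token)


if __name__ == "__main__":
    for host in ("shop.example", "attacker.example"):  # constructed inputs
        h = {"Host": host}
        print(host, "->", reset_link_vulnerable(h, "TOKEN"), handle_reset(h, "TOKEN"))
```

Logging every request rejected by `host_is_allowed` on the reset endpoint also gives a detection signal for this kind of attempt.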