The $25,000 Password Reset That Went to the Wrong Server
In 2016, a researcher discovered a critical password reset vulnerability in a major SaaS platform. By adding a single header to the password reset request, the attacker could make the reset link in the victim's email point to the attacker's server instead of the legitimate app. The victim clicks the link, the attacker's server receives the token, and the account is taken over without the attacker ever accessing the victim's email inbox.
The bug: the app used the HTTP Host header to construct the reset URL. The attacker set Host: evil.com, so the email delivered to the victim's inbox contained an attacker-controlled link, and the token was sent to the attacker's server as soon as the victim followed it.
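The following is an added example, not code from the platform or the original write-up. It contrasts a reset-link builder that trusts the request's Host header with one that uses a server-side configured origin and rejects unexpected hosts; the hostnames, token and header values are constructed placeholders.

```python
# Added example: vulnerable vs. hardened construction of a password reset link.
# "app.example.com", "evil.example" and the token below are constructed placeholders.
import secrets
from urllib.parse import quote

# Defender-side configuration: the only origin a reset link may ever use.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com"}


def vulnerable_reset_link(headers: dict, token: str) -> str:
    """Mirrors the bug: the link's origin is copied from the client-controlled Host header."""
    host = headers.get("Host", "")
    return f"https://{host}/reset?token={quote(token)}"


def is_trusted_host(headers: dict) -> bool:
    """True only when the Host header (port stripped, case-folded) is on the allow list.
    Reverse proxies may also forward X-Forwarded-Host; it is treated the same way."""
    raw = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    host = raw.split(":")[0].strip().lower()
    return host in ALLOWED_HOSTS


def safe_reset_link(headers: dict, token: str) -> str:
    """Hardened form: never derive the origin from request headers.
    The host check only gates the request; the link always uses CANONICAL_ORIGIN."""
    if not is_trusted_host(headers):
        raise ValueError("request Host header is not an allowed host")
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token)}"


def new_reset_token() -> str:
    """Unpredictable token (256 bits from the OS CSPRNG), covering the 'Predictable Token' row."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    token = new_reset_token()
    legit = {"Host": "app.example.com"}
    poisoned = {"Host": "evil.example"}  # constructed attacker-chosen value
    print("vulnerable:", vulnerable_reset_link(poisoned, token))  # wrong origin in the email
    print("hardened:  ", safe_reset_link(legit, token))
    print("trusted?   ", is_trusted_host(poisoned))  # False: request is rejected
```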
PASSWORD RESET BUGS — BUG BOUNTY

Bug                     Bounty    Description
Host Header Injection   $25,000   Reset link domain poisoned via Host header; link in email points to attacker server
Predictable Token       $15,000   Sequential or timestamp-based tokens; brute forced with ffuf in seconds
Token Not Expiring      $5,000    Reset tokens valid for days; usable long after the intended window
Token Reuse             $8,000    Same token works multiple times after first use
No Rate Limiting        $3,000    Enumerate valid usernames and brute force tokens without lockout
Question 1. In a Host header injection attack on password reset, what does the attacker need to do?