GitBook: [master] 2 pages and one asset modified

2020-08-24 09:12:55 +00:00 · 2020-08-24 09:12:55 +00:00 · 015ef42972
parent 4a54650526
commit 015ef42972
3 changed files with 12 additions and 0 deletions
--- a/.gitbook/assets/1_6qc-agcjyzwmf8rgnvr_eg.png
+++ b/.gitbook/assets/1_6qc-agcjyzwmf8rgnvr_eg.png
--- a/SUMMARY.md
+++ b/SUMMARY.md
@ -406,4 +406,5 @@
 * [1911 - Pentesting fox](1911-pentesting-fox.md)
 * [Online Platforms with API](online-platforms-with-api.md)
 * [Phising Documents](phising-documents.md)
+* [Reset Password](reset-password.md)

--- a/reset-password.md
+++ b/reset-password.md
@ -0,0 +1,11 @@
+# Reset Password
+
+Sometimes in order to reset a password you contact an api endpoint and **send the email you want to reset the password**, like in the following example:
+
+![](.gitbook/assets/1_6qc-agcjyzwmf8rgnvr_eg.png)
+
+The back-end may take the information present in the **Host header** and use it for the link where the token to reset the password is going to be sent.  
+For example, in this case if could send the reset password email to _something@gmail.com_ and set the token link to _https://bing.com/resetpasswd?token=12348rhfblrihvkurewfwu23_
+
+Example from [https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491](https://medium.com/@abhishake100/password-reset-poisoning-to-ato-and-otp-bypass-1a3b0eba5491)
+