HTTP Host Header Attacks Lab Breakdown: Basic password reset poisoning
▹ Watch me Live on Twitch every Monday and Thursday! - https://twitch.tv/garr_7

Portswigger Web Security Academy HTTP Host Header Attacks Lab: Basic password reset poisoning - https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning/lab-host-header-basic-password-reset-poisoning

Additional References for Further Exploration:
PortSwigger's Host Header Attacks Resource - https://portswigger.net/web-security/host-header

------------------------------------------------------------------------------

In this series, we take a look at Web Security Academy's Host Header Attacks labs and break them down. The goal is to break down the concepts to not only get to the solution, but also to talk about methodology and the mental steps we take in order to discover these vulnerabilities in the wild.

Timestamps:
0:00 Intro
0:14 Quick Host Header Breakdown
0:45 What is the Host Header Used For?
1:36 What is Host Header Injection?
2:35 Lab Start: Walking Through Password Reset Workflow
3:56 What Does Changing the Host Header Do?
4:37 Poisoning the Password Reset Link and Targeting Carlos With Our Payload
5:54 Recap
6:41 Outro

------------------------------------------------------------------------------

Graphics Used in Video:
Virtual Host Routing: https://www.ssl.com/article/sni-virtual-hosting-for-https/
Load Balancers: https://www.nginx.com/resources/glossary/load-balancing/

------------------------------------------------------------------------------

Music:
“Friends” Produced by Hyper Potions https://youtu.be/OEboG4LnUBI
“Morning Tea” Produced by Jeff Kaale https://youtu.be/euQG29OK3-M
“High Noon” Produced by Bankrupt Beats https://youtu.be/d8v2tuTtSc0
“Ikebaby” Produced by Robotprins https://youtu.be/APAekwchpkE