From ebf2385013212ba1139b219b78b54c5a97a81a61 Mon Sep 17 00:00:00 2001
From: CPol <carlospolop@gmail.com>
Date: Mon, 22 Mar 2021 09:20:53 +0000
Subject: [PATCH] GitBook: [master] one page modified

---
 reset-password.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/reset-password.md b/reset-password.md
index a0c8c10ed..a5b336d28 100644
--- a/reset-password.md
+++ b/reset-password.md
@@ -13,3 +13,5 @@ Example from [https://medium.com/@abhishake100/password-reset-poisoning-to-ato-a
 
 In other occasions you can manage to obtain the **same** **results** modifying the domain used in the **Referer header like in** [**here**](https://medium.com/bugbountywriteup/fun-with-header-and-forget-password-without-that-nasty-twist-cbf45e5cc8db)**.**
 
+Or even adding the header **X-Forwarded-Host** you can be able to steal the reset password token from other accounts \(like [here](https://infosecwriteups.com/password-reset-token-leak-via-x-forwarded-host-4ed3e33dca31)\).
+