Attacking Password Resets with Host Header Injection

00:00 - Introduction talking a little bit about
00:55 - Using Extension to show a legitimate password reset
01:50 - Modifying the host header and showing the website uses that in the sent email
02:40 - Talking about mail filters auto-clicking links, which means user interaction isn't always required
03:30 - Sending a password reset to one of my personal emails, to show a mail filter auto clicks the link
04:40 - Got our click! Checking the IP Address to …

address auto bot clicking clicks email emails extension filter header host injection introduction ip address isn link links mail password password reset personal reset talking vulnerability website