Infrastructure Lab
Host Header Injection
Level 1: Password Reset Poisoning
Host Header Injection occurs when an application trusts the Host header to generate absolute URLs for emails or redirects.
Objective
Poison the password reset link by injecting a malicious Host header.
Educational Purpose Only — Practice only on systems you own or have explicit written permission to test.
Target System: Password Reset Service (POST /api/password-reset)
POST /api/password-reset HTTP/1.1
Host:
Content-Type: application/json
Content-Length: 32

{ "email": "victim@example.com" }
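
The pattern described above, shown beside a hardened version. This is an added example, not the lab's own code: the origin, the allowlist, the /reset path and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the public origin is fixed in deployment configuration and is
# never derived from anything the client sends.
CANONICAL_ORIGIN = "https://app.example.com"  # hypothetical value
ALLOWED_HOSTS = {"app.example.com"}           # hypothetical allowlist


def reset_link_vulnerable(headers, token):
    """'Before': the host in the e-mailed link is whatever arrived in Host."""
    return f"https://{headers.get('Host', '')}/reset?token={token}"


def host_is_allowed(host_header):
    """Exact-match the Host header (port ignored) against the allowlist."""
    # Reject missing values and characters that have no place in host[:port];
    # '@' matters because "user@host" would otherwise parse to the host part.
    if not host_header or any(c in host_header for c in "/\\@?# \t\r\n"):
        return False
    try:
        parts = urlsplit("//" + host_header)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    # hostname is lower-cased by urlsplit; suffix tricks such as
    # "app.example.com.<other domain>" fail the exact match.
    return (parts.hostname or "") in ALLOWED_HOSTS


def reset_link_hardened(headers, token):
    """'After': refuse unknown hosts and build the link from configuration."""
    if not host_is_allowed(headers.get("Host")):
        raise ValueError("untrusted Host header")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


if __name__ == "__main__":
    # Constructed sample requests; header dicts use the canonical key "Host".
    for host in ("app.example.com", "attacker.example"):
        req = {"Host": host}
        print("vulnerable:", reset_link_vulnerable(req, "TOKEN"))
        try:
            print("hardened:  ", reset_link_hardened(req, "TOKEN"))
        except ValueError as exc:
            print("hardened:   rejected,", exc)
```

The allowlist check is defence in depth; the property that stops the poisoning is that the e-mailed link is built from CANONICAL_ORIGIN and not from the request.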