diff --git a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html index 02657b509c..90495aee89 100644 --- a/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html +++ b/webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html @@ -109,8 +109,8 @@

Forgot your password?

- Sign up - Login + Sign up + Login

WebGoat Password Recovery

diff --git a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc index 5e1582c148..40a94f6b62 100644 --- a/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc +++ b/webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc @@ -13,7 +13,8 @@ The time out is necessary to restrict the attack window, having a link opens up == Assignment Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with -that password. Note: it is not possible to use OWASP ZAP for this lesson. +that password. Note: it is not possible to use OWASP ZAP for this lesson, also browsers might not work, command line +tools like `curl` and the like will be more successful for this attack. Tom always resets his password immediately after receiving the email with the link.
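Review bot: in the PasswordReset.html hunk the removed and added lines read identically as rendered here ("- Sign up - Login" versus "+ Sign up + Login"), so whatever actually changed lives in markup that this view strips; please state the intended link change (target, attribute) in the PR description so the hunk can be reviewed against it.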
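Review bot: the sentence added in PasswordReset_host_header.adoc is a comma-spliced run-on ("...for this lesson, also browsers might not work, command line tools like `curl` and the like will be more successful for this attack."); split it into separate sentences and drop the redundant "and the like", for example: "Note: it is not possible to use OWASP ZAP for this lesson, and browsers might not work either. Command-line tools such as `curl` will be more successful here." Also hyphenate "command-line" as an adjective, and keep the following context line ("Tom always resets his password immediately after receiving the email with the link.") as its own sentence so the timing constraint stays prominent.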