1. Go to the password reset function.
2. Enter the email and intercept the request.
3. Change the Host header to some other host, i.e.,
Also try adding some headers without changing the Host, like:
X-Forwarded-Host: evil.com
Referer: https://evil.com
4. Forward the request. If you find attacker.com in the next request, it means you managed to successfully steal the token. :)
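
Seen from the defending side, the steps above only succeed when the application builds the reset link from request headers. The following is an added example, not code from the original page: it puts that flawed pattern next to a version that allowlists the host and builds the link from server-side configuration. The hostnames, setting names and function names are assumptions.

```python
import secrets
from urllib.parse import urlsplit

# Assumed deployment settings (hypothetical names and values).
CANONICAL_BASE_URL = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com"}


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """The flawed pattern: the link's host comes from client-controlled headers."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def host_is_allowed(headers: dict) -> bool:
    """Reject requests whose Host or X-Forwarded-Host is not one we serve."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is None:
            continue
        # Drop an optional port, lower-case, then compare against the allowlist.
        hostname = urlsplit("//" + value.strip()).hostname
        if hostname not in ALLOWED_HOSTS:
            return False
    return "Host" in headers


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Refuse unknown hosts and build the link only from server-side config."""
    if not host_is_allowed(headers):
        raise ValueError("unrecognised Host / X-Forwarded-Host header")
    return f"{CANONICAL_BASE_URL}/reset?token={token}"


# Constructed sample requests (header names assumed already normalised).
NORMAL = {"Host": "app.example.com"}
SWAPPED_HOST = {"Host": "evil.com"}
EXTRA_HEADER = {"Host": "app.example.com", "X-Forwarded-Host": "evil.com"}

if __name__ == "__main__":
    token = secrets.token_urlsafe(16)
    for req in (NORMAL, SWAPPED_HOST, EXTRA_HEADER):
        print("vulnerable:", build_reset_link_vulnerable(req, token))
        try:
            print("hardened:  ", build_reset_link_hardened(req, token))
        except ValueError as exc:
            print("hardened:   rejected,", exc)
```

Rejected requests are also worth logging, since an unexpected Host or X-Forwarded-Host value on the reset endpoint is a useful detection signal.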