1. Go to the password reset function.
2. Enter the email and intercept the request.
3. Change the Host header to some other host, i.e.,
also try adding some headers without changing the Host, like
4. Forward the request. If you find attacker.com in the next request, it means you managed to successfully steal the token. :)
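
The test above succeeds only when the application builds the reset link from request headers. The Python sketch below is an added example, not code from the original page: it puts that pattern beside a version that takes the link host from server configuration and rejects unexpected Host values. The origin, allowed host names, function names and sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit

# Assumed deployment settings (hypothetical values for this example).
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern the steps above probe: link host copied from the request."""
    host = headers.get("Host", "")
    return f"https://{host}/reset?" + urlencode({"token": token})


def reset_link_hardened(token: str) -> str:
    """Link host comes from server configuration; request headers are never read."""
    return f"{CANONICAL_ORIGIN}/reset?" + urlencode({"token": token})


def host_is_allowed(headers: dict) -> bool:
    """Accept only expected Host names (case-insensitive, port ignored)."""
    raw = headers.get("Host", "").strip().lower()
    # Characters that have no place in a Host header value.
    if not raw or any(c in raw for c in "/@\\?# \t"):
        return False
    try:
        hostname = urlsplit("//" + raw).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return hostname in ALLOWED_HOSTS


def handle_reset_request(headers: dict, token: str):
    """Return (status, link); 400 and no mail when the Host is unexpected."""
    if not host_is_allowed(headers):
        return 400, None
    return 200, reset_link_hardened(token)


if __name__ == "__main__":
    # Constructed sample requests.
    normal = {"Host": "app.example.com"}
    tampered = {"Host": "attacker.com"}
    print(reset_link_vulnerable(tampered, "tok123"))
    print(handle_reset_request(normal, "tok123"))
    print(handle_reset_request(tampered, "tok123"))
```

Because `reset_link_hardened` takes no request data, extra headers added to the request cannot change the mailed link either.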