
Cross-Domain Referrer Leakage (Bug Bounty)

Anonymous Traiger
2 min read · Dec 29, 2024


I was checking a reporter's report and saw the bug. I thought it was an Informative, but then I tried following the steps.

What is Cross Domain Referrer Leakage?

I am here to discuss how to reproduce it, not to discuss what this vulnerability is, so to understand that you can read this:

https://portswigger.net/kb/issues/00500400_cross-domain-referer-leakage

Steps to Reproduce:

  1. Go to the Password Reset area and send the forgot-password link to your email address.
  2. Copy the password reset link and paste it into the browser that is configured to use Burp Suite.
  3. Now turn on intercept and capture the requests.
  4. First check each request for the Referer header, then check whether the password reset link appears in that header. If you find the link in the Referer header, check the host the request is being sent to.
  5. If the header contains the complete password reset link, including the token, and the host is a third-party website, the application is vulnerable.
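
The check in steps 4 and 5 can also be run over saved requests instead of reading each one by hand. The sketch below is an added example, not code from the original post or from Burp Suite; the host names, the `token` query parameter and the captured requests are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (not from the original post): requests the browser
# made after the reset link was opened, as they might be copied out of a proxy.
APP_HOST = "app.example.test"          # hypothetical first-party host
CAPTURED = [
    "GET /reset?token=3f9c2ab1d4e7 HTTP/1.1\r\nHost: app.example.test\r\n\r\n",
    "GET /static/app.css HTTP/1.1\r\nHost: app.example.test\r\n"
    "Referer: https://app.example.test/reset?token=3f9c2ab1d4e7\r\n\r\n",
    "GET /pixel.gif HTTP/1.1\r\nHost: analytics.example.net\r\n"
    "Referer: https://app.example.test/reset?token=3f9c2ab1d4e7\r\n\r\n",
    "GET /font.woff2 HTTP/1.1\r\nHost: cdn.example.org\r\n"
    "Referer: https://app.example.test/\r\n\r\n",
]

def parse_headers(raw):
    """Return the header fields of a raw HTTP request as a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_first_party(host, app_host):
    host = host.split(":")[0].lower()        # drop an explicit port
    return host == app_host or host.endswith("." + app_host)

def find_leaks(requests, app_host, token_param="token"):
    """Steps 4-5: list (third-party host, token) pairs leaked through Referer."""
    leaks = []
    for raw in requests:
        headers = parse_headers(raw)
        referer = headers.get("referer")
        host = headers.get("host", "")
        if not referer or is_first_party(host, app_host):
            continue
        ref = urlsplit(referer)
        tokens = parse_qs(ref.query).get(token_param, [])
        # Only a Referer that is the app's own reset URL *with* its token counts.
        if tokens and is_first_party(ref.hostname or "", app_host):
            leaks.append((host, tokens[0]))
    return leaks

if __name__ == "__main__":
    for host, token in find_leaks(CAPTURED, APP_HOST):
        print(f"reset token {token} sent to third-party host {host}")
```

On the reset page itself, a `Referrer-Policy: no-referrer` (or `same-origin`) response header stops the browser from sending the reset URL in cross-origin requests.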

I checked the report and it looked somewhat legit, so I finally rewarded him with 300 USD 🙂. Not all triagers are bad :)
