Small update for password reset lesson

webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc

@@ -13,7 +13,8 @@ The time out is necessary to restrict the attack window, having a link opens up
 == Assignment
 
 Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
-that password. Note: it is not possible to use OWASP ZAP for this lesson.
+that password. Note: it is not possible to use OWASP ZAP for this lesson, also browsers might not work, command line
+tools like `curl` and the like will be more successful for this attack.
 
 Tom always resets his password immediately after receiving the email with the link.