Added more hints to password reset 5 lesson. Recommended Burp as a proxy

webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_host_header.adoc

@@ -12,7 +12,7 @@ The time out is necessary to restrict the attack window, having a link opens up
 
 == Assignment
 
-Tom always resets his password immediately after receiving the email with the link.
 Try to reset the password of Tom (tom@webgoat-cloud.org) to your own choice and login as Tom with
 that password. Note: it is not possible to use OWASP ZAP for this lesson.
 
+Tom always resets his password immediately after receiving the email with the link.