DNS rebinding is a method of bypassing the Same-Origin Policy (SOP) by manipulating DNS resolution.
How is a general cross-origin attack blocked by the browser?
Here, the browser sees that the page served from the attacker's origin is requesting a resource from another origin (i.e. from localhost)³. Since this is a 'non-simple' cross-origin request, the browser blocks it by default.
In order to reach the local server, we need to bypass the SOP.
Here comes DNS rebinding to our rescue...
Attack scenario
At the initial DNS resolution, attacker.com resolves to 6.6.6.6². The browser therefore sends a request to 6.6.6.6 and receives the attacker's response. That response may in turn contain a fetch request, again to attacker.com. Since a page from the attacker's origin is requesting a resource from the attacker's origin, this is a same-origin request⁵.
While configuring the DNS server, the attacker sets the TTL (Time-To-Live) to a small value (e.g. 2 seconds)².
So, when the browser executes the fetch request to attacker.com, it asks the DNS server to resolve attacker.com again⁵, and this time the name resolves to 127.0.0.1⁶ (the attacker has configured two A records for the name in the DNS server).
The browser then executes the next request in the attacker's page, a DELETE request to 127.0.0.1⁸. The request reaches the local host, but from the browser's point of view it is still same-origin, so it is executed without being blocked.
The resource gets deleted⁹ 🔥
How can I spin up a DNS server quickly?
You can use the web application at http://lock.cmpxchg8b.com/rebinder.html (source code is also available).
Any other attack scenarios?
1. Confusing server-side infrastructure
2. Evading a firewall and reaching devices on an intranet from the Internet
Constraints on the attacker / mitigations for the developer
1. If authentication is required
2. If an SSL certificate is present
3. If the server verifies the Host header
4. If a custom protocol handler (e.g. chrome://) is defined and used to access local applications
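The Host-header check in point 3, as an added defender-side example that is not part of the original post: a minimal Python server bound to 127.0.0.1 that refuses any request whose Host header is not one of the names the service is actually served under. A rebound request arrives at 127.0.0.1 carrying Host: attacker.com, so it is rejected before the DELETE handler runs (ALLOWED_HOSTS, parse_host_header and is_allowed_host are names assumed here).

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Names under which this local service is legitimately addressed (constructed list,
# not from the original post). A rebound attacker.com is never in it.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_host_header(value):
    """Split a Host header into (hostname, port); handles IPv6 literals like [::1]:8080.
    Returns (None, None) for anything malformed so the caller fails closed."""
    value = value.strip().lower()
    if value.startswith("["):                      # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None, None
        port = rest[1:] if rest else None
    else:
        host, _, port = value.partition(":")
        port = port if port != "" else None        # "host" with no port
    if port is not None and not port.isdigit():
        return None, None
    return host or None, port


def is_allowed_host(header_value, allowed=ALLOWED_HOSTS):
    """True only when the Host header names this service itself.
    During a rebinding attack the browser still sends Host: attacker.com."""
    if header_value is None:
        return False
    host, _port = parse_host_header(header_value)
    return host is not None and host in allowed


class Handler(BaseHTTPRequestHandler):
    def _host_ok(self):
        if is_allowed_host(self.headers.get("Host")):
            return True
        self.send_error(421, "Misdirected Request: unexpected Host header")
        return False

    def do_GET(self):
        if self._host_ok():
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok\n")

    do_DELETE = do_GET  # the state-changing verb from the scenario gets the same gate


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```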
References:
- DEF CON 25 — Luke Young
- Web application for attack URI or DNS resolution by Tavis Ormandy
- Bug Bounty | $2000 for SSRF bypass using DNS rebinding by Leet Cipher
- DNS Rebinding attacks lecture by Feross
Further Research
Originally published at https://void92.github.io.