DNS Rebinding attack

Rajeev
3 min read · Feb 8, 2023


DNS Rebinding is a method of bypassing the Same Origin Policy (SOP) by manipulating DNS resolution.

How is a general cross-origin request blocked by the browser?

Browser blocking cross-origin request

Here, the browser sees that the page served from the attacker's origin is requesting a page from another origin (i.e. from localhost)³. Since it is a 'non-simple' cross-origin request, the browser blocks it by default.

In order to access the local server, we need to bypass SOP.

Here comes DNS Rebinding to our rescue...

Attack scenario

DNS rebinding attack bypassing Same Origin Policy

At the initial DNS resolution, attacker.com resolves to 6.6.6.6². So the browser sends a request to 6.6.6.6 and receives the attacker's response. That response might contain a fetch request to attacker.com again. Since the page from the attacker's origin is requesting a resource from the attacker's origin, this is same-origin⁵.

While configuring the DNS server, the attacker sets the TTL (Time-To-Live) to a small value (e.g. 2 sec)².

So, when the browser executes the fetch request to attacker.com, it asks the DNS server again to resolve attacker.com, which now resolves to 127.0.0.1⁶ (the attacker configures two A records in the DNS server).

The browser then executes the next request in the attacker's page, which is a DELETE request for a resource on 127.0.0.1. Since it is a request to the local host, which the browser now treats as the same origin as attacker.com (127.0.0.1), the browser executes it without blocking.
The resource gets deleted⁹ 🔥
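The sequence above leaves a recognisable trace at the resolver: a public name first answers with a public address and a tiny TTL, then answers with a loopback or RFC 1918 address. The following filter, written for this article as an added illustration and not taken from the post or the rebinder tool, applies the same rule as dnsmasq's `--stop-dns-rebind` option (drop upstream answers that point into internal ranges) and additionally reports the rebinding pattern when the same name was just seen resolving publicly. The answer log, the function names and the alert fields are all constructed for this example.

```python
import ipaddress

# Ranges that a name answered by an upstream public resolver should never point at.
# Listed explicitly rather than via ipaddress.is_private, because Python also
# classifies documentation ranges such as 203.0.113.0/24 as "private".
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip):
    """True if the address falls in a loopback, link-local, unspecified or RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    # 'in' returns False across address families, so v4 and v6 networks can share one list
    return any(addr in net for net in INTERNAL_NETWORKS)


def filter_answers(answers):
    """Rebind filter over a stream of (timestamp, name, ip, ttl) A/AAAA answers from upstream.

    Returns (allowed, alerts). Answers that point into internal ranges are dropped and
    produce an alert; the alert also records when the same name was previously accepted
    with a public address, which is the DNS rebinding pattern described in the article.
    Names served from local zones or /etc/hosts should not pass through this filter,
    since those are expected to resolve internally.
    """
    last_public = {}   # name -> (timestamp, ip) of the last accepted public answer
    allowed, alerts = [], []
    for ts, name, ip, ttl in answers:
        if not is_internal(ip):
            last_public[name] = (ts, ip)
            allowed.append((ts, name, ip, ttl))
            continue
        alert = {"name": name, "ip": ip, "ts": ts, "ttl": ttl, "rebind": False}
        if name in last_public:
            prev_ts, prev_ip = last_public[name]
            alert["rebind"] = True
            alert["previous_ip"] = prev_ip
            alert["seconds_since_public"] = ts - prev_ts
        alerts.append(alert)
    return allowed, alerts


# Constructed sample answer log using the article's example values (6.6.6.6, then 127.0.0.1).
SAMPLE_ANSWERS = [
    (0.0, "attacker.com", "6.6.6.6", 2),        # first resolution: public address, TTL 2 s
    (2.5, "attacker.com", "127.0.0.1", 2),      # after TTL expiry: loopback (the rebind)
    (3.0, "cdn.example", "198.51.100.7", 300),  # unrelated name with a stable public address
]

if __name__ == "__main__":
    accepted, findings = filter_answers(SAMPLE_ANSWERS)
    for a in accepted:
        print("allowed:", a)
    for f in findings:
        print("ALERT  :", f)
```

Running the block prints two accepted answers and one alert for attacker.com that names the previous public address and the 2.5 s gap. In practice the rule belongs at the resolver your browsers actually use; a browser-side script cannot see the second resolution at all, which is exactly why the attack works.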

How can I spin up a DNS server quickly?

You can use the application at http://lock.cmpxchg8b.com/rebinder.html (source code is also available).

Any other attack scenarios?

1. Confusing server-side infrastructure

2. Evading the firewall and accessing devices on the intranet from the Internet

Constraints for the attacker / mitigations for the developer

1. If authentication is required

2. If an SSL certificate is present

3. If the server verifies the Host header

4. If a custom protocol handler (e.g. chrome://) is defined and used to access local applications
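Item 3 is the cheapest of these mitigations to add to a local service, and it works because the browser keeps sending `Host: attacker.com` even after the name has been rebound to 127.0.0.1. The handler below is an added example written for this article, not code from the post or from any particular project: it wraps Python's standard `http.server` so that every request is first checked against an allow-list of hostnames the service is genuinely reachable as, and anything else (including a rebound attacker name) is refused with 421 Misdirected Request before any handler logic runs. The allow-list contents and the handler class name are assumptions for the example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hostnames this local service legitimately answers for (assumed for the example).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def host_allowed(host_header, allowed_hosts):
    """Return True only if the Host header names one of allowed_hosts.

    Strips an optional :port and handles bracketed IPv6 literals such as [::1]:8080.
    A missing or empty Host header is rejected, since every browser request carries one.
    """
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                  # bracketed IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:                # hostname:port or IPv4:port
        host = host.split(":", 1)[0]
    return host in allowed_hosts


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Refuses any request whose Host header is not on the allow-list.

    After a rebind the browser still sends the original name (attacker.com) in Host,
    so this check fails closed even though the TCP connection arrives on loopback.
    """

    def _host_ok(self):
        if host_allowed(self.headers.get("Host"), ALLOWED_HOSTS):
            return True
        self.send_response(421)               # Misdirected Request
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Host header not recognised for this service\n")
        return False

    def do_GET(self):
        if not self._host_ok():
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    def do_DELETE(self):
        # The DELETE in the article's scenario never reaches this point for a rebound name.
        if not self._host_ok():
            return
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    # Bind to loopback only; the Host check is the second layer, not a replacement for this.
    HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

The allow-list must be exact names rather than a substring or suffix match, and it is deliberately separate from the bind address: binding to 127.0.0.1 stops remote clients, but it does nothing against a browser on the same machine that was tricked into sending the request, which is the whole point of the rebind.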

References:

Further Research

Originally published at https://void92.github.io.
