Week 47 - DNS Re-binding
Last updated
Today’s web hacking tip involves a unique way of bypassing #SSRF protections: DNS rebinding. DNS rebinding alternates between two different IP addresses associated with a single domain. This is accomplished with a short TTL (time to live), the period after which a resolver re-checks what IP the domain maps to. After a couple of seconds the domain resolves to the other IP, and it keeps switching between the two.

This works because the application may have a firewall (or URL filter) that blocks any domain pointing to localhost. The idea behind the attack is to have the domain change what IP it resolves to between the check and the use: when the request is checked by the firewall, the domain resolves to an arbitrary allowed public IP address, but when the web server then fetches the domain, it resolves to localhost and we have SSRF. Optionally, you can point the domain to an IP address you own and include some JavaScript on the index page to initiate a request to an internal application/system. Both are good options for bypassing SSRF protections.

A great tool that will automatically provide you with a domain alternating between two IPs you specify is https://lock.cmpxchg8b.com/rebinder.html. Just plug in your target IP (like localhost) together with an allowed public one, and then send a couple of requests through Burp Repeater!

Defenses:
- Map domains to a specific IP (pin the request to the address that was validated)
- Disallow JavaScript from running
- Disallow short TTLs (time to live) on domains
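To make the check-versus-use gap concrete from the defender's side, here is an added Python example (not code from the original post or from the rebinder tool). It models a rebinding domain as a scripted resolver that alternates between an allowed public address and 127.0.0.1, then shows the naive resolve-then-fetch SSRF filter being bypassed, and two of the defenses listed above: pinning the request to the validated IP, and a resolver cache that refuses to honour TTLs below a floor. The hostname `rebind.example`, the public address `8.8.8.8` used as the "allowed" answer, and the 60-second `MIN_TTL_SECONDS` floor are constructed placeholders; no network access is performed.

```python
"""Constructed demo: DNS rebinding against a resolve-then-fetch SSRF filter,
and two mitigations (IP pinning, minimum-TTL caching). Entirely offline."""
import ipaddress
from itertools import cycle

MIN_TTL_SECONDS = 60  # hypothetical floor: answers with a shorter TTL are cached this long


class ToggleResolver:
    """Stand-in for a rebinder domain: every lookup returns the next (ip, ttl)
    answer, alternating between an allowed public IP and localhost."""

    def __init__(self, answers):
        self._answers = cycle(answers)
        self.lookups = 0  # how many times the upstream "DNS" was actually asked

    def resolve(self, hostname):
        self.lookups += 1
        return next(self._answers)


def is_allowed(ip):
    """Reject loopback, RFC 1918 / ULA, link-local (incl. 169.254.169.254),
    multicast, reserved and unspecified addresses. IPv4-mapped IPv6 literals
    such as ::ffff:127.0.0.1 are judged as their IPv4 form."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def vulnerable_fetch(hostname, resolver):
    """Validate-then-fetch: the filter resolves the name, then the HTTP client
    resolves it again on its own. With a short TTL the second answer differs.
    Returns the IP the request would actually be sent to."""
    check_ip, _ = resolver.resolve(hostname)          # lookup #1: the filter
    if not is_allowed(check_ip):
        raise ValueError(f"blocked: {hostname} -> {check_ip}")
    connect_ip, _ = resolver.resolve(hostname)        # lookup #2: the client
    return connect_ip


def pinned_fetch(hostname, resolver):
    """Defense 1: resolve once, validate that address, and connect to *that*
    address. The hostname only goes into the Host header / SNI afterwards and
    is never resolved a second time."""
    ip, _ = resolver.resolve(hostname)
    if not is_allowed(ip):
        raise ValueError(f"blocked: {hostname} -> {ip}")
    return ip  # the connection is opened to this validated IP


class MinTtlCachingResolver:
    """Defense 3: a resolver cache that clamps every TTL to at least
    MIN_TTL_SECONDS, so two lookups inside that window cannot disagree.
    `clock` is a callable returning seconds, injected so the demo is offline."""

    def __init__(self, upstream, clock):
        self._upstream = upstream
        self._clock = clock
        self._cache = {}  # hostname -> (answer, expiry_time)

    def resolve(self, hostname):
        now = self._clock()
        cached = self._cache.get(hostname)
        if cached is not None and cached[1] > now:
            return cached[0]
        ip, ttl = self._upstream.resolve(hostname)
        answer = (ip, max(ttl, MIN_TTL_SECONDS))
        self._cache[hostname] = (answer, now + answer[1])
        return answer


if __name__ == "__main__":
    rebinder = [("8.8.8.8", 1), ("127.0.0.1", 1)]  # constructed 1-second TTL answers
    print("naive filter connects to:", vulnerable_fetch("rebind.example", ToggleResolver(rebinder)))
    print("pinned fetch connects to:", pinned_fetch("rebind.example", ToggleResolver(rebinder)))
    fake_now = [0.0]
    cached = MinTtlCachingResolver(ToggleResolver(rebinder), lambda: fake_now[0])
    print("naive filter behind TTL floor:", vulnerable_fetch("rebind.example", cached))
```

In a real service the pinning step means opening the socket to the validated address and supplying the hostname only as the Host header and TLS SNI, and treating every HTTP redirect as a fresh URL that must go through the same validation, since each hop re-resolves a name. The TTL-floor cache is a useful second layer, but on its own it only narrows the window; pinning is what removes the second lookup entirely.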