An attacker hosts content under a domain name that resolves through a DNS server under their control. Initially, the domain points to an external IP. After the victim's browser has accessed it, the attacker updates the DNS record so the same name resolves to an internal IP address.
With DNS rebinding attacks it's crucial to understand that the zone owner controls mcz3n.com and all of its subdomains: they can configure the DNS settings, add or delete subdomain entries, and change the IP addresses the names resolve to at any time, including pointing the domain at any IP address they like.
SSRF Basic Filter Bypasses
When a web application fetches a remote URL supplied by the user and that URL is not properly validated, it is possible to make the application send requests to internal services or into other protected networks.
Obfuscation of localhost
A basic SSRF filter simply blocks hostnames such as localhost or 127.0.0.1. Such a filter may look like this in Python.
def check_domain(domain):
    # Naive string check: it only recognises the literal spellings
    # 'localhost' and '127.0.0.1', not the address they stand for
    if 'localhost' in domain:
        return False
    if domain == '127.0.0.1':
        return False
    return True
But because only those exact strings are matched, there are many other spellings of the loopback address that pass the check:
- 127.1
- 127.000000000000000.1
- 0.0.0.0
- 0
- 0x7f000001
- 0:0:0:0:0:0:0:1
- ::ffff:127.0.0.1
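As an added example (not part of the original notes), the following Python shows why the string filter fails and what a stricter check looks like: it canonicalises each literal the way the operating system would, so that "127.1", "0x7f000001" or "::ffff:127.0.0.1" are judged as the loopback address they really are. The weak_check() function is the notes' filter reproduced for comparison; canonical_address(), is_internal() and strict_check() are names chosen here, and the shorthand forms accepted by socket.inet_aton() are those of the C library's inet_aton() (glibc and musl behave this way; Windows differs).

```python
import ipaddress
import socket

# The literal forms from the bypass list above (constructed test inputs).
OBFUSCATED_LOOPBACK = [
    "127.1",
    "127.000000000000000.1",
    "0.0.0.0",
    "0",
    "0x7f000001",
    "0:0:0:0:0:0:0:1",
    "::ffff:127.0.0.1",
]


def weak_check(domain):
    """The string-matching filter from the notes, reproduced for comparison."""
    if "localhost" in domain:
        return False
    if domain == "127.0.0.1":
        return False
    return True


def canonical_address(text):
    """Return the address the OS would actually connect to, or None for a hostname.

    socket.inet_aton() wraps the C library's inet_aton(), which accepts the
    same shorthand the connect() path does: fewer than four parts ("127.1"),
    hex ("0x7f000001"), leading zeros, a bare "0". Normalising through it
    turns an obfuscated literal into its real value. IPv6 literals go through
    ipaddress, and IPv4-mapped addresses are unwrapped so that
    "::ffff:127.0.0.1" is judged as 127.0.0.1.
    """
    try:
        return ipaddress.IPv4Address(socket.inet_aton(text))
    except OSError:
        pass  # not an IPv4 literal in any form inet_aton() understands
    try:
        v6 = ipaddress.IPv6Address(text)
    except ValueError:
        return None  # a hostname: must be resolved and checked separately
    return v6.ipv4_mapped or v6


def is_internal(addr):
    """True for anything a server-side fetcher should never be sent to.

    is_global is False for loopback, RFC 1918 space, link-local
    (169.254.0.0/16, where cloud metadata services live), unspecified
    (0.0.0.0) and reserved ranges, which is the deny list the string filter
    was trying to express.
    """
    return not addr.is_global


def strict_check(text):
    """Drop-in replacement for weak_check() that judges the canonical address."""
    addr = canonical_address(text)
    if addr is None:
        return True  # hostname: only safe after resolution (see the DNS section)
    return not is_internal(addr)


if __name__ == "__main__":
    for literal in OBFUSCATED_LOOPBACK:
        print(f"{literal:22s} weak={weak_check(literal)!s:5s} "
              f"strict={strict_check(literal)!s:5s} -> {canonical_address(literal)}")
```

Every entry in the list passes weak_check() and is rejected by strict_check(). The design point is that the filter must reason about the parsed address, never about the string; a hostname that survives this step still has to be resolved and every returned record checked, which is the subject of the next section.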
Bypass via DNS Resolution
Here the filter parses the IP address that was supplied and blocks it if it falls into any of these ranges.
import ipaddress

def check_ip(ip):
    # ip is an ipaddress.ip_address() value parsed from the user input
    if ip in ipaddress.ip_network('127.0.0.0/8'):
        return False
    if ip in ipaddress.ip_network('10.0.0.0/8'):
        return False
    if ip in ipaddress.ip_network('172.16.0.0/12'):
        return False
    if ip in ipaddress.ip_network('192.168.0.0/16'):
        return False
    if ip in ipaddress.ip_network('0.0.0.0/8'):
        return False
    return True
But the input can be any domain name whose DNS record points to an internal IP address, for example http://localtest.me/, which resolves to 127.0.0.1.
nslookup localtest.me
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: localtest.me
Address: 127.0.0.1
Name: localtest.me
Address: ::1
Bypass via HTTP Redirect
Filters can also be bypassed with an HTTP redirect to the internal IP. Create a simple PHP file that issues the redirect:
<?php header('Location: http://127.0.0.1/debug'); ?>
Then host the file on a web server and submit its (valid, external) URL; the application follows the redirect and returns the internal page.
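As an added example (not code from the original notes), the following Python shows the defensive counterpart to both the DNS resolution bypass and the HTTP redirect bypass: resolve the hostname, reject the URL if any returned record is internal, pin the address that was checked for the actual connection, and follow redirects manually so that each Location target goes through the same validation. The function names, the resolver-injection hook, the names attacker.example and dual.example, the FAKE_DNS records, the 93.184.216.34 sample public address and the fake_fetch() transport stub are all constructed for this offline demo; localtest.me and the 127.0.0.1/debug redirect target come from the notes above.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def is_internal(addr):
    """True for any address a server-side fetcher should never reach."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:a.b.c.d as a.b.c.d
    return not addr.is_global


def resolve_all(hostname, resolver=None):
    """Every address the name resolves to (A and AAAA), as ipaddress objects.

    `resolver` (hostname -> list of address strings) is injectable so the
    demo below runs offline; with None, socket.getaddrinfo() is used.
    """
    if resolver is not None:
        raw = resolver(hostname)
    else:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
        raw = [info[4][0].split("%")[0] for info in infos]  # drop any scope id
    return [ipaddress.ip_address(a) for a in raw]


def validate_url(url, resolver=None):
    """Return (hostname, pinned_ip) for a URL that is safe to fetch, else raise.

    Every record must be external, not just the first: a name returning one
    public and one internal address (or rebound between check and connect)
    must not pass. The caller connects to `pinned_ip` while keeping
    `hostname` in the Host header, so no second lookup can change the target.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"unsupported URL: {url}")
    addrs = resolve_all(parsed.hostname, resolver)
    if not addrs:
        raise ValueError(f"{parsed.hostname} does not resolve")
    for addr in addrs:
        if is_internal(addr):
            raise ValueError(f"{parsed.hostname} resolves to internal address {addr}")
    return parsed.hostname, addrs[0]


def safe_fetch(url, fetch, resolver=None, max_redirects=5):
    """Follow redirects by hand, re-validating the target of every hop.

    `fetch(hostname, ip, url)` is the transport, returning (status, headers,
    body) with automatic redirect following switched off: a client that
    follows Location by itself is exactly what the PHP redirect exploits.
    """
    for _ in range(max_redirects + 1):
        hostname, ip = validate_url(url, resolver)
        status, headers, body = fetch(hostname, ip, url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])  # validated on the next loop
            continue
        return status, body
    raise ValueError("too many redirects")


# --- constructed offline demo data, not real infrastructure ---
FAKE_DNS = {
    "attacker.example": ["93.184.216.34"],          # sample public address
    "localtest.me": ["127.0.0.1", "::1"],           # as in the nslookup output
    "dual.example": ["93.184.216.34", "10.0.0.5"],  # one public, one internal record
    "127.0.0.1": ["127.0.0.1"],
}


def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, [])


def fake_fetch(hostname, ip, url):
    """Stub transport: the attacker's page replies with the redirect from the text."""
    if url == "http://attacker.example/redirect.php":
        return 302, {"Location": "http://127.0.0.1/debug"}, b""
    return 200, {}, f"fetched {url} via {ip}".encode()


def run_demo():
    """Run four cases through safe_fetch() and report which were blocked."""
    cases = {
        "direct": "http://attacker.example/page",
        "dns": "http://localtest.me/",
        "dual": "http://dual.example/",
        "redirect": "http://attacker.example/redirect.php",
    }
    results = {}
    for name, url in cases.items():
        try:
            status, _ = safe_fetch(url, fake_fetch, fake_resolver)
            results[name] = f"allowed {status}"
        except ValueError as exc:
            results[name] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:9s} {outcome}")
```

Only the direct fetch of the public page is allowed; the localtest.me name, the name with one internal record, and the redirect chain are all rejected. Pinning the checked address for the connection is also what closes the DNS rebinding window described at the top of the page, since the attacker's later record change is never looked up. With a real client this means disabling automatic redirects (for example `allow_redirects=False` in requests) and validating each hop yourself.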