Full Report
DNS rebinding attack without CORS against local network web applications. Explore the topic further and see how it can be used to exploit vulnerabilities in the real world. The post DNS rebinding attacks explained: The lookup is coming from inside the house! appeared first on The GitHub Blog.
Analysis Summary
# Tool/Technique: DNS Rebinding Attack
## Overview
DNS rebinding is a browser-based attack technique that bypasses the Same-Origin Policy (SOP) by exploiting the way web browsers resolve domain names to IP addresses. The attacker sets up a domain that initially resolves to a public IP address, so the victim's browser loads a malicious script from it. The attacker's DNS server then rapidly changes the resolution of that same domain to a private, local IP address (e.g., 127.0.0.1 or 192.168.0.1). Because the browser keys the origin on the hostname and does not re-validate it after the IP address changes, the already-loaded script keeps executing in the same origin, but its requests now reach the victim's internal network resources or local services, which the browser treats as the same origin as the initial malicious site.
## Technical Details
- Type: Technique
- Platform: Web Browsers (Client-side exploitation), Local/Internal Network Applications (Target)
- Capabilities: Bypassing Same-Origin Policy (SOP) to interact with local or internal web applications, including those running on `localhost`.
- First Seen: The Same-Origin Policy was established in 1995; DNS rebinding, which abuses the fact that an origin persists across changing DNS answers, was known before the article's publication date (June 2025).
## MITRE ATT&CK Mapping
The primary goal of this technique is unauthorized access to internal resources accessible via HTTP/S.
- **TA0001 - Initial Access**
- **T1568 - Dynamic Resolution**
  - T1568.002 - Domain Generation Algorithms (While DGA is complex, the core abuse here is dynamic/time-sensitive resolution control.)
- **TA0003 - Persistence** (If integrated into a persistent script/exploit)
- **TA0009 - Collection** (If used to gather internal data)
- **TA0010 - Exfiltration** (If collected data is sent out)
- **TA0011 - Command and Control** (If used to interact with an internal C2 structure)
*Note: The most direct categorization relates to abusing DNS resolution to initiate unauthorized connections.*
## Functionality
### Core Capabilities
- **SOP Bypass:** Exploiting the browser's assumption that if the hostname remains the same, the origin remains the same, even if the resolved IP address changes from public to private.
- **Local/Internal Host Interaction:** Enabling JavaScript loaded from an external domain to make requests to local services (e.g., routers, development servers, IoT devices) running on private IP ranges (like 192.168.x.x or 127.0.0.1).
- **Initial Access to Unauthenticated Services:** Targeting web applications running locally that do not enforce strong authentication or use HTTPS.
### Advanced Features
- **Exploiting Real-World Vulnerabilities:** The technique can be chained with specific application vulnerabilities (e.g., insecure file reading in the Deluge BitTorrent client) to achieve concrete objectives beyond simple port scanning or information disclosure.
- **Circumvention of Network Segmentation:** Effectively treating the victim's browser as a proxy into their internal/local network segment.
## Indicators of Compromise
Because DNS rebinding abuses DNS resolution and browser behaviour rather than executing malware on the host, there are no file-based IOCs for the technique itself.
- File Hashes: N/A (Pure client-side exploit technique)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Initial DNS responses from an attacker-controlled authoritative DNS server resolving a target domain to a **public IP address**.
  - Rapid subsequent DNS responses for the **same domain resolving to private/local IP addresses** (e.g., 127.0.0.1/32, 192.168.0.1/32, 10.0.0.1/32).
  - Malicious HTTP requests originating from the victim's browser to internal IP addresses, seemingly initiated by a domain name (e.g., a request to `http://192.168.1.50/admin` appearing as if it originated from `somesite.com` in the context of the browser session).
- Behavioral Indicators:
  - JavaScript attempting to initiate network requests via the `XMLHttpRequest` or `fetch` API against `localhost` or private IP addresses after loading resources from a known external domain.
  - Sudden network traffic spikes directed towards internal network subnets originating from the context of a specific web application session.
## Associated Threat Actors
This is a general attack technique often leveraged by penetration testers or sophisticated threat actors against vulnerable internal services. No specific malware family or actor is inherently tied to the technique itself, but it is a common exploit method used in various web application compromise scenarios.
## Detection Methods
- Signature-based detection: Difficult, as the attack loads legitimate-looking JavaScript initially.
- Behavioral detection:
  - Monitoring outbound network requests from browser processes where the destination IP address is in the private address space (RFC 1918) while being associated with an active connection established from a public domain.
  - Monitoring for unusual redirection or internal resource access patterns initiated by client-side scripts.
- YARA rules: N/A
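The network indicator that most directly characterises this technique is a single domain whose DNS answers flip from a public address to an RFC 1918, loopback or link-local address within a short window. The following Python is an added example (not code from the GitHub Blog post or this report) of that detection run over passive-DNS style log lines; the log format, the domain names and the five-minute window are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <queried name> <A-record answer>".
# rebind.attacker.example flips from a public address to private ones within
# seconds; slow.example.org flips hours apart (a legitimate re-IP, not rebinding);
# intranet.corp.example is only ever private (normal split-horizon DNS).
SAMPLE_DNS_LOG = """\
2025-06-01T10:00:00Z cdn.example.net 203.0.113.10
2025-06-01T10:00:01Z rebind.attacker.example 198.51.100.7
2025-06-01T10:00:03Z rebind.attacker.example 192.168.1.1
2025-06-01T10:00:04Z rebind.attacker.example 127.0.0.1
2025-06-01T10:00:05Z intranet.corp.example 10.0.0.5
2025-06-01T10:00:06Z cdn.example.net 203.0.113.11
2025-06-01T11:30:00Z slow.example.org 198.51.100.20
2025-06-01T15:30:00Z slow.example.org 10.1.2.3
"""

# Address ranges a browser-borne request should not be steered into:
# RFC 1918 private space, loopback and link-local (v4 and v6). Listed
# explicitly rather than via ipaddress.is_private, which also treats the
# RFC 5737 documentation ranges used in the sample as "private".
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_local_target(ip: str) -> bool:
    """True if the answer points at an internal/local address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_RANGES)


def parse_log(text: str):
    """Parse log lines into (timestamp, normalised qname, answer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, ip = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((when, qname.lower().rstrip("."), ip))
    return records


def find_rebinding(records, window: timedelta = timedelta(minutes=5)):
    """Flag every private answer that follows a public answer for the same
    name within `window`. Returns (qname, public_ip, private_ip, seconds)."""
    by_name = defaultdict(list)
    for when, qname, ip in records:
        by_name[qname].append((when, ip))

    findings = []
    for qname, answers in by_name.items():
        answers.sort()
        last_public = None
        for when, ip in answers:
            if not is_local_target(ip):
                last_public = (when, ip)
            elif last_public is not None and when - last_public[0] <= window:
                delta = (when - last_public[0]).total_seconds()
                findings.append((qname, last_public[1], ip, delta))
    return findings


def detect(text: str = SAMPLE_DNS_LOG):
    """Convenience wrapper: parse the log and return the rebinding findings."""
    return find_rebinding(parse_log(text))


if __name__ == "__main__":
    for qname, pub, priv, secs in detect():
        print(f"possible DNS rebinding: {qname} {pub} -> {priv} after {secs:.0f}s")
```

The window is the main tuning knob: rebinding needs the flip to happen while the victim's page is still open, so a few minutes catches it, whereas a service that legitimately moves behind a VPN-only address hours later is not flagged. A name that only ever resolves to private space (internal split-horizon DNS) never produces a finding because there is no preceding public answer.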
## Mitigation Strategies
- **Require HTTPS/TLS:** Using HTTPS prevents many forms of snooping, although it does not inherently stop the rebinding request itself.
- **Strong Authentication:** Enforce strong, password-based authentication even for internal services. The attacker's script runs in the origin of the external site, so the internal service's cookies are not sent with its requests unless the service is specifically configured to allow that (which is itself part of the bypass).
- **Host Header Validation:** The most crucial defense mentioned: **strictly validate the `Host` header of incoming requests on the local/internal web application.** A rebound request carries the original external hostname (e.g., `somesite.com`) in the `Host` header, which will not match the IP address or the specific internal hostname the service expects to be reached by.
- **Use Unique Hostnames for Internal Services:** Avoid using the same hostname for both public-facing and internal/local services.
- **Network Segmentation and Firewalls:** Ensure that internal services are not needlessly exposed to the main network segment where general browsing occurs.
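To make the Host header defense above concrete, here is an added Python example (not code from the GitHub Blog post or from any of the applications it mentions) of a local web service that rejects requests whose `Host` header is not on an allowlist. The allowlist entries (`localhost`, `deluge.internal`, the loopback addresses) and the port are constructed assumptions; a real service would load them from its configuration. The parser deliberately avoids URL-parsing helpers so that user-info tricks such as `evil@localhost` cannot smuggle an allowed name past the check.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allowlist: the names/addresses this local service is legitimately
# reached as. IPv6 literals are stored without brackets (see parse_host_header).
ALLOWED_HOSTS = {"localhost", "deluge.internal", "127.0.0.1", "::1"}

# A Host header is either a bracketed IPv6 literal or a DNS name / IPv4 literal,
# optionally followed by ":port". Anything else (userinfo, paths, spaces) is
# treated as malformed and rejected.
HOST_RE = re.compile(
    r"^(?P<host>\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(?P<port>\d{1,5}))?$"
)


def parse_host_header(value):
    """Return (hostname, port_or_None) or None if the header is missing or malformed.
    Hostname is lower-cased, IPv6 brackets and any trailing dot are removed."""
    if value is None:
        return None
    match = HOST_RE.match(value.strip().lower())
    if match is None:
        return None
    host = match.group("host").strip("[]").rstrip(".")
    port = int(match.group("port")) if match.group("port") else None
    if port is not None and not 0 < port < 65536:
        return None
    return host, port


def host_allowed(value, allowed=ALLOWED_HOSTS, expected_port=None):
    """Decide whether a request with this Host header may be served.
    A rebound request arrives with the attacker's external hostname here
    (e.g. somesite.com from the report), which is not in the allowlist."""
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, port = parsed
    if expected_port is not None and port not in (None, expected_port):
        return False
    return host in allowed


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Minimal handler that refuses misdirected requests before doing any work."""

    def do_GET(self):
        if not host_allowed(self.headers.get("Host"),
                            expected_port=self.server.server_port):
            # 421 Misdirected Request: the server is not configured to serve
            # the authority named in the request.
            self.send_response(421)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"Host header not recognised for this service\n")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from the local service\n")


if __name__ == "__main__":
    # Bind to loopback only; constructed port for the demonstration.
    HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

With the server running, `curl -H 'Host: localhost:8080' http://127.0.0.1:8080/` is served, while a request carrying `Host: somesite.com` (what a rebound browser request would send) gets a 421 and no application code runs. Checking the port as well as the name stops an allowlisted hostname from being reused across several local services on different ports.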
## Related Tools/Techniques
- Cross-Site Request Forgery (CSRF) (DNS rebinding is often used to facilitate CSRF against internal endpoints.)
- Port Scanning (The technique can be used to enumerate services running on the local network by iterating through common port numbers.)
- Web Application Firewalls (WAFs) or Proxies configured for strict Host header checks.