Practical Attacks with DNS Rebinding
One of the tools I expect to see gain in popularity in the wild is DNS rebinding. DNS rebinding is a technique that turns a victim’s browser into a proxy for attacking private networks. The attacker controls a domain name and changes the IP address it resolves to after the browser has already used that name to load JavaScript. Since the same-origin policy (SOP) is keyed on the domain name rather than on the IP address, the already-loaded JavaScript is allowed to talk to whatever the name now resolves to, including hosts on the victim's private network.
This blog post outlines some of what I’ve learned while preparing a DNS rebinding lab exercise for Black Hat and SecTor.
There are two general challenges we must overcome to attack network devices:

1. Attackers do not know private network address ranges ahead of time.
2. Cross-domain access is restricted by the same-origin policy.
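The mechanism described in the opening paragraph is also what the two standard defences key on: a resolver can refuse to hand a public name an answer that points into private address space, and a device on the private network can refuse requests whose Host header names a domain other than its own (a rebound request still carries the attacker's domain in Host, because the browser believes it is talking to that domain). The following is an added example, not code from the original post; the hostnames, addresses and DNS answers in it are constructed sample data, and the internal-zone allow list is an assumption about what a given network would treat as legitimately internal.

```python
"""Defensive checks against DNS rebinding (added example, not from the post).

1. filter_dns_answer: a resolver-side filter that rejects A/AAAA answers in
   which an external name resolves to a private, loopback, link-local,
   CGNAT or unspecified address. Names under an explicitly trusted
   internal zone are exempt, since those are expected to resolve internally.
2. host_header_allowed: a service-side check that a request's Host header
   names the device itself. A request rebound from the attacker's domain
   fails this check even though it arrives on the device's own IP.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Ranges an external name should never resolve to. Listed explicitly rather
# than via ipaddress.is_private, which also flags documentation ranges such
# as 203.0.113.0/24 that we use below as a constructed "public" address.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal_address(addr: str) -> bool:
    """True if addr lies in a range that only the local network should use."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:192.168.1.1) must be judged as its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETWORKS)


def filter_dns_answer(name: str, addresses: Iterable[str],
                      internal_zones: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split an answer set into (accepted, rejected) address lists."""
    name = name.rstrip(".").lower()
    zones = [z.rstrip(".").lower() for z in internal_zones]
    trusted = any(name == z or name.endswith("." + z) for z in zones)
    accepted: List[str] = []
    rejected: List[str] = []
    for addr in addresses:
        if not trusted and is_internal_address(addr):
            rejected.append(addr)
        else:
            accepted.append(addr)
    return accepted, rejected


def _host_without_port(host_header: str) -> str:
    """Strip an optional :port; handles bracketed IPv6 literals like [::1]:8080."""
    h = host_header.strip()
    if h.startswith("["):
        end = h.find("]")
        return h[1:end] if end != -1 else h
    if h.count(":") == 1:          # name:port or IPv4:port
        return h.split(":", 1)[0]
    return h                       # bare name, bare IPv4, or unbracketed IPv6


def host_header_allowed(host_header: str, allowed_hosts: Iterable[str]) -> bool:
    """True only if the Host header names one of this device's own identities."""
    host = _host_without_port(host_header).lower()
    return any(host == a.lower() for a in allowed_hosts)


# Constructed rebinding sequence: the same external name first answers a
# public address, then, once its short TTL expires, a private one.
SAMPLE_ANSWERS = [
    ("rebind.attacker.example", ["203.0.113.10"]),
    ("rebind.attacker.example", ["192.168.1.1"]),
    ("rebind.attacker.example", ["127.0.0.1", "203.0.113.10"]),
    ("printer.corp.internal", ["10.20.30.40"]),   # legitimately internal
]


def audit_answers(internal_zones=("corp.internal",)):
    """Run the resolver filter over SAMPLE_ANSWERS; returns (name, accepted, rejected)."""
    return [(name, *filter_dns_answer(name, addrs, internal_zones))
            for name, addrs in SAMPLE_ANSWERS]


if __name__ == "__main__":
    for name, accepted, rejected in audit_answers():
        print(f"{name}: accepted={accepted} rejected={rejected}")
    # Assumed identities of a device at 192.168.1.1; the rebound request
    # arrives at that IP but still says Host: rebind.attacker.example.
    device_hosts = ["192.168.1.1", "router.corp.internal"]
    for h in ["192.168.1.1", "router.corp.internal:8080", "rebind.attacker.example"]:
        verdict = "allowed" if host_header_allowed(h, device_hosts) else "REJECTED"
        print(f"Host: {h!r} -> {verdict}")
```

The two checks are independent and worth deploying together: the resolver filter protects every client behind it but needs an allow list for internal zones that legitimately resolve to private space, while the Host header check needs no knowledge of the resolver at all and is the one a device vendor can ship by default.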