In this section we will talk about DNS Rebinding.
What is DNS Rebinding?
DNS Rebinding is an advanced technique that allows an attacker to bypass SSRF filters and the Same-Origin Policy.

Recap: Domain Name System (DNS)
The Domain Name System (DNS) is a hierarchical system that resolves domain names to **IP addresses** (such as resolving academy.hackthebox.com to 104.18.21.126 (IPv4) or 2606:4700::6812:157e (IPv6)); its structure resembles a tree. Parts of this tree managed by the same nameserver are called DNS zones.

What is happening while configuring the DNS

Another essential part of DNS is caching. Suppose we interact with the same service for an extended period; performing DNS requests before each service request would cause considerable overhead. For instance, when interacting with academy.hackthebox.com, students send numerous HTTP requests to it; without DNS caching, the domain name must be looked up with DNS before each HTTP request. Thus, DNS responses are cached for a specified time before a new DNS lookup is required. This amount of time is called time-to-live (TTL), and it determines how many seconds the resolved IP address is valid before the domain name must be resolved again with a DNS request.
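The TTL and caching behaviour just described is what a rebinding setup abuses against an SSRF filter that validates the resolved address and then lets the HTTP client resolve the name a second time. The Python below is an added illustration, not code from the original post: it simulates a short-TTL resolver (constructed for this example, with constructed hostnames and addresses) and contrasts the check-then-resolve pattern with a resolve-once-and-pin check.

```python
import ipaddress
from typing import Callable, List

# Constructed, hypothetical helper: the resolver is injected so the code runs
# offline and a rebinding answer sequence can be reproduced deterministically.
Resolver = Callable[[str], List[str]]


class RebindingResolver:
    """Fake DNS server (constructed for this example) that answers with a public
    address on the first lookup and a loopback address on every later lookup,
    mimicking a rebinding setup with a very short TTL."""

    def __init__(self, first: str, later: str) -> None:
        self.first, self.later, self.calls = first, later, 0

    def __call__(self, hostname: str) -> List[str]:
        self.calls += 1
        return [self.first] if self.calls == 1 else [self.later]


def is_public(ip: str) -> bool:
    # is_global is False for loopback, RFC 1918, link-local and ULA ranges.
    return ipaddress.ip_address(ip).is_global


def naive_fetch_target(hostname: str, resolve: Resolver) -> str:
    """Check-then-use: validates one DNS answer, then lets the HTTP client
    resolve the name again, so a rebound answer reaches the connect step."""
    if not all(is_public(ip) for ip in resolve(hostname)):
        raise ValueError("blocked: resolves to a non-public address")
    connect_ip = resolve(hostname)[0]   # second lookup, as an HTTP client does
    return connect_ip


def pinned_fetch_target(hostname: str, resolve: Resolver) -> str:
    """Resolve once, validate every answer, and connect to the validated IP
    (the Host header would still carry the original hostname)."""
    answers = resolve(hostname)
    bad = [ip for ip in answers if not is_public(ip)]
    if bad:
        raise ValueError(f"blocked: {hostname} resolves to {bad}")
    return answers[0]
```

The naive version ends up connecting to 127.0.0.1 even though its check passed; the pinned version performs exactly one lookup and connects to the address it validated.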

Now let’s see how Server-Side Request Forgery works.

Now let’s check the available source code and review it to identify the SSRF vulnerability.
```python
import base64
from io import BytesIO

from flask import Flask, render_template, request
from PIL import Image

app = Flask(__name__)
# screenshot_url(url) is defined elsewhere in the application: it fetches the
# user-supplied URL server-side and returns the rendered page as an image.


@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'GET':
        return render_template('index.html')
    try:
        # The URL comes straight from the form and is fetched server-side (SSRF)
        screenshot = screenshot_url(request.form.get('url'))
    except Exception as e:
        return f'Error: {e}', 400
    # b64 encode image
    image = Image.open(screenshot)
    buffered = BytesIO()
    image.save(buffered, format="PNG")
    img_data = base64.b64encode(buffered.getvalue())
    return render_template('index.html', screenshot=img_data.decode('utf-8'))


@app.route('/debug')
def debug():
    # Only a source-address check guards this route; a request the server
    # makes to itself through the screenshot feature arrives from 127.0.0.1
    if request.remote_addr != '127.0.0.1':
        return 'Unauthorized!', 401
    return render_template('debug.html')
```