/Code Review/DNS Rebinding SSRF

DNS Rebinding SSRF

Advanced SSRF attack using DNS rebinding to bypass IP-based blocklists.

CRITICALHard

Vulnerable Codejavascript

1const dns = require('dns');
2const fetch = require('node-fetch');
3
4async function fetchUrl(url) {
5    const parsedUrl = new URL(url);
6    
7    // Check if IP is internal (blocklist approach)
8    const addresses = await dns.promises.resolve4(parsedUrl.hostname);
9    const isInternal = addresses.some(ip => 
10        ip.startsWith('10.') || ip.startsWith('192.168.') || ip === '127.0.0.1'
11    );
12    
13    if (isInternal) {
14        throw new Error('Internal IPs not allowed');
15    }
16    
17    // Fetch the URL (DNS may resolve differently now!)
18    const response = await fetch(url);
19    return response.text();
20}

Understanding the Issue

DNS rebinding exploits the time gap between DNS validation and actual request. Attacker controls a domain with low TTL, first returning a safe IP to pass validation, then switching to an internal IP for the actual request.

DNS Rebinding to Access Metadata

Attacker uses DNS rebinding to bypass IP validation

Malicious Input

1. Attacker sets up evil.com with TTL=1
2. First lookup: evil.com → 1.2.3.4 (passes check)
3. Wait for TTL to expire
4. Second lookup: evil.com → 169.254.169.254

Impact

Server fetches from AWS metadata endpoint, leaking credentials

Technical Details

Vulnerability Type: Server-Side Request Forgery (DNS Rebinding)
Severity: CRITICAL
Language: Javascript
CWE: CWE-918
OWASP: A10:2021 - SSRF

DNS Rebinding SSRF

Understanding the Issue

How Attackers Exploit This

DNS Rebinding to Access Metadata

Finding the Vulnerability(3 hints)

Technical Details

DNS Rebinding SSRF

Understanding the Issue

How Attackers Exploit This

DNS Rebinding to Access Metadata

Finding the Vulnerability(3 hints)

Technical Details