An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or similar client), the adversary changes the IP address to which its name resolves, to an address within the target organization that is not publicly accessible. This allows the web browser to examine this internal address on behalf of the adversary.

How does a DNS Rebinding attack work?

It typically unfolds over 5 phases. It begins with: [Identify potential DNS rebinding targets] An adversary publishes content on their own server with their own name and DNS server. Attract HTTP traffic and explore rebinding vulnerabilities in browsers, flash players of old version.

How do you prevent CAPEC-275?

Design: IP Pinning causes browsers to record the IP address to which a given name resolves and continue using this address regardless of the TTL set in the DNS response. Unfortunately, this is incompatible with the design of some legitimate sites.

What weaknesses does CAPEC-275 target?

CAPEC-275 exploits 1 CWE weakness, including CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action).

How severe is CAPEC-275?

MITRE rates CAPEC-275 as Very High severity with high likelihood of attack.

CAPEC-275: DNS Rebinding

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Identify potential DNS rebinding targets] An adversary publishes content on their own server with their own name and DNS server. Attract HTTP traffic and explore rebinding vulnerabilities in browsers, flash players of old version.
- Adversary uses Web advertisements to attract the victim to access adversary's DNS. Explore the versions of web browser or flash players in HTTP request.
Step 2
Experiment
[Establish initial target access to adversary DNS] The first time the target accesses the adversary's content, the adversary's name must be resolved to an IP address. The adversary's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value.
Step 3
Experiment
[Rebind DNS resolution to target address] The target makes a subsequent request to the adversary's content and the adversary's DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source.
Step 4
Experiment
[Determine exploitability of DNS rebinding access to target address] The adversary can then use scripts in the content the target retrieved from the adversary in the original message to exfiltrate data from the named internal addresses.
Step 5
Exploit
[Access & exfiltrate data within the victim's security zone] The adversary can then use scripts in the content the target retrieved from the adversary in the original message to exfiltrate data from the internal addresses. This allows adversaries to discover sensitive information about the internal network of an enterprise.
- Adversary attempts to use victim's browser as an HTTP proxy to other resources inside the target's security zone. This allows two IP addresses placed in the same security zone.
- Adversary tries to scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses.

How the attack works

The phases an attacker typically follows to carry out this attack.

Step 1
Explore
[Identify potential DNS rebinding targets] An adversary publishes content on their own server with their own name and DNS server. Attract HTTP traffic and explore rebinding vulnerabilities in browsers, flash players of old version.
- Adversary uses Web advertisements to attract the victim to access adversary's DNS. Explore the versions of web browser or flash players in HTTP request.
Step 2
Experiment
[Establish initial target access to adversary DNS] The first time the target accesses the adversary's content, the adversary's name must be resolved to an IP address. The adversary's DNS server performs this resolution, providing a short Time-To-Live (TTL) in order to prevent the target from caching the value.
Step 3
Experiment
[Rebind DNS resolution to target address] The target makes a subsequent request to the adversary's content and the adversary's DNS server must again be queried, but this time the DNS server returns an address internal to the target's organization that would not be accessible from an outside source.
Step 4
Experiment
[Determine exploitability of DNS rebinding access to target address] The adversary can then use scripts in the content the target retrieved from the adversary in the original message to exfiltrate data from the named internal addresses.
Step 5
Exploit
[Access & exfiltrate data within the victim's security zone] The adversary can then use scripts in the content the target retrieved from the adversary in the original message to exfiltrate data from the internal addresses. This allows adversaries to discover sensitive information about the internal network of an enterprise.
- Adversary attempts to use victim's browser as an HTTP proxy to other resources inside the target's security zone. This allows two IP addresses placed in the same security zone.
- Adversary tries to scan and access all internal hosts in victim's local network by sending multiple short-lived IP addresses.

How the attack works

CAPEC-275: DNS Rebinding

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Frequently asked questions

What is CAPEC-275?

How does a DNS Rebinding attack work?

How do you prevent CAPEC-275?

What weaknesses does CAPEC-275 target?

How severe is CAPEC-275?

References

Defend against CAPEC-275

How the attack works

Overview

How the attack works

What the attacker needs

Prerequisites

Skills required

Resources required

Consequences

How to mitigate it

Examples

Related weaknesses

Related attack patterns

Parent

Frequently asked questions

What is CAPEC-275?

How does a DNS Rebinding attack work?

How do you prevent CAPEC-275?

What weaknesses does CAPEC-275 target?

How severe is CAPEC-275?

References

Defend against CAPEC-275