Inspired by @tavisio. This project is meant to be an all-in-one toolkit to test further DNS rebinding attacks and my take on understanding this kind of attack. It consists of a web server and a pseudo DNS server that only responds to A queries. The root index of the web server allows you to configure and run the attack with a rudimentary web GUI. See dnsrebindtool.43z.one.

A basic nginx config to host the web server:

```nginx
server {
    listen 80;
    server_name dnsrebindtool.43z.one;
    location / {
        proxy_pass http://localhost:5000;
    }
}
```

The `/attack` route of the web server reads the GET parameter `script`, which should contain base64-encoded JavaScript, and responds with the decoded code (wrapped in a `setTimeout`) embedded in a regular HTML page.

```
% curl "http://dnsrebindtool.43z.one/attack?script=YWxlcnQoMSk="
<html>
<script>
setTimeout(function(){
alert(1)
}, 3000)
</script>
</html
```

Within my registrar for the domain 43z.one I set up an NS record for the subdomain `rebind` to point to the IP where this tool is hosted:

```
ns      A   81.4.124.10
rebind  NS  ns.43z.one
```

The DNS server responds only to A queries in this format:

```
evcmxfm4g . 81-4-124-10 . 127-0-0-1 . rebind.43z.one
```

The first part (subdomain) is just some random id and should be generated for every attack session (the web GUI does this on every reload). Second comes the IP the DNS server should respond with for the next 2 seconds, and third the IP the server should respond with after that…
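The two-phase answer pattern above (a public IP first, then an internal one after the TTL window) is exactly what resolver-side rebinding protection looks for; dnsmasq's `--stop-dns-rebind` is the deployed form of this idea. The following is an added example, not part of this tool, showing a minimal filter of that kind in Python: it drops A answers in private, loopback or link-local ranges for any name outside an explicitly trusted internal zone, and raises an alert when a name that previously resolved to a public address suddenly returns an internal one. The hostname, the internal zone `corp.example` and the answer sequence are constructed for the demo.

```python
"""Resolver-side DNS rebinding filter (added example; not part of dnsrebindtool)."""
import ipaddress


def is_internal(ip: str) -> bool:
    """True for addresses a public name should never legitimately resolve to."""
    addr = ipaddress.ip_address(ip)
    return (
        addr.is_private        # RFC 1918, 169.254/16, 0.0.0.0/8, ...
        or addr.is_loopback    # 127.0.0.0/8
        or addr.is_link_local  # cloud metadata endpoints live here
        or addr.is_unspecified
    )


class RebindGuard:
    """Filters A answers and remembers what each name resolved to before."""

    def __init__(self, internal_zones=()):
        # Zones that are allowed to hand out internal addresses (e.g. a corp domain).
        self.internal_zones = tuple(z.lower().rstrip(".") + "." for z in internal_zones)
        self.seen = {}  # name -> set of answers already accepted for that name

    def filter_answer(self, name: str, answers):
        """Return the answers to pass on, the ones dropped, and any alerts raised."""
        name = name.lower().rstrip(".") + "."
        trusted = name.endswith(self.internal_zones)
        kept, dropped, alerts = [], [], []
        for ip in answers:
            if is_internal(ip) and not trusted:
                dropped.append(ip)
                previous = self.seen.get(name)
                if previous:
                    # The rebinding signature: public first, internal on re-resolution.
                    alerts.append(
                        f"rebind-flip: {name} previously resolved to "
                        f"{sorted(previous)}, now answers {ip}"
                    )
                else:
                    alerts.append(f"internal-answer: {name} -> {ip} blocked")
            else:
                kept.append(ip)
        self.seen.setdefault(name, set()).update(kept)
        return {"kept": kept, "dropped": dropped, "alerts": alerts}


# Constructed sample: the two-phase answer sequence described in the README,
# plus a trusted internal zone that is allowed to return a private address.
SAMPLE_ANSWERS = [
    ("evcmxfm4g.81-4-124-10.127-0-0-1.rebind.43z.one", ["81.4.124.10"]),
    ("evcmxfm4g.81-4-124-10.127-0-0-1.rebind.43z.one", ["127.0.0.1"]),
    ("intranet.corp.example", ["10.0.0.5"]),
]


def run_sample():
    """Feed the constructed answers through one guard instance in order."""
    guard = RebindGuard(internal_zones=["corp.example"])
    return [guard.filter_answer(name, answers) for name, answers in SAMPLE_ANSWERS]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The allowlist is the part that needs care in practice: split-horizon setups legitimately resolve internal names to private addresses, so the zone list has to be explicit rather than inferred, and the second answer in the sample is dropped even though the first was accepted, which is what breaks the attack's same-origin trick.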