In a DNS Rebinding attack, a malicious webpage runs client-side script when it is loaded, to attack endpoints within a given network.
DNS Rebinding can be summarized as follows.
rebinding.network which is resolved by a DNS server controlled by a malicious entity.
http://rebinding.network. This DNS server also sets a very short TTL value (say 1 second) on the response so that the client won't cache this response for long.
http://rebinding.network/setup/reboot with a JSON payload
184.108.40.206 (real IP address), with the DNS info from the cache, but then the browser sends out a DNS query for rebinding.network when it observes that the cache has gone stale.
220.127.116.11 (which is the real IP address of rebinding.network), it responds with 192.168.1.90, an address at which a poorly secured smart device runs.
Using this exploit, an attacker is able to factory-reset a device which relied on the security provided by the local network.
This attack is explained in much more detail in this blog post.
Rails's web console was particularly vulnerable to Remote Code Execution (RCE) via DNS Rebinding.
In this blog post, Ben Murphy goes into the technical details of exploiting this vulnerability to open the Calculator app (works only on OS X).
Rails mitigates DNS Rebinding attacks by maintaining a whitelist of hosts for which it will accept requests. This is achieved with a new HostAuthorization middleware. This middleware leverages the fact that Host is a forbidden request header, so script running in the browser cannot set or override it: the value always reflects the name the browser actually requested.
```ruby
# taken from Rails documentation

# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << /.*\.product\.com/
```
In the above example, Rails would render a blocked host template if it receives a request whose Host header is outside the above whitelist.
In the development environment, the default whitelist includes 0.0.0.0/0, ::/0 (CIDR notations for IPv4 and IPv6 default routes)
For all other environments, config.hosts is empty and host header checks are not done.
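A minimal sketch of the kind of Host allowlist check described above, as an added example and not Rails's HostAuthorization source. HostGuard, status_for and the matching rules for plain strings, leading-dot entries, regexes and IP ranges are assumptions of this sketch.

```ruby
require "ipaddr"

# Added illustration; HostGuard is a hypothetical name, not Rails's middleware.
class HostGuard
  BLOCKED = [403, { "content-type" => "text/plain" }, ["Blocked host"]].freeze

  def initialize(app, allowed)
    @app = app
    @allowed = allowed
  end

  def call(env)
    # The browser fills in Host from the URL; page script cannot override it.
    host = env["HTTP_HOST"].to_s.downcase.sub(/:\d+\z/, "") # drop the port
    # An empty allowlist means no check at all, as described above.
    return @app.call(env) if @allowed.empty? || permitted?(host)
    BLOCKED
  end

  private

  def permitted?(host)
    return false if host.empty?
    @allowed.any? do |entry|
      case entry
      when Regexp then /\A#{entry}\z/.match?(host) # anchor: whole host must match
      when IPAddr then ip_in_range?(entry, host)
      when /\A\./ then host == entry[1..] || host.end_with?(entry) # ".product.com"
      else host == entry
      end
    end
  end

  def ip_in_range?(range, host)
    range.include?(IPAddr.new(host.delete("[]"))) # "[::1]" -> "::1"
  rescue IPAddr::Error
    false # Host is a name, not an IP literal
  end
end

APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }

# Constructed requests: only the Host header matters for this check.
def status_for(allowed, host)
  HostGuard.new(APP, allowed).call("HTTP_HOST" => host).first
end
```

With a `.product.com` allowlist, the rebound request still carries `Host: rebinding.network` and gets a 403, while an empty allowlist lets the same request through.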