Testing for Vulnerable Services

sanktjodel edited this page Aug 14, 2019 · 2 revisions

Let's say you have a web application service listening on localhost:8080. How can you verify if this HTTP service is vulnerable to DNS rebinding?

The following requirements need to be satisfied to be able to exploit an HTTP service with a DNS rebinding attack:

  • The service needs to ignore the Host HTTP header or accept arbitrary values
  • The service needs to be available over plaintext HTTP (a service that only redirects to HTTPS/TLS cannot be attacked this way)
  • The service needs to be available either without authentication or with credentials the attacker knows or can guess (e.g. username and password)

Whether the service accepts arbitrary Host headers can be verified with a simple curl command:

curl --header 'Host: <arbitrary-hostname>' http://<vulnerable-service>:8080

If the vulnerable service is listening on port 8080 of the loopback interface and we use the rebind.it domain as the attacker domain, then the following command can be employed to test for the vulnerability:

curl --header 'Host: rebind.it' 127.0.0.1:8080

If the server returns the expected result (e.g. the regular web page), the service is vulnerable. If the server returns an error message (e.g. 404 or similar), the server most likely has protections in place that prevent DNS rebinding attacks.

Note: The server may only return non-sensitive data when the Host header contains unexpected values. Make sure that the server actually returns the desired content (e.g. http://<vulnerable-service>:8080/showPassword) before trying to exploit it.
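The curl check above, and the Host allow-list protection the 404 case indicates, side by side as an added example (this is not Singularity's or the tested service's code). The allowed hostnames (localhost and 127.0.0.1 on the bound port) and the rebind.it probe value are assumptions for the example; the server runs on an ephemeral loopback port so that the check can be run offline.

```python
# Added example: a local HTTP service with and without Host validation,
# plus a probe equivalent to `curl --header 'Host: rebind.it' 127.0.0.1:<port>`.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def make_handler(check_host):
    """check_host=False models a service that ignores the Host header
    (the vulnerable case); check_host=True adds the allow-list mitigation."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            port = self.server.server_port
            # Hostnames this service expects to be reached by (assumed).
            allowed = {f"localhost:{port}", f"127.0.0.1:{port}"}
            if check_host and self.headers.get("Host") not in allowed:
                # A rebound browser request still carries the attacker's
                # hostname in Host, so an allow-list rejects it.
                self.send_error(404, "Unknown Host")
                return
            body = b"regular web page"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the example quiet

    return Handler


def start_server(check_host):
    """Serve on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(check_host))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_port


def accepts_arbitrary_host(port, host_header="rebind.it"):
    """True when the service serves its page to a foreign Host value,
    i.e. the first requirement for DNS rebinding is met."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    status = conn.getresponse().status
    conn.close()
    return status == 200
```

Running `accepts_arbitrary_host` against the `check_host=False` server returns True (vulnerable), against the `check_host=True` server it returns False, while a request with the legitimate `127.0.0.1:<port>` Host value still gets the page.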