
DNS rebinding attacks explained: The lookup is coming from inside the house!

My colleague Kevin Stubbs mentioned the topic of DNS rebinding attacks in a previous blog post. No worries if you haven't read it yet, though: in this article we'll walk you through the concept of DNS rebinding from scratch, demystify how it works, and explore why it's a serious browser-based security issue. We'll start by revisiting the same-origin policy, a fundamental part of web security, and show how DNS rebinding bypasses it. You'll see real-world scenarios where attackers can use this technique to reach internal applications running on your local machine or network, even when those apps were never meant to be publicly reachable. We'll dive into a real vulnerability in the Deluge BitTorrent client, explaining exactly how DNS rebinding could have been used to read arbitrary files from a local system. Finally, we'll go over practical steps you can take to protect yourself or your application from this often-overlooked but potent attack vector.

Same-origin policy

Same-origin policy (SOP) is a cornerstone of browser security, introduced by Netscape in 1995. The idea behind it is simple: scripts from webpages of one origin should not be able to access data from a webpage of another origin. For example, nobody wants arbitrary webpages to be able to read their currently logged-in webmail. So that one website can be distinguished from the next, each origin is defined by a combination of protocol (scheme), host (DNS name), and port number. Any mismatch in these three parts makes…

