Skip to content
alxk edited this page Jun 27, 2018 · 6 revisions

Introduction

Welcome to the dref wiki!

dref (DNS Rebinding Exploitation Framework) is intended to facilitate research into DNS rebinding attacks and their potential applications to security assessments.

If you're not familiar with DNS rebinding, have a quick read of the Wikipedia page and check out Robert Hansen's breakdown of the attack on YouTube.

If you want to deploy dref proceed to the Setup section.

If you need help, or want to discuss dref and DNS rebinding come chat on gitter

Use responsibly.

Limitations

There are several caveats to bypassing the Same-Origin policy with dref.

DNS rebinding:

  • does not work over HTTPS
  • does not work if services validate the Host header
  • requires browsers to stay up to several minutes on the website*

On top of this, various tricks used by dref (such as port scanning from a browser) are fidgety by nature. Your mileage may vary.

* this will improve soon

Clone this wiki locally