This file demonstrates a vulnerability in Chrome's remote debugging implementation that enables websites to seize control of Chrome. The exploit consists of two parts:

1. Discover the port of the remote debugging server.
2. Use a DNS rebinding attack to obtain the secret needed to connect to the debugging server.

Instructions to run PoC

To demonstrate the attack, do the following:

Part 1: Discover the debugging port

1. Choose a port that you want to use for remote debugging, e.g. 1234.
2. Choose an IP address that resolves to the host that will act as the attacker, e.g. 127.0.0.2.
3. Edit /etc/hosts and resolve the dummy domain to your IP:
   127.0.0.2 attacker.example.com
4. Run server.js with Node.js to serve this file (index.html) on your chosen port (1234).
5. Start Chrome with the following flag: --remote-debugging-port=1234
6. Visit http://attacker.example.com:1234 - this is the entry point for a real attacker. (The port does not really matter here, but for convenience we reuse the port so the server only needs to listen on one port.)
7. The PoC will discover the port at 1234 and proceed to the second part.

Part 2: Simulate DNS rebinding

8. Edit /etc/hosts and add the following line:
   127.0.0.1 attacker.example.com
9. Return to the browser page at step 4, and wait for about a minute.