VERSION
Chrome Version: all
Operating System: all
REPRODUCTION CASE

dns rebind can bypass sop to send requests and get response from some website which visist use IP

for example ,i start a webserver at my pc
php -S 127.0.0.1:80

and then touch a file 
echo 'here is 127.0.0.1' into index.html

then write a poc file such as


<script src="https://cdn.bootcss.com/jquery/3.2.1/jquery.js"></script>
<script>
function bypass(){
	$.get('/index.html',function(data){alert(data);});
}
setTimeout("bypass();",65000);
</script>


and deploy the file on my vps
http://45.78.17.254/rebind.html

after that 
i can use dns rebind to bypass sop 

rebind.py will attach to the report

first dns was 45.78.17.254 and it's ttl=0
and later query will return 127.0.0.1
(dns rebind)

chrome's dns cache maybe 60s?
so i can settimeout to load source from other domain


i attach the file rebind.py 

you may search to know how to use it 
i'm so weak in english ....

some articles:
http://www.bendawang.site/article/%E5%85%B3%E4%BA%8EDNS-rebinding%E7%9A%84%E6%80%BB%E7%BB%93
https://ricterz.me/posts/Use%20DNS%20Rebinding%20to%20Bypass%20IP%20Restriction
https://en.wikipedia.org/wiki/DNS_rebinding

 

Deleted: rebind.py 1.1 KB

rebind.py 1.1 KB View Download