Unveiling the Stealth of DNS Rebinding - Bypassing SSRF Protection
Introduction:
In the realm of web application security, Server-Side Request Forgery (SSRF) poses a significant threat. To counter this vulnerability, developers often implement safeguards to restrict requests to private IP addresses. However, cunning attackers have discovered an ingenious technique called DNS rebinding to bypass these protection mechanisms. In this blog, we will delve into the intricacies of DNS rebinding and explore a real-life example of how it can be used to circumvent SSRF protection in a generic web server application.
Understanding DNS Rebinding:
DNS rebinding is a technique that manipulates the Domain Name System (DNS) resolution process to deceive a web server into making unintended requests to malicious domains. By exploiting the inherent design of DNS, attackers can mislead the server into treating external IP addresses as internal ones, thus bypassing security measures.
The Web Server’s Protection:
Let’s consider a generic web server application hosted on AWS and the domain example.com. This server is equipped with an SSRF protection mechanism that restricts requests to private IP addresses, aiming to prevent unauthorized access to internal resources. The protection mechanism includes the following code snippet:
import ipaddress
from urllib.parse import urlparse
import requests
def valid_ip(ip):
try:
result = ipaddress.ip_address(ip)
return result==True
except:
return False
def get(url, recursive_count=0):
r = requests.get(url)
return r.text
app = Flask(__name__)
@app.route('/fetch-image', methods=['GET'])
def fetch_image():
url = request.form.get('url')
# DNS rebinding bypass
if not valid_ip(urlparse(url).netloc):
return "Access denied!"
response = get(url)
return response
DNS Rebinding Bypass:
Now, let’s explore how an attacker can bypass the SSRF protection implemented in our generic web server application using DNS rebinding.
To accomplish this, the attacker strategically manipulates the DNS entries associated with their controlled domains. By adding the following two A records to the DNS entry:
Type Hostname Value
A dr3dd.xyz 169.254.169.254
A dr3dd.xyz 53.45.124.31
The attacker configures the domain dr3dd.xyz to resolve to both the loopback address (169.254.169.254) and an external server under their control (53.45.124.31).
Exploiting the Web Server:
With the DNS entries in place, the attacker proceeds to deceive the web server into making internal requests to their controlled domains. They provide a crafted URL to the server, such as http://example.com/fetch-image?url=http://dr3dd.xyz/latest/meta-data/iam/security-credentials/testcreds.
As the server processes the request, it performs ip blacklist check via resolving the DNS in valid_ip function. In this case if attacker domain resolves ip to 53.45.124.31 then it will allow it. But next when server invoke get function at this time the attacker domain manipulate the resolution ip to 169.254.169.254 and make internal request.
The SSRF protection mechanism fails to detect the manipulation, as the attacker’s controlled domain appears to be a legitimate IP address within the private range. Consequently, the web server unknowingly makes internal requests to the attacker’s malicious domains, granting unauthorized access to sensitive data.
Bypass Success: Obtaining the Flag:
Through persistent attempts, the attacker successfully bypasses the SSRF protection mechanism using DNS rebinding. As a result, they gain access to internal resources and achieve their objective. In this case, the attacker obtains a flag, highlighting the severity of the bypass.
Mitigating DNS Rebinding Attacks:
To safeguard web applications against DNS rebinding attacks and reinforce SSRF protection, developers can implement the following countermeasures:
Whitelist Valid Hostnames: Maintain a whitelist of trusted hostnames or IP addresses that the server is allowed to access. Ensure that requests are only made to these approved entities.
Validate DNS Resolution: Perform thorough validation of DNS resolutions before making requests. Verify that the resolved IP addresses belong to the expected range of private or trusted addresses.
Implement Time-to-Live (TTL) Checks: Set a reasonable TTL for DNS resolutions and perform regular checks. This helps detect and prevent malicious DNS changes in a timely manner.
Origin Validation: Verify that the hostname or IP address of the requested resource matches the expected origin or target. This prevents requests to unintended destinations.
Rate Limiting and Monitoring: Implement rate limiting mechanisms to detect and block suspicious or excessive requests originating from a single source. Regularly monitor and analyze server logs for any signs of DNS rebinding attacks.
By incorporating these defensive measures into the web server’s codebase, developers can effectively mitigate the risks associated with DNS rebinding attacks and enhance the security of their applications.
Conclusion:
The DNS rebinding technique presents a formidable challenge when it comes to protecting web servers from SSRF attacks
Let me know what you think of this article on twitter @0xdr3dd or leave a comment below!