In a DNS Rebinding attack, a malicious webpage runs client-side script when it is loaded, to attack endpoints within a given network.
What is DNS Rebinding attack?
DNS Rebinding can be summarized as follows.
- An unsuspecting victim is tricked into loading
rebinding.networkwhich is resolved by a DNS server controlled by a malicious entity.
- Victims web browser sends a DNS query
gets the real IP address,
http://rebinding.network. This DNS server also sets a very short TTL value ( say 1 second ) on the response so that the client won’t cache this response for long.
- The script on this webpage
cannot attack services running in local network
due to CORS restrictions imposed by
victims web browser.
it starts sending a suspicious POST request
http://rebinding.network/setup/rebootwith a JSON payload
- First few requests are indeed sent to
220.127.116.11(real IP address), with the DNS info from the cache, but then the browser sends out a DNS query for
rebinding.networkwhen it observes that the cache has gone stale.
- When the malicious DNS server
gets the request for a second time,
instead of responding with
18.104.22.168(which is the real IP address of
rebinding.network), it responds with
192.168.1.90, an address at which, a poorly secured smart device runs.
Using this exploit, an attacker is able to factory-reset a device which relied on security provided by local network.
This attack is explained in much more detail in this blog post.
How does it affect Rails?
Rails’s web console was particularly vulnerable to a Remote Code Execution (RCE) via a DNS Rebinding.
In this blog post, Ben Murphy goes into technical details of exploiting this vulnerability to open Calculator app (only works in OS X).
How does Rails 6 mitigate DNS Rebinding?
Rails mitigates DNS Rebinding attack by maintaining a whitelist of domains from which it can receive requests. This is achieved with a new HostAuthorization middleware. This middleware leverages the fact that HOST request header is a forbidden header.
In the above example, Rails would render a blocked host template, if it receives requests from domains outside of above whitelist.
In development environment,
default whitelist includes
::0 (CIDR notations for IPv4 and IPv6 default routes)
For all other environments,
config.hosts is empty
host header checks are not done.