Blind SSRF via DNS Rebinding

Blind SSRF via DNS rebinding is a technique where an attacker leverages a server’s backend URL-fetching functionality and uses DNS tricks to pivot into internal systems. The DNS rebinding part works by resolving an attacker-controlled domain (e.g., payload.rbndr.us) to a public IP on the first lookup, and then switching to an internal IP (e.g., 127.0.0.1 or 192.168.x.x) once the DNS cache expires. This bypasses network-layer protections like IP whitelisting or NAT boundaries.

The "blind" part refers to the lack of direct response from the vulnerable server. The attacker infers internal access by monitoring side channels — such as response timing, status codes, or connection failures.
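The rebinding switch described above only works against a fetcher that resolves the hostname more than once: once when it checks the answer and again when it connects. The added example below (not part of the original write-up) contrasts that time-of-check/time-of-use pattern with the usual mitigation, resolving exactly once, rejecting internal, loopback, link-local and metadata addresses, and then connecting to the pinned IP while still sending the original name in the Host header. The hostnames and the rotating answers are constructed to simulate a rebinding domain offline; no real DNS lookups are made in the demonstration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample answers (not real hosts): a rebinding-style domain that
# answers with a public address on the first lookup and an internal one after
# the cache expires, the switch the write-up above describes.
REBINDING_ANSWERS = {
    "payload.example.invalid": ["1.2.3.4", "127.0.0.1"],
    "metadata.example.invalid": ["169.254.169.254"],
    "safe.example.invalid": ["1.2.3.4"],
}


def make_rebinding_resolver(table):
    """Build a resolver that returns successive answers per hostname,
    sticking on the last one once the list is exhausted."""
    position = {host: 0 for host in table}

    def resolve(host):
        answers = table[host]
        idx = position[host]
        position[host] = min(idx + 1, len(answers) - 1)
        return [answers[idx]]

    return resolve


def system_resolver(host):
    """Real DNS lookup via getaddrinfo; returns every A/AAAA answer."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_disallowed_ip(ip_text):
    """True for any address a URL fetcher should never reach: loopback,
    RFC 1918, link-local (which covers the 169.254.169.254 metadata
    endpoint), multicast, reserved and unspecified. IPv4-mapped IPv6
    addresses are unwrapped so ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def naive_connect_target(url, resolver=system_resolver):
    """The pattern rebinding defeats: validate the answer from one lookup,
    then look the name up again when connecting. Returns the IP the
    connection would actually go to."""
    host = urlsplit(url).hostname
    for ip in resolver(host):
        if is_disallowed_ip(ip):
            raise ValueError(f"blocked {host} -> {ip}")
    # Second lookup at connect time; with a short TTL this is the rebound answer.
    return resolver(host)[0]


def pinned_fetch_plan(url, resolver=system_resolver):
    """Hardened form: resolve exactly once, reject the request if any answer
    is disallowed, and return the IP to connect to together with the Host
    header to send. The fetcher connects to the pinned IP and never
    re-resolves, so a later rebinding answer is never consulted."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError("only absolute http(s) URLs with a host are allowed")
    answers = resolver(host)
    if not answers:
        raise ValueError(f"no DNS answer for {host}")
    for ip in answers:
        if is_disallowed_ip(ip):
            raise ValueError(f"blocked {host} -> {ip}")
    return {
        "ip": answers[0],
        "port": parts.port or (443 if parts.scheme == "https" else 80),
        "host_header": host,  # Host header and TLS SNI still carry the name
        "path": parts.path or "/",
    }


if __name__ == "__main__":
    url = "http://payload.example.invalid/"
    print("naive fetcher would connect to:",
          naive_connect_target(url, make_rebinding_resolver(REBINDING_ANSWERS)))
    print("pinned fetcher connects to:",
          pinned_fetch_plan(url, make_rebinding_resolver(REBINDING_ANSWERS)))
```

Two points a practitioner should carry over into a real fetcher: redirects must be re-validated with the same single-resolve check at every hop rather than followed automatically, and the rejection must happen before any socket is opened, so that blocked hosts produce no connection attempt and therefore none of the latency differences the write-up relies on.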

In this case, while testing the endpoint https://api.target.com/vendor/v3/external_registry, I supplied a rebinding payload in the endpoint parameter and used timing analysis to enumerate internal IPs. The results indicated the server made backend requests and likely resolved internal addresses.

Steps to Reproduce

  1. Capture a request to: https://api.target.com/vendor/v3/external_registry
  2. Generate a payload using: https://lock.cmpxchg8b.com/rebinder.html
    Example: 7f000001.ac14000a.rbndr.us
  3. Insert the payload into the endpoint parameter of the POST body.
  4. Send the request to Burp Intruder. Use the “Positions” tab to select two characters from the rebinding subdomain.
  5. Under “Payloads”, use numbers 01–154, representing 192.168.0.1 through 192.168.0.153.
  6. Launch the attack and monitor the “Response Completed” time. Increased latency suggests the server resolved or connected to internal targets.

Intruder Result Screenshot

[Screenshot: Burp Intruder results showing response timings]

Payload Screenshot

[Screenshot: rebinding payloads]

Impact

This vulnerability allowed internal IP enumeration via DNS rebinding and blind SSRF behavior. Although no response data was leaked, the ability to interact with internal infrastructure is a stepping stone to more serious attacks — especially when combined with metadata service access or open ports on internal services.

Timeline