blind ssrf via dns rebinding

blind ssrf via dns rebinding is a technique where an attacker leverages a server’s backend URL-fetching functionality and uses DNS tricks to pivot into internal systems...

The “blind” part refers to the lack of direct response from the vulnerable server...

steps to reproduce

  1. Capture a request to: https://api.target.com/vendor/v3/external_registry
  2. Generate a payload using: rebinder tool
    Example: 7f000001.ac14000a.rbndr.us
  3. Insert the payload into the endpoint parameter
  4. Send the request via Burp Intruder
  5. Use 01–154 as payloads to hit 192.168.0.1–192.168.0.153
  6. Monitor response timing — longer delays suggest internal resolution
[Screenshot: Burp Intruder results, showing response timings]

[Screenshot: rebinding payloads]

impact

This vulnerability allowed internal IP enumeration via DNS rebinding and blind SSRF behavior...
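As an added, defender-side example that is not code from the original report or the target: a Python guard for a backend URL fetcher. It resolves the hostname once, rejects the request if any returned address is internal, and hands back a pinned IP plus the Host header, so the connection is made to the validated address and no second lookup (the step a rebinder relies on) takes place. It also includes a small log check that decodes eight-hex-character labels of the kind seen in the payload above (`7f000001` is 127.0.0.1, `ac14000a` is 172.20.0.10). All function names, the injectable `resolver` parameter and the sample addresses are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical helper module; not the vulnerable service's own code.

# Ranges a backend fetcher should never reach, plus anything ipaddress itself
# classifies as private/loopback/link-local/reserved.
BLOCKED_NETS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]


def is_internal(ip_text):
    """True if the address must not be contacted by the URL fetcher."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in BLOCKED_NETS):
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def default_resolver(host):
    """All A/AAAA answers for host, deduplicated (real DNS; used outside tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def pin_outbound_target(url, resolver=default_resolver):
    """Validate url and return (pinned_ip, port, path, headers) for the fetch.

    Every address the name resolves to must be external. A rebinding host that
    answers with one public and one internal address is rejected outright, and
    the caller connects to pinned_ip rather than re-resolving the name.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        # A literal IP in the URL is checked directly, no DNS involved.
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = resolver(host)
    if not ips:
        raise ValueError("no A/AAAA records for %s" % host)
    internal = [ip for ip in ips if is_internal(ip)]
    if internal:
        raise ValueError("%s resolves to internal address(es): %s" % (host, internal))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    # Keep the original name in Host so virtual hosting still works on the pinned IP.
    host_header = host if port in (80, 443) else "%s:%d" % (host, port)
    return ips[0], port, path, {"Host": host_header}


def decode_hex_octet_labels(hostname):
    """Detection aid for outbound-fetch logs: decode 8-hex-char labels to IPs.

    '7f000001.ac14000a.rbndr.us' -> ['127.0.0.1', '172.20.0.10']; a label that
    decodes to an internal address is a strong sign of a rebinding probe.
    """
    found = []
    for label in hostname.lower().split("."):
        if len(label) == 8 and all(c in "0123456789abcdef" for c in label):
            found.append(str(ipaddress.ip_address(int(label, 16))))
    return found
```

The fetcher then opens its socket to the returned IP and sends the returned Host header; redirects must be disabled or run back through the guard on every hop, since a 3xx to an internal name bypasses a one-time check. For the timing signal the report relies on in step 6, the service should also return the same error and comparable latency for blocked and unreachable targets, so that reachability of internal hosts is not leaked through the response clock.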

timeline