~/anand/writeups $ cat blind-ssrf-via-dns-rebinding.md
blind ssrf via dns rebinding
============================
april 2022 · ssrf · dns rebinding
blind ssrf via dns rebinding is a technique where an attacker leverages a server's backend url-fetching functionality and uses dns tricks to pivot into internal systems.
the "blind" part refers to the lack of direct response from the vulnerable server — internal enumeration has to be inferred through side channels like response timing.
steps to reproduce
------------------
- capture a request to:
https://api.target.com/vendor/v3/external_registry - generate a payload using the rebinder tool — example:
7f000001.ac14000a.rbndr.us - insert the payload into the
endpointparameter - send the request via burp intruder
- use
01–154as payloads to hit192.168.0.1→192.168.0.153 - monitor response timing — longer delays suggest internal resolution
impact
------
this vulnerability allowed internal ip enumeration via dns rebinding and blind ssrf behavior — surfacing hosts on the internal network without direct response leakage.
timeline
--------
- march 28, 2022 — initial report submitted
- march 30, 2022 — response: 192.168.0.0/24 not in use
- march 31, 2022 — tested class a ips; anomalies confirmed
- april 1, 2022 — report accepted and bounty awarded