-
Notifications
You must be signed in to change notification settings - Fork 71
Home
Welcome to the dref wiki!
dref (DNS Rebinding Exploitation Framework) is intended to facilitate research into DNS rebinding attacks and their potential applications to security assessments.
If you're not familiar with DNS rebinding, have a quick read of the Wikipedia page and check out Robert Hansen's breakdown of the attack on YouTube.
If you want to deploy dref proceed to the Setup section.
If you need help, or want to discuss dref and DNS rebinding come
Use responsibly.
There are several caveats to bypassing the Same-Origin Policy with dref.
DNS rebinding does not work:
- over HTTPS
- if services validate the Host header
The stable attack requires browsers to stay more than a minute on the website. The Fast Rebind mode triggers instantly on some browser/OS combinations, but is not guaranteed to work.
On top of this, various tricks used by dref (such as port scanning from a browser) are fidgety by nature. Your mileage may vary.