
Using Payloads

alxk edited this page Sep 1, 2018 · 11 revisions

The configuration file

Payload configuration is currently defined in the dref-config.yml file located in the project's root directory.

The default configuration file looks like this:

general:
  domain: attacker.com
  address: 1.2.3.4

targets:
  - target: "demo"
    script: "web-discover"

The targets section of the configuration is a list of YAML "target" objects. These are the payloads that are configured to be delivered by dref.

The target key serves a couple of purposes internally, but it is mainly the subdomain that delivers the payload.

The script key is the payload script that will be delivered when a user visits the target subdomain. These are defined in dref/scripts/src/payloads/.

In plain English the configuration above says:

When a user visits http://demo.attacker.com/, deliver the payloads/web-discover.js script.

Changing the configuration file

At this point, the Docker environment has to be restarted to reflect changes made to the dref-config.yml file:

$ docker-compose down
$ docker-compose up -d

Payload configuration keys

Key (Type): Description

target (String): Target subdomain that will deliver the initial payload. Must be a valid subdomain string.

script (String): Payload delivered by the target subdomain. Must be a JavaScript file located in dref/scripts/src/payloads/.

hang (Boolean): Whether or not dref should cause the browser to "hang" by making it request a file that will not be delivered in full. This can be useful to trick an automated driver like Selenium into believing the page has not fully loaded, ensuring payloads will have time to run.

fastRebind (Boolean): Whether or not dref should use the "dual A record" method for DNS rebinding, allowing for near-instant DNS rebinding attacks. This attack is inconsistent between browsers/OSs and, at the moment, works half of the time on affected browsers/OSs (improving this is on the agenda).

args (Object): Valid YAML sub-object containing arguments to be passed to the script. These arguments will be accessible to the script payload as globals under window.args. Must be a valid YAML object.
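A configuration check written for this page (not dref's own code): it takes dref-config.yml already parsed into an object by a YAML library such as js-yaml (assumed) and reports entries that violate the key table above, so mistakes surface before the Docker environment is restarted. The subdomain regex, the rejection of path separators in script, and the duplicate-target check are assumptions layered on what the table states.

```javascript
// Added example (not dref's own code): validate a parsed dref-config.yml
// against the payload key table. Parsing the YAML itself is left to js-yaml (assumed).
// One DNS label: letters, digits, inner hyphens, at most 63 characters.
const SUBDOMAIN_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;
// Bare payload name, optionally with .js; path separators are rejected so the value
// cannot point outside dref/scripts/src/payloads/ (assumed hardening, not dref's check).
const SCRIPT_RE = /^[A-Za-z0-9_-]+(?:\.js)?$/;
const KNOWN_KEYS = new Set(['target', 'script', 'hang', 'fastRebind', 'args']);
// The default configuration from above, as a constructed JS object.
const DEFAULT_CONFIG = {
  general: { domain: 'attacker.com', address: '1.2.3.4' },
  targets: [{ target: 'demo', script: 'web-discover' }],
};
// Returns a list of problems; an empty list means the configuration is acceptable.
function validateConfig(cfg) {
  const errors = [];
  if (!cfg || typeof cfg !== 'object' || Array.isArray(cfg)) return ['config must be a YAML mapping'];
  const general = cfg.general || {};
  for (const key of ['domain', 'address']) {
    if (typeof general[key] !== 'string' || general[key] === '') errors.push(`general.${key} must be a non-empty string`);
  }
  if (!Array.isArray(cfg.targets)) return errors.concat('targets must be a list');
  const seen = new Set(); // two entries on one subdomain would be ambiguous (assumption)
  cfg.targets.forEach((t, i) => {
    const where = `targets[${i}]`;
    if (!t || typeof t !== 'object') { errors.push(`${where} must be a mapping`); return; }
    if (typeof t.target !== 'string' || !SUBDOMAIN_RE.test(t.target)) {
      errors.push(`${where}.target must be a valid subdomain label`);
    } else if (seen.has(t.target.toLowerCase())) {
      errors.push(`${where}.target duplicates an earlier target`);
    } else {
      seen.add(t.target.toLowerCase());
    }
    if (typeof t.script !== 'string' || !SCRIPT_RE.test(t.script)) {
      errors.push(`${where}.script must be a bare file name in dref/scripts/src/payloads/`);
    }
    for (const key of ['hang', 'fastRebind']) {
      if (key in t && typeof t[key] !== 'boolean') errors.push(`${where}.${key} must be a boolean`);
    }
    if ('args' in t && (t.args === null || typeof t.args !== 'object' || Array.isArray(t.args))) {
      errors.push(`${where}.args must be a YAML mapping`);
    }
    for (const key of Object.keys(t)) {
      if (!KNOWN_KEYS.has(key)) errors.push(`${where}.${key} is not a known payload key`);
    }
  });
  return errors;
}
```

Running validateConfig(DEFAULT_CONFIG) returns an empty list; a misspelled key such as fastrebind or a non-boolean hang value is reported with the index of the offending target.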

Rebinding on other ports

By default dref allows you to rebind on the standard web ports 80, 8000, 8080 and 8888. This is controlled by the docker-compose port mapping for the api container in docker-compose.yml.

To support DNS rebinding on an additional port, add a mapping from that port on the host to port 80 in the api container by editing docker-compose.yml. For example, to support DNS rebinding on port 4000, the configuration would look like:

  api:
    image: node:9.11.1-alpine
    networks:
      - dref
    ports:
      - 0.0.0.0:4000:80