Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
Welcome to the dref wiki!
dref (DNS Rebinding Exploitation Framework) is intended to facilitate research into DNS rebinding attacks and their potential applications to security assessments.
If you're not familiar with DNS rebinding, have a quick read of the Wikipedia page and check out Robert Hansen's breakdown of the attack on YouTube.
If you want to deploy dref proceed to the Setup section.
There are several caveats to bypassing the Same-Origin Policy with dref.
DNS rebinding does not work:
- over HTTPS
- if services validate the Host header
The stable attack requires browsers to stay more than a minute on the website. The Fast Rebind mode triggers instantly on some browser/OS combinations, but is not guaranteed to work.
On top of this, various tricks used by dref (such as port scanning from a browser) are fidgety by nature. Your mileage may vary.