Using Payloads

alxk edited this page Sep 1, 2018 · 11 revisions

The configuration file

Payload configuration is currently defined in the dref-config.yml file located in the project's root directory.

The default configuration file looks like this:

general:
  domain: attacker.com
  address: 1.2.3.4

targets:
  - target: "demo"
    script: "web-discover"

The targets section of the configuration is a list of YAML "target" objects. These are the payloads that are configured to be delivered by dref.

The target key serves a couple of purposes internally, but it is mainly the subdomain that delivers the payload.

The script key is the payload script that will be delivered when a user visits the target subdomain. These are defined in dref/scripts/src/payloads/.

In plain English the configuration above says:

When a user visits http://demo.attacker.com/ deliver the payloads/web-discover.js script.

Changing the configuration file

At this point, the Docker environment has to be restarted to reflect changes made to the dref-config.yml file:

$ docker-compose down
$ docker-compose up -d

Payload configuration keys

Key Type Description
target String Target subdomain that will deliver the initial payload. Must be a valid subdomain string.
script String Payload delivered by the target subdomain. Must be a JavaScript file located in dref/scripts/src/payloads/.
hang Boolean Whether or not dref should cause the browser to "hang" by making it request a file that will not be delivered in full. This can be useful to trick an automated driver like Selenium into believing the page has not fully loaded, ensuring payloads will have time to run.
fastRebind Boolean Whether or not dref should use the "dual A record" method for DNS rebinding, allowing for near-instant DNS rebinding attacks. This attack is inconsistent between browsers/OSs and, at the moment, works half of the time on affected browsers/OSs (improving this is on the agenda).
args Object Valid YAML sub-object containing arguments to be passed to the script. These arguments will be accessible to the script payload as globals under window.args. Must be a valid YAML object.

Rebinding on other ports

By default dref allows you to rebind on the standard web ports 80, 8000, 8080 and 8888. This is controlled by the docker-compose port mapping for the api container in docker-compose.yml.

To support DNS rebinding on an additional port, simply add a mapping from that port on the host to port 80 in the api container by editing docker-compose.yml. For example to support DNS rebinding on port 4000, the configuration would look like:

  api:
    image: node:9.11.1-alpine
    networks:
      - dref
    ports:
      - 0.0.0.0:4000:80
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.