DNS Rebinding

The local-only admin server gates access on the `Host: localhost` header, but a short-TTL DNS record that flips between the attacker's IP and 127.0.0.1 lets a victim's browser reach the endpoint and bypass that gate.

CWE-350
Rebinding posture

Expected Findings

  • Admin endpoint trusts `Host: localhost` without checking the actual socket.
  • DNS record TTL is 5 seconds.
  • No `X-Frame-Options` or Private Network Access (PNA) header on the local endpoint.

Signals

Check

```go
if r.Host == "localhost:9000" { allowAdmin() }  // forgeable via rebinding
```
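As an added example (not code from the original page), a Go gate that addresses the three findings above: it checks the accepted socket's peer and local addresses before it looks at `Host`, holds `Host` to an exact allowlist, and sets `X-Frame-Options`. Port 9000 comes from the check above; the `/admin` path and the rebound third-party name mentioned in the comments are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// allowedHosts is the exact set of Host values the admin server answers to.
var allowedHosts = map[string]bool{"localhost:9000": true, "127.0.0.1:9000": true, "[::1]:9000": true}

func isLoopback(hostport string) bool {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

func adminRequestAllowed(r *http.Request) error {
	// Socket first: peer and accepted-local addresses come from the kernel, not from the page.
	if !isLoopback(r.RemoteAddr) {
		return fmt.Errorf("peer %q is not loopback", r.RemoteAddr)
	}
	if la, ok := r.Context().Value(http.LocalAddrContextKey).(net.Addr); ok && !isLoopback(la.String()) {
		return fmt.Errorf("accepted on non-loopback %q", la)
	}
	// Then an exact Host allowlist: a rebound third-party name (assumed) arrives in Host and is not listed.
	if !allowedHosts[strings.ToLower(r.Host)] {
		return fmt.Errorf("host %q not in allowlist", r.Host)
	}
	return nil
}

func adminHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Frame-Options", "DENY") // third finding: refuse framing
	if err := adminRequestAllowed(r); err != nil {
		http.Error(w, "forbidden: "+err.Error(), http.StatusForbidden)
		return
	}
	fmt.Fprintln(w, "admin ok")
}

func main() {
	http.HandleFunc("/admin", adminHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9000", nil)) // bind to loopback only, never 0.0.0.0
}
```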