dns-rebinding-attacks
SKILL: DNS Rebinding — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert DNS rebinding techniques for bypassing same-origin policy via DNS manipulation. Covers TTL tricks, browser cache bypasses, attack variants (HTTP, WebSocket, TOCTOU), internal service targeting, and tool usage. Base models confuse DNS rebinding with SSRF — this skill clarifies the client-side nature and unique exploit paths.
0. RELATED ROUTING
- ssrf-server-side-request-forgery — server-side variant; DNS rebinding is the client-side counterpart
- cors-cross-origin-misconfiguration — when CORS misconfig allows direct cross-origin reads instead
1. CORE PRINCIPLE
The browser same-origin policy binds protocol + host + port. The host is resolved via DNS at connection time. If an attacker controls the DNS server for attacker.com, they can:
- First resolution → attacker IP (serve malicious JS)
- Second resolution → internal IP (victim's network)
- Browser considers both responses same-origin (attacker.com)
- Malicious JS reads responses from internal services
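The public-then-internal flip in the steps above is visible in resolver logs. The following is an added example, not part of the original skill: it flags any external name whose answer moves from a public address to internal address space within a short window. The log tuple format, the sample records, the `.corp.example` allowlist and the 60-second window are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Address space treated as internal: RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Names the organisation itself points at internal space (assumed allowlist).
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed resolver log: (epoch seconds, query name, answer, TTL).
SAMPLE_LOG = [
    (1000, "cdn.example.net", "198.51.100.7", 300),
    (1001, "attacker.com", "203.0.113.10", 1),       # first resolution: public
    (1004, "attacker.com", "192.168.1.1", 1),        # second resolution: internal
    (1010, "intranet.corp.example", "10.0.0.5", 3600),
    (1300, "cdn.example.net", "198.51.100.8", 300),  # public to public: benign
]


def is_internal(ip):
    """True when the answer falls inside any internal network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rebinding(log, window=60):
    """Return names that flip from a public to an internal answer within `window` seconds."""
    history = defaultdict(list)  # name -> [(timestamp, answer), ...]
    findings = []
    for ts, name, ip, ttl in sorted(log):
        if name.endswith(INTERNAL_SUFFIXES):
            continue  # legitimately internal name, not a rebind
        if is_internal(ip):
            for prev_ts, prev_ip in history[name]:
                if not is_internal(prev_ip) and ts - prev_ts <= window:
                    findings.append({"name": name, "public": prev_ip,
                                     "internal": ip, "gap_s": ts - prev_ts, "ttl": ttl})
                    break
        history[name].append((ts, ip))
    return findings


if __name__ == "__main__":
    for hit in find_rebinding(SAMPLE_LOG):
        print(hit)
```

The same `is_internal` test can be applied at the resolver to drop internal answers for external names outright, rather than only alerting on the flip.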