GitBook: [master] one page modified

pentesting-web/ssrf-server-side-request-forgery.md

@@ -203,6 +203,27 @@ If the web page is automatically creating a PDF with some information you have p
 
 Create several sessions and try to download heavy files exploiting the SSRF from the sessions.
 
+### Abusing DNS Rebidding + TLS Session ID/Session ticket
+
+Requirements:
+
+* **SSRF**
+* **Outbound TLS sessions**
+* **Stuff on local ports**
+
+Attack:
+
+1. Ask the user/bot **access** a **domain** controlled by the **attacker**
+2. The **TTL** of the **DNS** is **0** sec \(so the victim will check the IP of the domain again soon\)
+3. A **TLS connection** is created between the victim and the domain of the attacker. The attacker introduces the **payload inside** the **Session ID or Session Ticket**.
+4. The **domain** will start an **infinite loop** of redirects against **himself**. The goal of this is to make the user/bot access the domain until it perform **again** a **DNS request** of the domain.
+5. In the DNS request a **private IP** address is given **now** \(127.0.0.1 for example\)
+6. The user/bot will try to **reestablish the TLS connection** and in order to do so it will **send** the **Session** ID/Ticket ID \(where the **payload** of the attacker was contained\). So congratulations you managed to ask the **user/bot attack himself**.
+
+Note that during this attack, if you want to attack localhost:11211 \(_memcache_\) you need to make the victim establish the initial connection with www.attacker.com:11211 \(the **port must always be the same**\).  
+To **perform this attack you can use the tool**: [https://github.com/jmdx/TLS-poison/](https://github.com/jmdx/TLS-poison/)  
+For **more information** take a look to the talk where this attack is explained: [https://www.youtube.com/watch?v=qGpAJxfADjo&ab\_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference)
+
 ## Exploitation in Cloud
 
 ### Abusing SSRF in AWS EC2 environment