# Payloads

## web-discover
The web-discover payload will fetch the browser's local IP address using WebRTC, and from there derive a /24 subnet.
It will proceed to use netmap.js to scan the subnet for live web services on ports 80 and 8080.
When the scan is complete, it will open "rebind iFrames", set the DNS records to point to the local services, and fetch the services' index pages.
It will POST the HTML responses back to dref, effectively exfiltrating data across origins.
The payload will take several minutes to run to completion.
Source: `dref/scripts/src/payloads/web-discover.js`

To configure the payload, edit `dref-config.yml`:

```yaml
general:
  domain: attack.com
  address: 1.2.3.4

targets:
  - target: "subdomain"
    script: "web-discover"
```
The payload can be triggered by visiting http://subdomain.attacker.com/.
## sysinfo

This payload does not use DNS rebinding. It simply exfiltrates information about the browser that may be of use to an attacker, such as version information, configuration, etc.

Source: `dref/scripts/src/payloads/sysinfo.js`

To configure the payload, edit `dref-config.yml`:

```yaml
general:
  domain: attack.com
  address: 1.2.3.4

targets:
  - target: "subdomain"
    script: "sysinfo"
```
The payload can be triggered by visiting http://subdomain.attacker.com/.
