[web][Pro][medium]
Lab 89 — PingRadar — SSRF via DNS Rebinding (TOCTOU)
hackadvisor
Task: The PingRadar monitoring platform validates monitor URLs by resolving the hostname and checking the result against an IP blocklist at creation time, but it re-resolves DNS at check time (TOCTOU). The built-in DNS server supports round-robin A records with TTL=0.

Solution: Create a DNS zone with a round-robin A record alternating between a public IP (8.8.8.8) and 127.0.0.1, then create a monitor targeting http://ssrf.rebind.zone:3001/internal/flag. Validation passes when DNS returns the public IP; check execution hits localhost when DNS returns 127.0.0.1.
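The gap between the two lookups, and a fix that closes it, shown as an added example (not code from the writeup or from PingRadar). The function names and the injected resolver are hypothetical; the resolver is a constructed stand-in for the TTL=0 round-robin zone so the example runs offline.

```javascript
// Constructed stand-in for a TTL=0 round-robin zone: answers alternate per query.
// A real monitor would perform a DNS lookup here; it is injected so the demo runs offline.
function makeRoundRobinResolver(addresses) {
  let i = 0;
  return async (_hostname) => addresses[i++ % addresses.length];
}

// Demo blocklist (IPv4 only): unspecified, loopback, RFC 1918, link-local.
// Anything that is not a well-formed dotted quad is rejected (fail closed).
function isBlockedIp(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return true;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255)) return true;
  return a === 0 || a === 127 || a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Flawed pattern from the lab description: the blocklist sees one DNS answer,
// the HTTP client later resolves the name again and may get a different one.
async function naiveMonitor(url, resolve) {
  const { hostname } = new URL(url);
  const checkedIp = await resolve(hostname);   // time of check
  if (isBlockedIp(checkedIp)) throw new Error('blocked: ' + checkedIp);
  const connectIp = await resolve(hostname);   // time of use: second lookup
  return { checkedIp, connectIp };
}

// Hardened pattern: on every check run, resolve once, validate that answer,
// and connect to that exact address. The name is only sent as the Host header.
async function pinnedCheck(url, resolve) {
  const u = new URL(url);
  const ip = await resolve(u.hostname);
  if (isBlockedIp(ip)) throw new Error('blocked: ' + ip);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return {
    connectIp: ip,
    target: `${u.protocol}//${ip}:${port}${u.pathname}${u.search}`,
    headers: { Host: u.host },
  };
}
```

Redirects returned by the target need the same resolve-validate-pin treatment on every hop, and HTTPS targets need the original hostname passed for SNI and certificate verification.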
$ ls tags/ techniques/
tags: ssrf, toctou, nodejs, dns_rebinding, express, internal_service, url_validation, blocklist_bypass, axios, dns_round_robin, dns2
techniques: url_validation_bypass, internal_service_enumeration, dns_rebinding_toctou, round_robin_dns_ssrf, time_of_check_time_of_use