Attackers still infiltrate internal networks by luring people into visiting malicious websites. However, as modern browsers are patched automatically and endpoint protection improves, depending on either a browser 0-day or on the victim clicking and deploying malware on their machine narrows the attacker's opportunities. But have you ever wondered how someone could obtain access to an internal network by relying only on the victim's browser as the main weapon?
In this talk, we will propose an attack concept that opens a whole new attack surface for infiltrating internal networks. The attack works even on the latest patched browsers and without deploying any malware. By combining and advancing existing concepts of JavaScript reconnaissance techniques and DNS rebinding attacks, internal applications can now be exposed to the outside world while the attack goes unnoticed.
We will explain how going from theory to practice requires overcoming several limitations of the current DNS rebinding attack. We will go through the steps of evolving the current possibilities into a full tunnel to internal network applications. We will tackle the challenges of handling all HTTP methods, proxying authentication, and downloading binaries via the tunnel.