GitBook: [#3153] No subject

This commit is contained in:
CPol 2022-04-30 03:02:38 +00:00 committed by gitbook-bot
parent 5af75c290a
commit 5a4f9d6a67
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 8 additions and 1 deletions

Binary file (image) not shown; size changed from 8.4 KiB to 17 KiB.


@ -331,12 +331,19 @@ Check out also the **publicly running server in** [**http://rebind.it/singularit
As it was explained in the previous section, **browsers** have the IPs of domains **cached more time** than the one specified in the TTL. However, there is a way to bypass this defence.
You can **create 2 A records** for the **same subdomain** in the **DNS provider** and when a browser checks for them he will get both.
You can **create 2 A records** (or **1 with 2 IPs**, depending on the provider) for the **same subdomain** in the **DNS provider** and when a browser checks for them he will get both.
Now, if the **browser** decides to **use** the **attacker IP address first**, the **attacker** will be able to **serve** the **payload** that will **perform HTTP requests** to the same **domain**. However, now that the attacker knows the IP of the victim, **he will stop answering the victim browser**.
When the browser finds that the **domain isn't responding** to him, it will **use the second given IP**, so he will **access a different place bypassing SOP**. The attacker can abuse that to **get the information and exfiltrate it**.
{% hint style="warning" %}
Note that in order to access localhost you should try to rebind 127.0.0.1 in Windows and 0.0.0.0 in linux.\
Providers such as godaddy or cloudflare didn't allow me to use the ip 0.0.0.0, but AWS route53 allowed me to create one A record with 2 IPs being one of them "0.0.0.0"
![](<../.gitbook/assets/image (638).png>)
{% endhint %}
![](<../.gitbook/assets/image (620).png>)
For more info you can check [https://unit42.paloaltonetworks.com/dns-rebinding/](https://unit42.paloaltonetworks.com/dns-rebinding/)
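Review bot: the new hint ("try to rebind 127.0.0.1 in Windows and 0.0.0.0 in linux") states which address to use per OS but not why, and the reason matters for anyone debugging a failed rebind: on Linux a connection to 0.0.0.0 is delivered to the loopback interface, while Windows does not treat 0.0.0.0 as a connectable address, so only 127.0.0.1 works there. Suggest adding that one sentence to the hint. Two further points in the same region: the Route53 remark ("one A record with 2 IPs being one of them 0.0.0.0") is a provider-specific observation, so it would help to say that the only requirement is that the resolver returns both addresses, however the provider models it, which is also what the rewritten line "(or 1 with 2 IPs, depending on the provider)" implies. And the step "he will stop answering the victim browser" is doing a lot of work: the fallback to the second IP is triggered by a connection failure, so the attacker host should actively refuse connections (close the port) rather than silently drop packets, otherwise the browser waits for a timeout before trying the second address and the attack becomes slow and unreliable. A short caveat on that, next to the existing "if the browser decides to use the attacker IP address first" qualifier, would make the section accurate about when the bypass succeeds.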