[OrangeTux]

Very interesting write up! But how likely is it to have control over the DNS-server someone uses? You either need to setup a malicious one and let the victim use your server. Or you've to hack the DNS-server the victim already is using.

[matharmin]

This attack doesn't need control over the victim's DNS server. It uses attacker-controlled domain names to access private IPs via XHR. The DNS rebinding bypasses the standard CORS protection (without this protection the attacker could've used the IP directly). This attack is very easy to protect against (validate the Host header), but lots of IOT devices don't do this.