DNS rebinding attacks explained: The lookup is coming from inside the house!
ID: d5fafe0d-f31d-5dec-baa9-4784e21a7c66
STIX ID: report--d5fafe0d-f31d-5dec-baa9-4784e21a7c66
Feed Name: GitHub Security Lab
This report explains DNS rebinding attacks and how they sidestep the browser's same-origin policy to reach services on localhost or the local network: the attacker's page keeps its own origin while the attacker's DNS name is re-pointed at the victim's internal address, so scripts from that page can talk to the local service. It then details a Deluge WebUI vulnerability (fixed in v2.2.0): an unauthenticated path traversal in the /js endpoint allowed arbitrary file reads, exposing configuration files that include salted SHA1 password hashes and session data. The report shows how DNS rebinding can be used to reach such a local service from a victim's browser and chain the file read into installing malicious plugins, and it concludes with practical mitigations: serve the WebUI over HTTPS, require strong authentication, and validate the Host header.
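The following is an added example, not code from the report or from the Deluge project, that models the rebinding sequence the summary describes and shows why Host header validation stops it: the browser's TCP connection follows DNS, but the Host header (and the page origin) stay pinned to the attacker's domain. The DNS stand-in, the domain rebind.attacker.example, the address 203.0.113.10 and the listen port 8112 are all constructed for the example; the allow-list check is a generic one, not Deluge's implementation.

```python
import ipaddress
from urllib.parse import urlsplit

# Names a local web UI can accept without any configuration.
LOOPBACK_NAMES = {"localhost", "localhost."}


def parse_host_header(value):
    """Split a Host header into (hostname, port); port is None when absent.
    Returns None for anything malformed (empty, bad port, embedded path)."""
    if not value:
        return None
    try:
        # urlsplit understands bracketed IPv6 literals such as [::1]:8112
        parts = urlsplit("//" + value.strip())
        host, port = parts.hostname, parts.port   # .port raises on "abc"
    except ValueError:
        return None
    if host is None or parts.path or parts.query or parts.fragment:
        return None
    return host, port


def host_allowed(host_header, allowed_hosts, listen_port):
    """Allow-list check of the kind the report recommends (generic, not Deluge's).
    Loopback names and addresses are always fine; any other name or address
    must have been configured explicitly by the operator."""
    parsed = parse_host_header(host_header)
    if parsed is None:
        return False
    host, port = parsed
    if port is not None and port != listen_port:
        return False
    if host in LOOPBACK_NAMES:
        return True
    configured = {h.lower() for h in allowed_hosts}
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in configured            # a DNS name: must be configured
    return addr.is_loopback or host in configured


class RebindingDns:
    """Constructed stand-in for an attacker-controlled authoritative server:
    the first answer is the attacker's own host, every later answer (after a
    very short TTL) is the loopback address of the victim's machine."""

    def __init__(self, name, first_ip, rebind_ip):
        self.name = name
        self.answers = [first_ip, rebind_ip]
        self.queries = 0

    def resolve(self, name):
        if name != self.name:
            raise LookupError(name)
        ip = self.answers[min(self.queries, len(self.answers) - 1)]
        self.queries += 1
        return ip


def browser_request(dns, origin_host, port, path):
    """What the browser puts on the wire: the TCP destination comes from DNS,
    but the Host header is always the hostname of the page's origin."""
    return {
        "connect_to": dns.resolve(origin_host),
        "host_header": f"{origin_host}:{port}",
        "path": path,
    }


def simulate_rebinding(listen_port=8112, allowed_hosts=()):
    """Two requests from the attacker's page. The first loads the page from the
    attacker's server; the second, issued by its script after the TTL expires,
    lands on 127.0.0.1 where the local web UI listens."""
    dns = RebindingDns("rebind.attacker.example", "203.0.113.10", "127.0.0.1")
    results = []
    for path in ("/", "/json"):
        req = browser_request(dns, "rebind.attacker.example", listen_port, path)
        reached_local = req["connect_to"] == "127.0.0.1"
        # A service that ignores Host serves the rebound request like any other.
        req["served_without_host_check"] = reached_local
        # A service that validates Host sees the attacker's domain and refuses.
        req["served_with_host_check"] = reached_local and host_allowed(
            req["host_header"], allowed_hosts, listen_port)
        results.append(req)
    return results


if __name__ == "__main__":
    for r in simulate_rebinding():
        print(r)
    print("operator at localhost:", host_allowed("localhost:8112", (), 8112))
```

Note that the check compares the Host header against names the operator chose, not against the connecting IP: the rebound request arrives from the same browser on the same machine as a legitimate one, so the destination address carries no signal, and only the Host header (or a mismatched port) reveals that the request was issued under a foreign origin.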
