Thread: HSTS and its effect on sslstrip

  1. #1 SilvaRizla
    Junior Member, joined Aug 2009, 27 posts

    HSTS and its effect on sslstrip

    Just been doing a little reading after running into problems using sslstrip against gmail...

    https://www.owasp.org/index.php/HTTP...sport_Security

    It seems that the big boys are using a strict https policy supported by FF4 and Chrome (but not IE, obviously lol) which effectively renders sslstrip useless these days.

    Should it not be possible to create an ettercap filter to strip the header before the victim receives it?

  2. #2 thaijames
    Junior Member, joined Jan 2010, 40 posts

    Re: HSTS and its effect on sslstrip

    Thanks for the information.

    sslstrip can already change or remove headers. Look into the python code and you will see that you can strip the headers before they get to the victim.

    I could not find any examples of sites actually using this. I think that google and other famous sites are now hardwired to use https in the browser and don't need to use the Strict-Transport-Security header.

    However, if you are pentesting for a client that is using Strict-Transport-Security in their headers, it would be a simple matter to remove it by modifying some python code. If you can find an example of such a site using it, then I would be willing to try to modify sslstrip.


    Quote Originally Posted by SilvaRizla View Post
    Just been doing a little reading after running in to problems using sslstrip against gmail...

    https://www.owasp.org/index.php/HTTP...sport_Security

    It seems that the big boys are using a strict https policy supported by FF4 and Chrome (but not IE, obviously lol) which effectively renders sslstrip useless these days.

    Should it not be possible to create an ettercap filter to strip the header before the victim should receive it?

  3. #3
    Junior Member, joined Jan 2010, 40 posts

    Re: HSTS and its effect on sslstrip

    I did some further reading. The header can only be set in a secure connection, which means that you could not use sslstrip or ettercap to intercept and remove the headers, which makes sense.

    Here are some quotes from the specification:

    If a UA receives more than one STS header field in a HTTP response
    message over secure transport, then the UA MUST process only the
    first such header field.

    Otherwise:

    o If an HTTP response is received over insecure transport, the UA
    MUST ignore any present STS header field(s).

    o The UA MUST ignore any STS header fields not conforming to the
    grammar specified in Section 6.1 "Strict-Transport-Security HTTP
    Response Header Field".

    This would mean that a victim would only be vulnerable the very first time that they logged into that site, if that site also had an http version.
    I would think that most secure sites nowadays only allow https and don't have an http version like they used to?

    Of course sslstrip still works very well on sites like facebook and mobile versions of many sites as they usually have less strict security on mobile apps.

    (quoting post #2 by thaijames)
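The spec rules quoted above (first STS field only, ignore over insecure transport, ignore malformed fields) as an added example that is not part of the original thread and is not sslstrip's or any browser's code: a small Python model of a browser's known-HSTS-host store, showing the first-visit window the post describes. The host names, header values and the `KnownHstsHosts` class are constructed for illustration.

```python
import re
import time
# Constructed model of a UA applying the STS rules quoted above (RFC 6797); added example, not sslstrip/browser code.
# Grammar: directives separated by ";", a value is a token or quoted-string.
_DIRECTIVE = re.compile(
    r'^\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)\s*(?:=\s*("?)([^";]*?)\2)?\s*$')

def parse_sts(value):
    """Return {'max_age': int, 'include_subdomains': bool}, or None when the
    value does not conform (bad syntax, repeated directive, missing max-age)."""
    policy, seen = {"max_age": None, "include_subdomains": False}, set()
    for part in filter(str.strip, value.split(";")):
        m = _DIRECTIVE.match(part)
        if not m or m.group(1).lower() in seen:
            return None
        name, val = m.group(1).lower(), m.group(3)
        seen.add(name)
        if name == "max-age":
            if val is None or not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True  # other directives are ignored
    return policy if policy["max_age"] is not None else None

class KnownHstsHosts:
    """Simulated UA store of known HSTS hosts, keyed by host name (hypothetical)."""
    def __init__(self, now=time.time):
        self._hosts, self._now = {}, now

    def process_response(self, host, secure_transport, headers):
        """headers: list of (name, value) in wire order; True if store changed."""
        if not secure_transport:
            return False                      # MUST ignore STS over insecure transport
        sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
        policy = parse_sts(sts[0]) if sts else None   # only the FIRST field counts
        if policy is None:
            return False                      # absent or non-conforming: ignored
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)       # max-age=0 deletes the entry
        else:
            self._hosts[host] = (self._now() + policy["max_age"],
                                 policy["include_subdomains"])
        return True

    def must_use_https(self, host):
        """True if the UA would rewrite a plain-http request to host to https."""
        now = self._now()
        return any(exp > now and (host == k or (subs and host.endswith("." + k)))
                   for k, (exp, subs) in self._hosts.items())
```

A first response over plain http leaves the store empty, so the UA would follow http; once a genuine https response has been processed, removing the header from later downgraded responses changes nothing until max-age expires.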

  4. #4 stepking2
    Member, joined May 2012, 83 posts

    Re: HSTS and its effect on sslstrip

    I've also read up a little bit on this protocol.
    The first time the victim visits the website it can be vulnerable to SSLStrip, because the browser doesn't know if the website uses SSL.
    Also, HSTS is included in the "HTTPS Everywhere" extension for Firefox.

    But, what if the victim accepts a fake certificate, that would still work, right?

  5. #5
    Just burned their ISO, joined Dec 2009, 7 posts

    Re: HSTS and its effect on sslstrip

    Could anybody please answer that question?
    "what if the victim accepts a fake certificate, that would still work, right?"
