HSTS and its effect on sslstrip

[SilvaRizla]

Just been doing a little reading after running in to problems using sslstrip against gmail...

https://www.owasp.org/index.php/HTTP...sport_Security

It seems that the big boys are using a strict https policy supported by FF4 and Chrome (but not IE, obviously lol) which effectively renders sslstrip useless these days.

Should it not be possible to create an ettercap filter to strip the header before the victim should receive it?

[thaijames]

Thanks for the information.

sslstrip can already change or remove headers. Look into the python code and you will see that you can strip the headers before they get to the victim.

I could not find any examples of sites actually using this. I think that google and other famous sites are now hardwired to use https in the browser and don't need to use the Strict-Transport-Security

However if you are pentesting for a client that is using Strict-Transport-Security in their headers, it would be a simple matter to remove it by modifying some python code. If you an find an example of such a site using it. Then I would be willing to try to modify sslstrip.

Just been doing a little reading after running in to problems using sslstrip against gmail...

https://www.owasp.org/index.php/HTTP...sport_Security

It seems that the big boys are using a strict https policy supported by FF4 and Chrome (but not IE, obviously lol) which effectively renders sslstrip useless these days.

Should it not be possible to create an ettercap filter to strip the header before the victim should receive it?

[thaijames]

I did some further reading. The header can only be set in a secure connection, which means that you could not use sslstrip or ettercap to intercept and remove the headers. Which makes sense.

Here is some quotes from the specification:


If a UA receives more than one STS header field in a HTTP response
message over secure transport, then the UA MUST process only the
first such header field.

Otherwise:

o If an HTTP response is received over insecure transport, the UA
MUST ignore any present STS header field(s).

o The UA MUST ignore any STS header fields not conforming to the
grammar specified in Section 6.1 "Strict-Transport-Security HTTP
Response Header Field".


This would mean that a victim would only be vulnerable the very first time that they logged into that site, if that site also had an http version.
I would think that most secure sites nowdays only allow https and don't have an http version like they used to?

Of course sslstrip still works very well on sites like facebook and mobile versions of many sites as they usually have less strict security on mobile apps.

Thanks for the information.

sslstrip can already change or remove headers. Look into the python code and you will see that you can strip the headers before they get to the victim.

I could not find any examples of sites actually using this. I think that google and other famous sites are now hardwired to use https in the browser and don't need to use the Strict-Transport-Security

However if you are pentesting for a client that is using Strict-Transport-Security in their headers, it would be a simple matter to remove it by modifying some python code. If you an find an example of such a site using it. Then I would be willing to try to modify sslstrip.

[stepking2]

I've also read up a little bit on this protocoll.
The first time the victim visits the website it can be vulnerable to SSLStrip, because the browser doesn't know if the website uses SSL.
Also, HSTS is included in the "HTTPS Everywhere" extension for FireFox.

But, what if th victim accepts a fake certificate, that would still work, right?

[skvitkromkalka]

Could anybody please answer to that question?
"what if th victim accepts a fake certificate, that would still work, right?"