Exploiting Missing HSTS

IBM PTC Security
5 min read · Aug 3, 2022

Hypertext Transfer Protocol (HTTP) is an application-layer protocol for transmitting hypermedia documents, such as HTML. It was designed for communication between web browsers and web servers.

HTTP headers let the client and the server pass additional information with an HTTP request or response.

HSTS (HTTP Strict Transport Security) is a policy mechanism that lets a web server declare that browsers may only interact with it over HTTPS, protecting the transport layer against interception and tampering. The server communicates the policy to the user agent in an HTTP response header field named "Strict-Transport-Security". A browser only honours the header when it arrives over an HTTPS connection with a valid certificate; on a plain HTTP response it is ignored. Once accepted, the policy is remembered for the time the header specifies.

HSTS was designed to protect against HTTP downgrade attacks. One such attack is performed with the sslstrip tool, which silently downgrades a victim's HTTPS connections to HTTP while the attacker keeps talking HTTPS to the real server.

HSTS Syntax:

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

A valid HSTS found in HTTP response headers:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Directive names are case-insensitive, but they must be written as a single token: "include Subdomains" with a space is not a valid directive, and a browser will either ignore it or reject the whole header, leaving the subdomains unprotected.

HSTS Directives

max-age=<expire-time>

The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS. The timer restarts every time the header is seen, and max-age=0 tells the browser to forget a previously stored policy.

includeSubDomains

If this optional directive is specified, the rule applies to all of the site's subdomains as well.

preload

An optional directive that signals the site owner's consent to having the domain built into the browsers' preload list (hstspreload.org), so that even a first visit from a fresh browser is forced onto HTTPS. It has no effect on its own; the domain still has to be submitted and accepted.

Requirements for HSTS (and for the preload list)

  • Have a valid certificate issued by a CA the browsers trust.
  • Redirect HTTP to HTTPS with a 301/302 redirect on every host, including the www subdomain, and serve all subdomains over HTTPS.
  • Serve a valid HSTS header on the HTTPS response (it is ignored on HTTP) that specifies how long the HSTS entry will be cached.
  • Get every directive right: max-age must not be poorly configured. For preloading it must be at least 31536000 seconds (1 year), and includeSubDomains and preload must both be present. Treat preload as a commitment: once a domain is in the built-in list, removal takes a long time to reach users, so every subdomain must be ready for HTTPS first.
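As an added example (not part of the original article), the following Python parses a Strict-Transport-Security value the way a browser does and checks it against the requirements listed above. The sample header values in the main block are constructed; they include the common mistakes of writing "include Subdomains" with a space, leaving a testing max-age of 300 in place, and an nginx "always" flag that ended up inside the quoted value. The helper names parse_hsts and preload_issues are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; the smallest max-age the preload list accepts

# RFC 6797: directives are separated by ";", names are case-insensitive tokens, and a value
# (only max-age has one) is a token or quoted-string. Whitespace inside a name is not allowed.
_DIRECTIVE_RE = re.compile(r'^\s*([\w!#$%&*+.^`|~-]+)\s*(?:=\s*("[^"]*"|[^\s;]+))?\s*$')


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value the way a browser would."""
    policy = HstsPolicy()
    seen = set()
    for part in value.split(";"):
        if not part.strip():
            continue                                  # tolerate a trailing ";"
        m = _DIRECTIVE_RE.match(part)
        if not m:
            policy.problems.append(f"unparseable directive {part.strip()!r}")
            continue
        name = m.group(1).lower()
        arg = m.group(2).strip('"') if m.group(2) else None
        if name in seen:                              # RFC 6797 forbids repeated directives
            policy.problems.append(f"duplicate directive {name!r}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg is None or not arg.isdigit():
                policy.problems.append("max-age needs a non-negative integer value")
            else:
                policy.max_age = int(arg)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.problems.append(f"unknown directive {name!r} ignored")
    if policy.max_age is None:
        policy.problems.append("max-age is required")
    return policy


def preload_issues(header_value: str, served_over_https: bool = True) -> List[str]:
    """Reasons the header fails the requirements listed above; an empty list means it passes."""
    issues = []
    if not served_over_https:
        issues.append("header must be delivered over HTTPS; browsers ignore HSTS on plain HTTP")
    p = parse_hsts(header_value)
    issues += p.problems
    if p.max_age == 0:
        issues.append("max-age=0 tells the browser to forget the policy")
    elif p.max_age is not None and p.max_age < ONE_YEAR:
        issues.append(f"max-age={p.max_age} is below {ONE_YEAR} (1 year)")
    if not p.include_subdomains:
        issues.append("includeSubDomains missing")
    if not p.preload:
        issues.append("preload missing")
    return issues


if __name__ == "__main__":
    # Constructed header values: the correct one, the "include Subdomains" typo, a short
    # testing max-age, and an nginx "always" flag that ended up inside the quoted value.
    for hdr in ["max-age=31536000; includeSubDomains; preload",
                "max-age=31536000; include Subdomains; preload",
                "max-age=300; includeSubDomains; preload; always;",
                "max-age=0"]:
        print(f"{hdr!r}: {preload_issues(hdr) or 'OK'}")
```

Run it directly to print the verdict for each sample. The unparseable "include Subdomains" directive is the interesting case: the header still carries a valid max-age and preload, so a quick visual check passes, yet every subdomain is left unprotected.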

SSLSTRIP Attack on a website with Missing HSTS

The SSL (and TLS) stripping attack works by transparently converting a secure HTTPS connection into a plain HTTP connection between the victim and the attacker, while the attacker keeps a genuine HTTPS connection to the server.

How the SSLSTRIP attack works

  • A user who reaches a site over plain HTTP first (for example by typing the hostname without a scheme, or by following an http:// link) can be manipulated via a MitM attack: the attacker intercepts the request, fetches the page over HTTPS, rewrites every https:// link and redirect to http:// and delivers the result over HTTP, so the browser never sees HTTPS at all.
  • The threat does not stop at links: sslstrip also strips the Secure flag from cookies, so session identifiers, unique identifiers and anything else developers put in cookies are sent over the plaintext connection where the attacker can read them.

Attack Scenario

It is a common setting in coffee shops, airports, or anywhere you join a wireless "FREE-WIFI" network.

The wireless gateway can be a mobile hotspot, Wi-Fi access point or any router.

Step 1: Set up ARP poisoning so that the victim believes the attacker is the gateway (router) and the gateway believes the attacker is the victim, as in the image below.

Step 2: Enable IP forwarding on the attacking host:

echo "1" > /proc/sys/net/ipv4/ip_forward

This makes the Linux box (Kali) route the victim's packets through itself instead of dropping them, so the victim keeps a working connection and notices nothing.

Note: Successful ARP poisoning is easy to verify by running arp -a on the Windows victim: both IPs, .10 (attacker) and .138 (gateway), now show the same MAC address.

Step 3: Strip the HTTPS and deliver plain HTTP to the victim. sslstrip does this by intercepting each HTTP request, making the corresponding HTTPS request to the real server, rewriting the response (https:// links and redirects become http://) and returning it to the victim over HTTP. Redirect all HTTP (tcp/80) traffic to sslstrip with

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

and start sslstrip listening on that port (its -l option). Note that only tcp/80 is redirected: connections the browser insists on making over HTTPS (tcp/443) cannot be stripped without a certificate warning.

Once this setup is in place, everything the victim exchanges with a site that lacks HSTS can be intercepted, viewed and exploited: the browser sent its first request over HTTP, and sslstrip made sure it never left HTTP.

Note: This is where the HSTS header comes in. Once the browser has seen the header for a site (over HTTPS), it knows the site must never be requested over HTTP and rewrites any http:// URL for that site to https:// before sending, so the plaintext request that sslstrip relies on is never made. The protection is trust-on-first-use: a browser that has never visited the site, or whose stored policy has expired, still sends that first HTTP request. That gap is what the preload list closes.

Below is another screenshot showing how the attacker can read the victim's credentials dumped in the sslstrip log file.

HSTS addresses this problem by informing the browser that connections to the site must always use TLS, so the plaintext request that sslstrip needs is never made.
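To make the attack steps and the HSTS note concrete, here is an added Python model (not the original article's code, and not sslstrip itself) of the three parties: a constructed shop.example server that redirects HTTP to HTTPS and sets an HSTS header, an SslStrip class that does what the real tool does on the redirected port (rewrites https:// links and Location headers to http://, drops the Secure cookie flag, removes the HSTS header and re-fetches stripped links over HTTPS on the victim's behalf), and a Browser class implementing the RFC 6797 behaviour that defeats it. The hostnames, credentials, cookie and responses are all constructed.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
LOGIN_PAGE = '<form action="https://shop.example/login" method="post">...</form>'  # constructed


def upstream(method, url, body):
    """Constructed stand-in for the real shop.example server (the genuine TLS endpoint)."""
    s = urlsplit(url)
    if s.scheme == "http":  # the real site only redirects plain HTTP to HTTPS
        return "301 Moved Permanently", [("Location", "https://shop.example" + s.path)], ""
    if method == "POST" and s.path == "/login":
        return "302 Found", [("Location", "https://shop.example/account"), HSTS], ""
    return "200 OK", [("Content-Type", "text/html"), HSTS,
                      ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")], LOGIN_PAGE


class SslStrip:
    """Model of the sslstrip proxy that the iptables REDIRECT rule feeds from tcp/80."""
    def __init__(self):
        self.stripped = set()  # http:// URLs we handed out in place of https:// ones
        self.log = []          # every plaintext request seen (the credentials dump)

    def handle(self, method, url, body):
        self.log.append((method, url, body))
        # A link we downgraded earlier is fetched from the server over HTTPS on the victim's behalf.
        target = "https://" + url[len("http://"):] if url in self.stripped else url
        return self.strip(*upstream(method, target, body))

    def strip(self, status, headers, body):
        out = []
        for name, value in headers:
            n = name.lower()
            if n == "strict-transport-security":
                continue                                   # the victim must never learn the policy
            if n == "set-cookie":                          # drop Secure so the cookie travels over HTTP
                value = re.sub(r";\s*secure\b", "", value, flags=re.I)
            if n == "location" and value.startswith("https://"):
                value = self.downgrade(value)
            out.append((name, value))
        body = re.sub(r"https://[^\s\"'<>]+", lambda m: self.downgrade(m.group(0)), body)
        return status, out, body

    def downgrade(self, https_url):
        http_url = "http://" + https_url[len("https://"):]
        self.stripped.add(http_url)
        return http_url


def hostile_network(proxy):
    """Attacker's Wi-Fi: plain HTTP is REDIRECTed to sslstrip; TLS can only be passed through."""
    def send(method, url, body):
        return proxy.handle(method, url, body) if url.startswith("http://") else upstream(method, url, body)
    return send


class Browser:
    """Minimal RFC 6797 behaviour: remember HSTS seen over HTTPS, upgrade http:// before sending."""
    def __init__(self, preloaded=()):
        self.hsts = {h: (float("inf"), True) for h in preloaded}  # host -> (expiry, includeSubDomains)

    def pinned(self, host):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry[0] > time.time() and (i == 0 or entry[1]):
                return True
        return False

    def request(self, method, url, body, send):
        s = urlsplit(url)
        if s.scheme == "http" and self.pinned(s.hostname):
            url = urlunsplit(("https",) + tuple(s[1:]))   # rewritten before any packet leaves
        status, headers, resp = send(method, url, body)
        if url.startswith("https://"):                     # the header is ignored on plain HTTP
            for name, value in headers:
                m = re.search(r"max-age=(\d+)", value, re.I) if name.lower() == "strict-transport-security" else None
                if m:
                    self.hsts[s.hostname] = (time.time() + int(m.group(1)), "includesubdomains" in value.lower())
        return url, status, headers, resp


def primed_browser():
    """A browser that visited the site once over a clean network and therefore learned the policy."""
    b = Browser()
    b.request("GET", "https://shop.example/", "", upstream)
    return b


def simulate(victim):
    """Victim types the bare hostname and logs in while on the attacker's network."""
    proxy = SslStrip()
    send = hostile_network(proxy)
    url, status, headers, page = victim.request("GET", "http://shop.example/", "", send)
    if status.startswith("301"):
        url, status, headers, page = victim.request("GET", dict(headers)["Location"], "", send)
    action = re.search(r'action="([^"]+)"', page).group(1)
    url, _, _, _ = victim.request("POST", action, "user=alice&pass=hunter2", send)
    return {"login_url": url,
            "cookie": dict(headers).get("Set-Cookie"),
            "captured": [b for m, _, b in proxy.log if m == "POST"]}


if __name__ == "__main__":
    print("fresh browser :", simulate(Browser()))
    print("primed browser:", simulate(primed_browser()))
```

Running it shows that a fresh browser posts its password to http://shop.example/login through the proxy, with the session cookie already stripped of its Secure flag, while a browser that has already seen the header on a clean network (or has the domain preloaded) rewrites the first request to https:// and never touches port 80. It also makes the caveat visible: the policy is only learned over HTTPS, so the first visit on a hostile network is exactly the exposure the preload list exists to close.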

Configuring HSTS

HSTS Installation for Apache Web Server

Add the following to the .htaccess file (or to the HTTPS virtual host). mod_headers must be enabled; the env=HTTPS condition keeps the header off plain-HTTP responses, where browsers ignore it anyway. A short max-age such as 300 is only useful while testing the deployment; the value below is the one-year minimum required above.

# Use HTTP Strict Transport Security to force clients to use secure connections only
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

HSTS Installation for lighttpd

Add the following to the lighttpd configuration file /etc/lighttpd/lighttpd.conf. The scheme condition sends the header only on HTTPS responses, and max-age is set to the one-year minimum required above (300 is only for testing):

server.modules += ( "mod_setenv" )
$HTTP["scheme"] == "https" {
    setenv.add-response-header = ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains; preload" )
}

HSTS Installation for NGINX

This goes in the server block that listens on 443 in site.conf. The always flag is an nginx argument, not part of the header value: it must sit outside the quotes, otherwise the browser receives "preload; always;" as part of the policy and nginx does not apply the flag (which makes the header appear on error responses too). Note also that an add_header in a location block replaces, rather than adds to, the headers inherited from the server block, so the line has to be repeated in any location that sets its own headers.

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

HSTS Installation for IIS Servers

// Global.asax.cs: emit HSTS on HTTPS responses and send plain-HTTP requests to their HTTPS URL
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    switch (Request.Url.Scheme)
    {
        case "https":
            Response.AddHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
            break;
        case "http":
            var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
            Response.Status = "301 Moved Permanently";
            Response.AddHeader("Location", path);
            break;
    }
}

Conclusion

Because web applications are stateless and every request travels over networks the application does not control, it is hard for them to establish that the channel is trustworthy. A strict HSTS policy together with valid TLS certificates keeps applications and their users away from this class of threat and protects their personal and sensitive data from falling into the wrong hands.

Article By:

Ramandeep Kaur

https://www.linkedin.com/in/ramandeep-kaur-944844aa/

Penetration Tester

IBM PTC Penetration Testing and Security Services

IBM PTC Security

IBM PTC is a proficient internal Security Test Team responsible for vulnerability assessment & ethical hacking of web, mobile applications & infrastructure.