
Friends,

Is there any way to prevent HSTS bypass on an Apache/RHEL environment? I have a webserver with a valid SSL certificate for the domain. Non-HTTPS requests are being redirected to HTTPS. Necessary headers, including Content Security Policy, Strict Transport Security and X-Frame, are applied already.

Any ideas?

Adding an example link that shows how to achieve an HSTS bypass:

https://null-byte.wonderhowto.com/how-to/defeating-hsts-and-bypassing-https-with-dns-server-changes-and-mitmf-0162322/

Thanks in advance

Sam
  • What exactly do you mean by HSTS bypass? What's your threat model? – womble Jan 19 '18 at 08:39
  • Not all clients (especially bots) will obey that header. As @ezra-s mentioned, you should redirect all port 80 traffic if you can, at least for anything that could contain sensitive information. – Aaron Jan 19 '18 at 16:40
  • Thanks womble, ezra-s, Aaron for the reply and suggestions. @womble, please refer to the link https://null-byte.wonderhowto.com/how-to/defeating-hsts-and-bypassing-https-with-dns-server-changes-and-mitmf-0162322/ – Sam Jan 20 '18 at 03:24
  • You put your domain on the HSTS preload list. – Michael Hampton Jan 20 '18 at 18:16

2 Answers

Submit your domain here: https://hstspreload.org/

This stops most modern browsers from even trying to connect via http.

Use sslstrip to verify; it's pretty easy to set up with Firefox:

sslstrip.py -l <listenPort>

Then set up Firefox to proxy everything to that port.

You should see the attack in action then.

exussum
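
Before submitting to hstspreload.org, it is worth confirming that the Strict-Transport-Security header the server actually sends meets the preload submission requirements: a max-age of at least one year (31536000 seconds), includeSubDomains, and the preload directive. Without the preload entry, a browser that has never visited the site has no HSTS policy yet, which is exactly the window a DNS-change or sslstrip-style interception relies on. The checker below is an added example, not code from the answer or from hstspreload.org; the threshold and directive names are taken from the published submission requirements, and the sample header values are constructed for illustration (the other requirements, such as the HTTP-to-HTTPS redirect on every host, need a live request and are not covered here).

```python
"""Check a Strict-Transport-Security header value against the
hstspreload.org submission requirements that can be judged offline:
max-age >= 1 year, includeSubDomains present, preload present."""

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def parse_sts(header: str) -> dict:
    """Split an STS header value into a dict of lowercase directive -> value.

    Directives are separated by ';'. 'max-age=N' carries a value; the
    flag directives (includeSubDomains, preload) map to an empty string.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header: str) -> list:
    """Return the reasons this header would fail preload submission.

    An empty list means the header itself is eligible; an empty or
    missing header fails all three checks, which is the state of a
    server that never sends HSTS at all.
    """
    d = parse_sts(header)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("missing or non-numeric max-age")
    elif int(max_age) < ONE_YEAR:
        problems.append(f"max-age {max_age} is below {ONE_YEAR} (1 year)")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed sample header values (not captured from any real server):
# a weak policy, a long-lived policy that never opted in to preload,
# and one that satisfies all three header checks.
SAMPLES = {
    "weak": "max-age=300",
    "no-preload": "max-age=31536000; includeSubDomains",
    "eligible": "max-age=31536000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        found = preload_problems(value)
        print(f"{label:11} -> {'eligible' if not found else '; '.join(found)}")
```

On Apache the eligible value corresponds to `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"` on the HTTPS virtual host only; the header must never be sent over plain HTTP, and every subdomain needs to be reachable over HTTPS before includeSubDomains is safe to turn on.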

Yes, indeed.

Don't serve anything over http except redirects to https.

Daniel Ferradal
  • Thank you, I'm already redirecting all non-HTTPS requests to HTTPS. Still, our pen-testers found that a MITM attack is possible. – Sam Jan 20 '18 at 03:30