HSTS Vulnerability -write up
ok 1 week ago, I got HSTS Vulnerability on cyberarmy. now i want to explain about HSTS Vulnerabilities.
What is HSTS?
HTTP Strict-Transport-Security. HSTS is A website security switch that supports web browsers to access websites only through HTTPS. Why should via HTTPS not via HTTP? Represents HTTPS Protocol Secure function of the HTTP protocol. HTTPS works on ports 443 and has an encrypted path. Permanent Want to minimize the attacks of third parties who want committing data theft.
What’s is the impact of HSTS vulnerabilities?
granted, it is kind of hard to exploit this vulnerability, because, first of all, it requires an attacker to be in a privileged network (he/she needs to be able to see what’s going over the wire). Then the attacker would need to trick the victim into opening https://tokopedia.com/login in a browser . HSTS preloaded and which doesn’t have any HSTS cookies for Tokopedia.com from a previous secure visit to hackerone.com. When all these conditions are met, an attacker could for example steal the victim’s Tokopedia credentials, or inject some malicious scripts into any page. This is possible because the connection is never upgraded, and the site allows forms such as the login form to be posted to a non-secure endpoint.
How to check HSTS Vulnerability?
first you must check on Terminal curl -s -D- https://www.websiteexample.com/login | grep -i strict
second you must go to ssllab and test for ssltest and check for hsts
the third if you don’t fine no hsts, its maybe vulnerable
How to fix this bug?
the application should instruct the web browser to only access the application using HTTPS. To do this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name ‘Strict-Transport-Security’ and the value ‘max-age = expireTime’, where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the ‘includeSubDomains’ flag if appropriate. Note that because HSTS is a “trust on first use” (TOFU) protocol, a user who has never accessed the application will never see the HSTS header, and will therefore still be vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the ‘preload’ flag to the HSTS header, and submit the domain for review by browser vendors
but some most programs accept this vulnerability with P5 status
