
I just started learning MITM attacks and I use MITMF to perform these attacks. I have one question regarding sslstrip. I notice that sslstrip only works when we first clear the cache and history in our victim's browser. Is this always the case? Or are there any workarounds for this?

I've been thinking of maybe doing a DNS spoof and then running a script to clear all the cookies in the browser, but I'm not sure if this will work.

Edit: I do understand that sslstrip won't work on HSTS websites, but will it work without having the victim clear their cookies first?

  • I think this is discussed in depth in [How does SSLstrip work?](https://security.stackexchange.com/questions/41988/how-does-sslstrip-work) and [SSL Strip Injection Point](https://security.stackexchange.com/questions/142901/ssl-strip-injection-point). In short: sslstrip needs a plain HTTP request to work. If the client already switched to HTTPS, the attack will not work. Since the browser initially does plain HTTP unless it knows otherwise, it will work when the browser knows nothing about the target yet. – Steffen Ullrich May 20 '19 at 14:26
  • @SteffenUllrich my question is simply asking if sslstrip works without the victim having to clear their cookies first. – Andi Perkaa May 20 '19 at 14:29
  • This is completely unrelated to cookies. Please read the information I've linked to. – Steffen Ullrich May 20 '19 at 14:30

1 Answer


I do understand that sslstrip won't work on HSTS websites, but will it work without having the victim clear their cookies first?

This is completely unrelated to cookies.

SSLStrip works as long as the browser thinks that the site can be accessed by plain HTTP. If the site responds with HSTS or has pre-loaded HSTS, the browser knows to access the site next time, or even the first time, with HTTPS.

Similarly, if the site issues a 301 permanent redirect to HTTPS, the browser will next time skip the plain HTTP request and access this new HTTPS URL directly (this affects only the specific URL and not the whole site). I think you are confusing this 301 with the cookies.

Steffen Ullrich
  • So this is probably because a certain website can't be accessed through HTTP. Is there a way to check if a website supports both HTTP and HTTPS? – Andi Perkaa May 20 '19 at 14:49
  • @AndiPerkaa It doesn't matter if the victim website responds only to HTTPS requests and ignores HTTP; if the client tries connecting to HTTP, sslstrip is possible. – AndrolGenhald May 20 '19 at 14:58
  • @AndiPerkaa: please limit yourself to your original question and don't ask new questions (even if a follow-up) inside a comment. Apart from that see [Does sslstrip work only on websites which use both HTTP and HTTPS?](https://security.stackexchange.com/questions/183467/) and [Mitigating SSLStrip by only serving a site over HTTPS?](https://security.stackexchange.com/questions/64979). – Steffen Ullrich May 20 '19 at 15:02
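The answer and comments above come down to one question: will the browser's next navigation leave as plain HTTP at all? Added example, not from the original post and not any real browser's implementation: a small Python model of the two pieces of browser memory the answer names, an HSTS entry (header-set or pre-loaded, covering the whole host and optionally its subdomains) and a cached 301 (covering only one exact URL), fed with constructed sample responses so a defender can see which navigations would still go out unencrypted.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class BrowserState:
    """Constructed model of the browser memory that decides HTTP vs HTTPS."""
    # host -> includeSubDomains flag; seed an entry directly to mimic preload
    hsts_hosts: dict = field(default_factory=dict)
    cached_redirects: dict = field(default_factory=dict)  # http URL -> https URL

    def observe_response(self, url, status, headers):
        """Record what a browser would remember from one response."""
        host = urlsplit(url).hostname
        sts = headers.get("Strict-Transport-Security")
        # HSTS is only honoured when the header arrives over HTTPS.
        if sts and url.startswith("https://"):
            directives = [d.strip().lower() for d in sts.split(";")]
            max_age = 0
            for d in directives:
                if d.startswith("max-age="):
                    max_age = int(d.split("=", 1)[1])
            if max_age > 0:
                self.hsts_hosts[host] = "includesubdomains" in directives
            else:
                self.hsts_hosts.pop(host, None)  # max-age=0 removes the policy
        # A permanent redirect to HTTPS is cached for this exact URL only.
        location = headers.get("Location", "")
        if status == 301 and url.startswith("http://") and location.startswith("https://"):
            self.cached_redirects[url] = location

    def _hsts_covers(self, host):
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.hsts_hosts and (i == 0 or self.hsts_hosts[parent]):
                return True
        return False

    def next_request(self, url):
        """URL the browser would actually fetch when the user navigates to `url`."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        if self._hsts_covers(parts.hostname):       # HSTS upgrades the whole host
            return "https://" + url[len("http://"):]
        return self.cached_redirects.get(url, url)  # a 301 covers one URL only


def strippable(state, url):
    """True if this navigation leaves as plain HTTP, the request sslstrip needs."""
    return state.next_request(url).startswith("http://")
```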