
I am aware of HSTS and its directives... "If you had enabled HSTS on your site, however, and this user has visited your site before, the browser will remember it should go back to HTTPS. As the fake site does not have an SSL certificate, the user can't visit the site, and will be safe."

However, I am unable to reproduce a MITM attack when I have visited the site before; only when I delete all cookies and try again does it work. For some reason the website is acting like it has HSTS, but it doesn't... so what is wrong here? If the website doesn't have HSTS, then the browser shouldn't remember to connect to HTTPS.

What I am doing:

1- If I delete cookies and try to connect to example.com, the MITM works just perfectly.

2- If I visit the site and close the browser, and then try to reproduce the MITM attack, it doesn't work: it connects to HTTPS directly. (It should work, because the website doesn't have HSTS.)

3- If I visit example.com and close the browser, and then try to reproduce the MITM attack by typing example.com/about, the MITM attack works perfectly.

4- If I visit example.com/about and close the browser, and then try to reproduce the MITM attack by typing example.com/about, the MITM doesn't work.

For some reason the website doesn't have HSTS, but it looks and works like it's implemented.

Tomi Begher
  • Does it do a 301 redirect from HTTP -> HTTPS? 301 is permanent, so browsers can cache them however long they want. – AndrolGenhald May 21 '19 at 03:01
  • Did it *ever* have HSTS enabled? The browser will remember it for a long time, and deleting cookies doesn't affect this at all. – Esa Jokinen May 21 '19 at 03:10
  • 1- If I delete cookies and try to connect to example.com, the MITM works just perfectly. 2- If I visit the site and close the browser, and then try to reproduce the MITM attack, it doesn't work. It connects to HTTPS directly. – Tomi Begher May 21 '19 at 03:13
  • @AndrolGenhald I don't know if it does a 301 redirect, but I know it does an HTTP to HTTPS redirect, because when typing example.com it goes to HTTP by default. – Tomi Begher May 21 '19 at 03:39
  • 1
    Very likely a permanent redirect (301) cached by the browser. See also the very similar question [Does SSLSTRIP in MITMF only works when the victim visits for the first time?](https://security.stackexchange.com/questions/210490/does-sslstrip-in-mitmf-only-works-when-the-victim-visits-for-the-first-time/210491#210491). – Steffen Ullrich May 21 '19 at 04:10
  • @SteffenUllrich Yeah, I thought the same, but the browser cache won't last that long, right? It should last less than a day. – Tomi Begher May 21 '19 at 10:58
  • 1
    @TomiBegher: 301 are kind of cached forever, i.e. they might be removed automatically only when the browser cache gets too big and old and long unused entries get deleted. – Steffen Ullrich May 21 '19 at 11:00
  • @SteffenUllrich But if that happens, then why do websites implement basic HSTS? If the website is cached in the browser for a long time, then there is no need for basic HSTS (we know that the preload directive is really good and stops all kinds of MITM attacks). – Tomi Begher May 21 '19 at 14:26
  • @TomiBegher: I recommend that you read the question I've linked to because it contains the answer. Hint: there is a difference between knowing that site is HTTPS (as done with HSTS) and a single URL (as done with 301). – Steffen Ullrich May 21 '19 at 19:09
  • @SteffenUllrich I read it all. I have tested this with websites with and without HSTS, but I really can't note any difference. Both work the same way and both are vulnerable in the same way. – Tomi Begher May 21 '19 at 19:23
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/93943/discussion-between-tomi-begher-and-steffen-ullrich). – Tomi Begher May 21 '19 at 19:32
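To make the distinction Steffen Ullrich points to concrete, here is an added Python model (not from the question, and not how any real browser is implemented) of the two separate memories involved: a cached 301, which is keyed by the exact http:// URL it was received for, and an HSTS policy, which is keyed by the host. The example.com responses, the Location header and the max-age value are constructed inputs chosen to replay steps 2 and 3 of the question.

```python
from urllib.parse import urlsplit, urlunsplit

class BrowserState:
    def __init__(self):
        self.redirect_cache = {}  # exact http URL -> Location of a cached 301
        self.hsts = {}            # hostname -> expiry time of the HSTS policy

def normalize(typed):
    """Turn what a user types into the URL the browser would request."""
    url = typed if "://" in typed else "http://" + typed
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))

def hsts_max_age(headers):
    """Return max-age from a Strict-Transport-Security value, or None if absent."""
    for directive in headers.get("Strict-Transport-Security", "").split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return None

def record_response(state, url, status, headers, now):
    """Update the browser's memory after receiving a response for url."""
    p = urlsplit(url)
    if status == 301 and p.scheme == "http" and "Location" in headers:
        state.redirect_cache[url] = headers["Location"]   # remembered for this URL only
    if p.scheme == "https":   # HSTS is only honoured over a secure connection
        max_age = hsts_max_age(headers)
        if max_age is not None:
            state.hsts[p.hostname] = now + max_age        # applies to the whole host

def first_request(state, typed, now):
    """The URL the browser actually puts on the wire first for a typed address."""
    url = normalize(typed)
    p = urlsplit(url)
    if p.scheme == "http":
        if state.hsts.get(p.hostname, 0) > now:
            return urlunsplit(("https",) + tuple(p[1:]))  # upgraded before any request
        if url in state.redirect_cache:
            return state.redirect_cache[url]             # served from cache, no network
    return url                                            # plain HTTP: interceptable

def replay(with_hsts):
    """Steps 2 and 3 of the question: visit example.com, then type example.com/about."""
    st = BrowserState()
    record_response(st, "http://example.com/", 301, {"Location": "https://example.com/"}, 0)
    hdrs = {"Strict-Transport-Security": "max-age=31536000"} if with_hsts else {}
    record_response(st, "https://example.com/", 200, hdrs, 0)
    return first_request(st, "example.com", 60), first_request(st, "example.com/about", 60)
```

Without HSTS the second element of `replay(False)` is `http://example.com/about`, which is exactly the plain-HTTP request step 3 observed; with the header present the whole host is upgraded, so `replay(True)` yields HTTPS for both addresses.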

0 Answers