0

If a site is enforcing HSTS, does that prevent packet capturing of GET requests in Wireshark?

If it prevents it, is it possible to achieve the same using Bettercap or any other alternatives?

Scenario:

The response to the GET request is a token value, which is sensitive and can be used for other functionalities on the website.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Joel Deleep
  • 189
  • 9

2 Answers

5

Let's back up a bit because you are asking about details on the extreme ends of a technology stack and your question misses the mark and doesn't make sense.

  • Wireshark just captures packets, so you could replace "Wireshark" in your question with "packet captures"
  • TLS encrypts the HTTP payloads, so GET requests would be encrypted
  • packet captures could still happen, but they would be encrypted

So, would TLS prevent the contents of a GET request from being exposed? Yes.

What about Bettercap?

  • HSTS helps to ensure one cannot downgrade HTTPS to HTTP
  • One attack in Bettercap (or any other Man-in-the-Middle tool) is to try to downgrade HTTPS
  • HSTS would prevent this type of attack

But that's just one attack. Another, better, use of Bettercap is to replace the certificate of the server with its own and decrypt the client communication. HSTS will not be so useful against that.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • The token is in the JSON response to the request. If I am right, there is no other option than an HTTP downgrade to fetch the token value. Correct me if I'm wrong. – Joel Deleep Jul 08 '20 at 10:27
  • 1
    I just mentioned one: replace the certificate... – schroeder Jul 08 '20 at 10:27
  • 1
    To downgrade, you need to be in the middle. Once you are there, you can do quite a lot besides downgrade attacks. – schroeder Jul 08 '20 at 10:29
  • But let's say the site I am targeting is Google, for example. Is the same approach possible to fetch the token? – Joel Deleep Jul 08 '20 at 10:31
  • No, because they use protections against replacing the certificate. Otherwise, yes. Once you are a man-in-the-middle, you see ***everything***. – schroeder Jul 08 '20 at 10:32
  • I think what you want to know is the risks of man-in-the-middle attacks and how to protect against them. There is quite a lot written about this and a ton of pre-made tools you can use. HSTS is just one of them. – schroeder Jul 08 '20 at 10:34
  • If you are not in the middle, then you can't do anything. You can't even downgrade. Since you mentioned Bettercap, we assume that you are in the middle and you know the power you have. – schroeder Jul 08 '20 at 10:37
  • Basically, I am facing a situation where the token is leaking in the response to a GET request. If I am right, it has HSTS implemented. If I am able to fetch that token, I can proceed with my pentesting report, escalating to other functionalities, even if the attack complexity is high. – Joel Deleep Jul 08 '20 at 10:38
  • How do you know it is leaking? It sounds like you are making a ton of assumptions and guesses, and you are in an X/Y problem scenario (assuming a problem is caused by one particular factor and you are focusing on the factor and not the problem). – schroeder Jul 08 '20 at 10:40
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/110346/discussion-between-joel-deleep-and-schroeder). – Joel Deleep Jul 08 '20 at 10:41
3

Packet capturing happens at the network level. Since the browser has to send out network packets to fetch a site for you, you can always capture the network packets. HSTS has no impact on this process at all.

What HSTS does is help the browser decide whether or not it MUST use HTTPS instead of HTTP. If the browser decides to use HTTPS then of course the data in the packets will be encrypted, so while you can still capture the packets, you won't be able to read their contents.

Of course you could get around that locally by using a proxy to intercept all your network traffic, and add its root certificate to your certificate store. As long as the application/website isn't using public key pinning you will be able to intercept and decrypt the traffic so you can read it. Of course we're talking about your own browser here so you could have done this just as easily in your browser's network tab.

Remember though that all of the above is difficult or impossible to do on someone else's machine, so none of this will help you to extract a token in a GET request from someone else.

Conor Mancone
  • 29,899
  • 13
  • 91
  • 96
  • Thanks for the answer. The token is in the JSON response, not in the request. For me, I was not able to capture the request, so I was doubtful whether packet capturing is prevented. – Joel Deleep Jul 08 '20 at 10:25
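As an added example (not code from either answer, nor from Wireshark or Bettercap), the following Python models the client-side decision the second answer describes: a `Strict-Transport-Security` header is only honoured on a TLS-protected response, it is cached per host with an expiry, and a later `http://` URL for a known host is rewritten to `https://` before any packet leaves the machine, which is what defeats the downgrade the first answer mentions. It also shows the pin form that the "protections against replacing the certificate" in the first answer's comments refer to: a SHA-256 over the certificate's DER `SubjectPublicKeyInfo`, compared against an expected set. All hostnames, header values and the SPKI bytes are constructed for the example.

```python
"""HSTS-aware client model plus a minimal SPKI pin check (added example)."""
import base64
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class HstsPolicy:
    expires_at: float          # epoch time at which the cached policy lapses
    include_subdomains: bool


def parse_hsts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains).

    Returns None when there is no valid max-age directive; a browser ignores
    such a header. Directive names are case-insensitive (RFC 6797).
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        # "preload" and unknown directives do not change enforcement
    return None if max_age is None else (max_age, include_subdomains)


class HstsStore:
    """Per-client HSTS cache keyed by host; `now` is injectable for testing."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._policies: Dict[str, HstsPolicy] = {}

    def observe_response(self, host: str, over_tls: bool, headers: Dict[str, str]) -> bool:
        """Record the policy carried by a response; returns True if it was acted on.

        Only a TLS-protected response may set or clear a policy, so a plain-HTTP
        response (the downgrade case) can neither install nor revoke one.
        """
        if not over_tls:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        parsed = parse_hsts_header(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)      # max-age=0 revokes the policy
        else:
            self._policies[host] = HstsPolicy(self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host: str) -> bool:
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            if policy.expires_at <= self._now():
                del self._policies[candidate]   # lazily drop an expired entry
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def resolve(self, url: str) -> str:
        """Rewrite an http:// URL to https:// when its host is HSTS-known."""
        if url.startswith("http://"):
            rest = url[len("http://"):]
            host = rest.split("/", 1)[0].split(":", 1)[0]
            if self.is_known(host):
                return "https://" + rest
        return url


def spki_pin(spki_der: bytes) -> str:
    """Pin in the conventional 'sha256/<base64>' form over a DER SubjectPublicKeyInfo."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_matches(spki_der: bytes, expected_pins: Set[str]) -> bool:
    """True if the presented key matches one of the pins the client expects."""
    return spki_pin(spki_der) in expected_pins


if __name__ == "__main__":
    store = HstsStore()
    # constructed: the site's first HTTPS response carries an HSTS header
    store.observe_response("example.com", True,
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.resolve("http://api.example.com/token"))   # upgraded to https://
    # constructed SPKI bytes standing in for a real DER-encoded public key
    pins = {spki_pin(b"constructed-spki-der")}
    print(pin_matches(b"constructed-spki-der", pins), pin_matches(b"other-key", pins))
```

The two pieces correspond to the two defences discussed above: the store makes the client refuse to talk plain HTTP to a host it has seen over TLS, while `pin_matches` is what a pinning client checks after the TLS handshake, so a substituted certificate with a different public key fails even though it chains to a trusted root.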