2

If I had a website http://site.com redirecting to https://site.com via javascript (with a HTTP/1.1 403 Forbidden), what are the attack vectors I could be vulnerable too?

Why is this not a good practise? (and the preferred way is to do a 301 from the server side)

  1. ok SEO while a 301 is preferred for the search bots.
  2. disable the script in the browser, you are stuck

anything else?

For onething, according to me, a session fixation through MITM is not possible at least because all the raw response gives me is as below. There is no cookie, whatsoever. 

<html>
<head><title>hussh...</title></head>
<script language="JavaScript">
function redrToHttps()
{
 var httpURL= window.location.hostname + window.location.pathname + window.location.search;
 var httpsURL= "https://" + httpURL;
 window.location = httpsURL;
}
 redrToHttps();
</script>
<body>

I do not know why a lot of tutorials on the internet advise you to do it via javascript, while a 301 permanent is a perfect choice. AFAIK, I could not find an attack vector in this form of redirect via javascript with 403 header.

Am I missing something? Are there any attack vectors that I could be up against in the future? Why is this not the recommended way?

Edit:

May be I forgot to mention why I posted this question. I have already raised a flag to use HSTS, it was missing in the website in question. My concern is, the people that developed this application followed the first link in google (back then, when they developed) to make this http to https redirection via javascript. Honestly, this is the first time I saw a http to https redirect for all pages of the application via javascript. I don't have to tell you how bad, and stupid the javascript https redirect sounds even at the outset. But I looked at raw response, there was a 403 which is fine (hey, you are forbidden), although not the best way of doing it.

The site never serves any information over http. It always uses the javascript to do the redirection make a new request. Too bad. I get it. May be your answers/thoughts about how susceptible this could be, would me help sell why this is such a bad idea in terms of security.

I am afraid that this is not a possible duplicate as no question in the stackexchange network discusses the security implication of a http to https redirect via javascript in specific. Keeping the best practices apart, I would appreciate your ideas on how insecure (and why so) this approach is.

Custom client side script instructing the browser to navigate to a different page, and the browser responding to a 301 as in http://paypal.com has fundamental differences I believe. Are they any knows exploits demonstrated in this case?

Thank you.

Edit 2: Did someone notice a 403? In IIS 6 if you had enabled require HTTPS and if you tried to access the site via HTTP and if you hadn't configured SSL properly, then that's what you would get a 403 dull error page. Old time quick fix solution is to trap a 403 in the server and return a custom error page that would contain a javascript code like i mentioned in the question. That javascript would then request the HTTPS version of the page, which is a new browser request, and not a redirect of any sort. Which is actually equivalent to a new https request. This is bad, very bad, poor implementation. But the question now is, you request a resource on http, that returns you a 403 with some java script that helps put https in the url for you and hence issuing a new https request. Not a 301/301 induced HTTPS. May be the question title says the word redirect, but now I have second thoughts about the misnomer now. To put things in perspective here is a post - http://raoulpop.com/2007/08/07/automatic-redirect-from-http-to-https/ that describes what I am saying. Very old post indeed. How is this a duplicate question?

gmaran23
  • 143
  • 1
  • 7

1 Answers1

1

Doing this in the browser with JavaScript is insecure and inefficient.

As you have already mentioned, if the User Agent doesn't execute JavaScript then the user is just going to be sat on your 403 Forbidden page. If you're going to return a 403 response to a user, why not just return a 301 and make some use of the response? This is a bad user experience at best and will result in people continually hitting your http URL to be redirected instead of the https one.

From a security standpoint you're opening the user up to attacks from a MiTM. If the user types in site.com without specifying a protocol, the browser will default to HTTP and make a request to http://site.com for them. If the redirect is done in JavaScript the browser will not remember. If the server responds with a 301 permanent redirect to https://site.com then the browser will cache this response. The next time the user types in site.com the browser will visit https://site.com instead of http://site.com as before. This helps mitigate various forms of SSL stripping attacks but isn't a perfect solution. Still though, it is slightly more secure.

What you could also do is issue a HSTS policy for your domain. I've gone in to some detail on what HSTS is on my blog titled "HSTS - The Missing Link In Transport Layer Security". Simply put, HSTS allows you to tell a browser to always use https with no requirement for a redirect. You still need to keep the redirects for non-compliant user agents but it's another step in the right direction.

Scott Helme
  • 3,178
  • 3
  • 21
  • 32
  • nice post on the links. While I had Moxie's SSLStrip in mind while analysing the application initially, it didn't strike when I typed this question because I was obsessed with session hijacking for the past couple of hours, and it seemed ok to me to have used a 403 header. You must be spot on. I will have a few things to confirm though. Do you think SSLstrip would work with a 403 as well? _Since this is not a redirect, but a 403, and the browser is instructed by the client side script to make a request to https, I am not certain about SSLstripping here_. I will have to try. \m/ – gmaran23 Jan 08 '14 at 20:03
  • No it wouldn't protect your from SSLstrip attacks. SSLstrip actively monitors traffic going to do the device, including the contents of HTML and JS. When it sees the https:// URL in the JS, it will be re-written to HTTP. I cover that feature in the blog I linked about SSLstrip. This would actually result in your users becoming stuck in a permanent redirect loop to the http:// URL. Not so good... – Scott Helme Jan 09 '14 at 10:35
  • spot on! verified that as well. in my case due to the javascript, the website loops indefinitely trying to get a https .. but SslStrip replaces it with http.. goes on and on. Very funny but, this anomaly of redirect loop during SslStrip attacks, would at least save someone from not visiting the website during SslStrip attacks by looping itself. If my users are predominantly IE, then they can't benefit from HSTS(not even in IE 11). If I did a 301/302 redirect, then SslStrip is possible. But, this tiny javascript gets stuck in a redirect loop, suffering itself, from SslStrip attacks ;-) ha ha! – gmaran23 Jan 09 '14 at 19:57
  • I see your point about the end user not getting to the site but I can't help but feel uneasy about the prospect of a 'redirect loop'... Even with that aside, an attacker has other options once they have control of the transport layer. What's stopping the attacker serving your website, or any content for that matter, in place of the JS? Remember, what you're seeing is 'out of the box' functionality of SSLstrip but an awful lot more is possible. If I'm being entirely honest, it offers no protection whatsoever. – Scott Helme Jan 10 '14 at 07:00
  • _What's stopping the attacker serving your website, or any content for that matter, in place of the JS?_ Exactly! Despite being marked a duplicate question at the discretion of some rigorous mods, you have served the purpose of my question here. Thanks, it's been a good offline chat! :-) – gmaran23 Jan 11 '14 at 12:30
  • Yeah they get a bit like that sometimes... Glad I could help :-) – Scott Helme Jan 12 '14 at 19:29