Web developers are sometimes surprised to learn that a browser does NOT, by default, require a site that serves HTTP content over TLS/SSL (i.e. HTTPS) to use HTTPS for all of its content.
“HTTP Strict Transport Security” (a.k.a. HSTS) is a web security policy designed to ensure that communications with a site take place only over HTTPS (i.e. secure HTTP). It is activated using a special directive that a web-application sends to the browser, instructing it to limit all of its interaction with that website to HTTPS.
Defined in IETF RFC 6797, HSTS is designed to prevent sensitive information, including session tokens, from being exposed in clear text when the security of a site is downgraded from HTTPS to HTTP. Specifically, the specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections.
Depending on the sensitivity of the information being served, such a downgrade can represent a security vulnerability. It can occur on sites that support both protocols and/or through Man-in-the-Middle attacks in which an attacker presents a proxy HTTP site to the user while communicating with the real HTTPS site.
The exposure of information via HTTP can result in the unauthorized access to sensitive information, as well as Session Hijacking.
Websites can become vulnerable in a number of ways, including as the result of maintenance activities:
- A site may have previously supported HTTP before migrating to HTTPS, and may need to continue to support both for portions of the site.
- A site intended to be purely HTTPS may inadvertently contain HTTP links.
- An attacker may attempt to intercept traffic using an invalid certificate in hopes the user will accept the bad certificate, allowing them to proxy all traffic to the legitimate site.
It is not uncommon for web-application vulnerability scanners to detect and report the “Failure to Use HSTS” as a vulnerability of HTTPS sites.
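To make the policy mechanism and the scanner finding concrete, here is an added example (not code from the original article): it parses the `Strict-Transport-Security` response header that RFC 6797 defines and reports the findings a scanner would raise for a constructed response, including a header sent over plain HTTP, which browsers ignore. The one-year `MIN_MAX_AGE` threshold and the finding strings are assumptions.

```python
"""Evaluate a Strict-Transport-Security header the way a scanner would.

Constructed example; thresholds and finding strings are assumptions.
"""
MIN_MAX_AGE = 31536000  # assumption: one year, a common scanner threshold


def parse_hsts(value):
    """Parse an STS header value per RFC 6797 section 6.1: directives are
    separated by ';', names are case-insensitive, max-age may be quoted."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age" and raw.isdigit():
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_response(scheme, headers):
    """Return the findings a scanner would report for one HTTP response.

    RFC 6797 section 8.1: browsers only honour the header on a secure
    transport, so an STS header on a plain-HTTP response does nothing.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    value = lowered.get("strict-transport-security")
    if scheme != "https":
        if value is not None:
            return ["STS header on an HTTP response is ignored by browsers"]
        return ["served over HTTP: redirect to HTTPS before HSTS can apply"]
    if value is None:
        return ["Failure to Use HSTS: header missing on HTTPS response"]
    policy = parse_hsts(value)
    findings = []
    if policy["max_age"] is None:
        findings.append("invalid STS header: max-age directive is required")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy; site is not protected")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max_age']} below {MIN_MAX_AGE}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains may downgrade")
    return findings
```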
For additional insight into how to discover HSTS vulnerabilities in your web-applications, please see the article entitled: “How to Test For Failure to Use HTTP Strict Transport Security (HSTS)”.
For additional insight into how to prevent or fix HSTS vulnerabilities, please see the article entitled: “How To Prevent Failure to Use HTTP Strict Transport Security (HSTS)”.
Some additional information on HSTS can be found here.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.