comatose603 Posted February 9, 2013
Anything out there to deal with HSTS traffic? E.g., some sort of way to force clients to opt out of it?
Mr-Protocol Posted February 9, 2013
http://tools.ietf.org/html/rfc6797#section-2.3 Not sure if a tool exists to just run and pwn, yet.
comatose603 (Author) Posted February 9, 2013 (edited)
I suppose a workaround is to just DNS spoof and phish HSTS domains... no? Would be nice if there was a module to 1) detect HSTS, 2) auto DNS spoof it, 3) and on the fly mirror the portal HTML locally for phishing. Or, do sites such as Gmail have non-HSTS versions of the portals that traffic could be redirected to with DNS spoofing?
Edited February 9, 2013 by comatose603
PineDominator Posted February 9, 2013
I had an idea a while ago to maybe inject the code that tells a browser that the site they're at is HSTS. Basically screwing their browser. The next time they visit that site not on the Pineapple they can't ;-) Could make it worse by speeding up the process by loading many domains/sites within a series of iframes. Would this be possible?
comatose603 (Author) Posted February 9, 2013
Is the Facebook iPhone app using HSTS? I never see any data from it in SSLstrip.
digininja Posted February 10, 2013
I don't know if sslstrip removes the HSTS flag when it is running; if you've not seen any data in it then maybe not yet. Don't forget you would have to hit the page through HTTP first so that it can act as a local proxy for the HTTPS traffic. Failing that, I'm planning an extension to the proxy I wrote for the keylogger so that it will take an upstream proxy which could be sslstrip. My proxy would then strip the HSTS header so the browser never sees it. Might be worth doing some research on how long the browser remembers the setting for, whether it is only when it sees it in the headers or if once it has seen it then it sticks for that session.
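An added example, not code from this thread, from sslstrip or from digininja's proxy, that models the two things discussed above: how a browser following RFC 6797 remembers an HSTS host (the "how long does it remember" question) and what a stripping proxy has to do to the response headers. Two RFC 6797 rules matter for both ideas: a user agent only honours Strict-Transport-Security on a response received over TLS (section 8.1), so a header injected into plain-HTTP traffic on the Pineapple is ignored by a conforming browser; and the setting persists for max-age seconds from the last response that carried it, across sessions, with max-age=0 clearing it. The host names and header values below are constructed for the example.

```python
"""Model of RFC 6797 HSTS handling: the browser-side "Known HSTS Host" cache
and the header-stripping step a MITM proxy performs before relaying a response.
Added example; not the thread's or any project's code."""
import time

STS_HEADER = "strict-transport-security"


def parse_sts(value):
    """Parse an STS field value (RFC 6797 6.1) into (max_age, include_subdomains).

    Returns None when the field is invalid: max-age missing, repeated,
    or not a non-negative integer. Unknown directives are ignored.
    """
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                return None  # directive MUST NOT appear more than once
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Minimal Known-HSTS-Host cache as a user agent keeps it (RFC 6797 5.1/8.1)."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.hosts = {}           # host -> (expiry_epoch, include_subdomains)

    def process_response(self, host, headers, over_tls):
        """Apply section 8.1 to one response. Returns True if the cache changed."""
        if not over_tls:
            return False          # STS over insecure transport MUST be ignored
        values = [v for (k, v) in headers if k.lower() == STS_HEADER]
        if not values:
            return False          # no header, cache untouched (entry keeps ticking down)
        parsed = parse_sts(values[0])   # only the first STS field is processed
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            return self.hosts.pop(host, None) is not None   # max-age=0 forgets the host
        self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent that set includeSubDomains, is an unexpired HSTS host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > self.now() and (i == 0 or include_sub):
                return True
        return False


def strip_sts(headers):
    """The stripping proxy's job: drop every STS field before the client sees it."""
    return [(k, v) for (k, v) in headers if k.lower() != STS_HEADER]


if __name__ == "__main__":
    # Constructed sample response headers.
    hdrs = [("Content-Type", "text/html"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
    store = HstsStore()
    store.process_response("example.com", hdrs, over_tls=False)   # ignored: plain HTTP
    print("after HTTP injection:", store.is_known("example.com"))
    store.process_response("example.com", hdrs, over_tls=True)
    print("after HTTPS response:", store.is_known("www.example.com"))
    print("relayed by proxy:", strip_sts(hdrs))
```

The model is also why the "poison their browser with iframes" idea only works if the attacker can speak TLS for those domains to the victim (a valid certificate or an accepted warning): over plain HTTP the injected header is discarded. The only client the stripping proxy can help is one that has never received the header over a trusted HTTPS connection, or whose cached entry has expired; sites commonly send max-age values of a year, so the entry survives browser restarts and is refreshed on every secure visit.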