
discuss : about bypass HSTS !



Good evening all ......

As we all know, browsers these days use HSTS security, and MITM has become less effective.

We can't use sslstrip to capture passwords (gmail and twitter) .....

And I have many ideas to share ....

There is a framework called Squid-Imposter https://github.com/koto/squid-imposter. I downloaded it and installed it on my backtrack5R3, and I succeeded with facebook.com and gmail.com. This framework uses HTML5 and forces the browser to use http.

But it didn't succeed with hotmail and yahoo, etc., so we need someone who is an expert in programming to modify this framework or give us another idea to bypass the HSTS security.

My second idea: I read many posts about squid proxy server (blocking https). There are many people who try to block http://site.com and they succeeded, but when they go to https://site.com it works!!

The point is: if we block https from squid and use the url_rewrite function to redirect https://site.com to http://site.com by:

PHP Redirect (Simple)
#!/usr/bin/php
<?php
$temp = array();
// Extend stream timeout to 24 hours
stream_set_timeout(STDIN, 86400);
while ( $input = fgets(STDIN) ) {
  // Split the output (space delimited) from squid into an array.
  // explode() replaces split(), which was removed in PHP 7.
  $temp = explode(' ', $input);
  // Set the URL from squid to a temporary holder.
  $output = $temp[0] . "\n";
  // Check the URL and rewrite it if it matches foo.example.com
  if ( strpos($temp[0], "foo.example.com") !== false ) {
    $output = "302:http://www.example.com/\n";
  }
  echo $output;
}

I don't know if you understand what I mean, and I'm sorry for my bad English.

Waiting for experts' suggestions.


First of all, try using the correct URLs. Hotmail.com doesn't exist. Same for outlook.com. Those sites both got rewrites towards https://login.live.com/login.srf. If you would use that URL in squid-imposter, it would work for hotmail/outlook/livemail, whatever you want to call it.

Now for Yahoo. They don't have an http version, only https. So it will not work on them. (Actually impressed :p , even gmail still got http)
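
Added example, not part of the thread or of Squid-Imposter: a defender-side check of the Strict-Transport-Security header this discussion turns on, parsing it per RFC 6797 and listing the gaps that leave a host open to an HTTP downgrade. The function names, the 180-day `min_age` floor and the sample headers are assumptions constructed for illustration.

```python
import re

# One directive: name, optionally "=" then a token or a quoted string (RFC 6797, section 6.1).
_DIRECTIVE = re.compile(r'^([^\s;="]+)(?:\s*=\s*("[^"]*"|[^\s;"]+))?$')

def parse_hsts(value):
    """Return {directive: value}, or None when a browser would ignore the header."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()          # directive names are case-insensitive
        if name in directives:             # a repeated directive invalidates the header
            return None
        directives[name] = (m.group(2) or "").strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                        # max-age is required and must be a number
    return directives

def assess(scheme, header, min_age=15552000):
    """List the gaps that leave a host open to downgrade; min_age (180 days) is an assumed floor."""
    if scheme != "https":
        return ["HSTS header on a plain-HTTP response is ignored"]
    policy = parse_hsts(header) if header else None
    if policy is None:
        return ["no valid HSTS policy"]
    gaps = []
    age = int(policy["max-age"])
    if age == 0:
        gaps.append("max-age=0 deletes the stored policy")
    elif age < min_age:
        gaps.append("max-age shorter than %d seconds" % min_age)
    if "includesubdomains" not in policy:
        gaps.append("subdomains not covered")
    if "preload" not in policy:            # preload is a preload-list convention, not in the RFC
        gaps.append("no preload directive")
    return gaps

# Constructed sample responses (scheme, Strict-Transport-Security value), not captured traffic.
SAMPLES = [("https", "max-age=31536000; includeSubDomains; preload"),
           ("https", 'max-age="600"'), ("https", "max-age=100; max-age=200"),
           ("http", "max-age=31536000")]

if __name__ == "__main__":
    for scheme, header in SAMPLES:
        print(scheme, repr(header), "->", assess(scheme, header) or "no gaps found")
```

A host that still answers on plain HTTP and returns an empty list here is only protected after the browser has seen the header once over HTTPS, or if the domain is on the browser's preload list.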
