Skip to main content

ForceHTTPS:Strict-Transport-Security

Use of HTTPS for securing the data in transmission from eavesdropping is well known.
The user can be sure that the data he is submitting is going over encrypted channel and is secure from sniffing.
Although it's secure but few factors can still be considered as major lapse in implementing HTTPS securely.All modern web browsers are willing to compromise the security of sites that use HTTPS in order to be compatible with sites that deploy HTTPS incorrectly.For example, if an active attacker presents a self-signed certificate, web browsers permit the user to click through a warning message and access the site despite the error.Certificate Errors happen due to Common-Name mismatch between the certificate name and hosting server;Self-signed certificates or expired certificates.This behavior compromises the confidentiality of the site's Secure cookies, which often store a second factor of authentication, and allows the attacker to hijack a legitimate user's session.
End-user being a novice in security knowledge will happily choose to accept the warning message and tend to perform his action.

A new technique for thwarting this kind of flaws has been proposed by Adam Barth and Collin Jackson as 'ForceHTTPS'.By setting a ForceHTTPS cookie, a site owner asks the browser to treat HTTPS errors as attacks, not as simple configuration mistake.
ForceHTTPS causes a browser to do the following:

1.All errors like self-signed certificate warning or common-name mismatch will terminate the SSL Session.

2.Non-HTTPS connections are redirected to HTTPS.

3.Attempts to embed insecure (non-HTTPS) content into
the site fail with network errors.

But the ForceHTTPS protects you against the active/passive sniffing and improper configured web certificates.
It does not address threats like Phishing and Malware/Browser Vulnerabilities.

Paypal has alreday implemented it and currently Firefox,Goolge Chrome and Noscript is implementing it.
ForceHTTPS uses 'Strict-Transport-Policy'(STS) header to implement the security.

STS server returns the following response header:

"Strict-Transport-Security" ":" "max-age" "=" delta-seconds [ ";" "includeSubDomains" ]

For more info visit:https://crypto.stanford.edu/forcehttps/


Comments

Popular posts from this blog

File Upload through Null Byte Injection

Sometimes, during file upload we come across situation wherein there would be check on the file extension at the client side as well as server side too. If the application does allow only .jpeg extension to be uploaded, the client side java script checks for the extension of the file before passing the request. We all know that how easily this can be defeated.
Some applications, checks for the extension at the server side also. That's not easy to bypass. However there are some ways with which it still can be bypassed. Most of server side scripts are written in high level languages such as Php, Java etc who still use some C/C++ libraries to read the file name and contents. That leads to the problem. In C/C++ a line ends with /00 or which is called Null Byte. So whenever the interpreter sees a null byte at the end of the a string, it stops reading thinking it has reached at the end of the string.
This can be used for the bypass. It works for many servers, specially php servers. Th…

SQL Injection in search field

Earlier I had written about performing SQL injection in search field and how to do a DoS attack and privilege escalation using 'Like' operators. Now another SQLi exploitation I came across recently. That too in the search field. This becomes important as lots of people don't pay much attention on the search forms/ fields in the application. My aim is to show that a search form can also be exploited with SQL Injection. The following queries are based on a real world exploitation. The steps and data are for just illustration purpose only. Suppose, the search form provides the details of users who have accessed the application some time and their login time details etc, we just need to provide their name in the search box provided. All the data were being going as Post request. So, to just fingerprint the database, I provide, 'nil'+'esh' in the search field and it successfully gives me the results. That means the database behind the application is concatenat…

Insecure protocols

Some basic insecure protocols and risk associated with them: