No HTTP Strict Transport Security (HSTS) Proof of Concept with Man-in-the-Middle-Framework (MITMF)


People often overlook a missing HSTS policy as a noteworthy vulnerability, even though it can be easily exploited to steal credentials. Exploiting it requires a man-in-the-middle (mitm) position, but becoming the mitm is sometimes not that hard.

For example, if no ARP spoofing countermeasures are in place, an attacker can easily become a mitm via ARP cache poisoning using any of many freely available programs. One such program is Man-in-the-Middle Framework (MITMF), which can be downloaded from

The following command will conduct an ARP cache poisoning attack against the gateway and the target host (all on one line):

./ -i eth0 --spoof --arp --gateway --target

MITMF enables SSLstrip by default, which rewrites HTTPS links to HTTP and lets me see all of the traffic between the target and the gateway. This only works if 1) the site isn't enforcing HSTS, and 2) the end user reaches the site via HTTP, which is common because people usually type a site's name instead of first prepending https://www.
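A defender-side check for condition 1, added here as an example (it is not MITMF's code or the author's): it parses a Strict-Transport-Security header the way RFC 6797 defines it and lists the weaknesses that leave SSLstrip a foothold. The sample response headers are constructed; run it against the https:// response, since browsers ignore an HSTS header received over plain HTTP.

```python
"""Evaluate whether response headers carry an HSTS policy strong enough to stop
the SSL-stripping scenario described above (added example, not MITMF's code)."""
import re

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum max-age

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Directive names are case-insensitive and max-age may be quoted."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_problems(headers):
    """Return the weaknesses that leave sslstrip a foothold; [] means the policy
    is strong. Check the https:// response: browsers ignore HSTS sent over plain HTTP."""
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get("strict-transport-security")
    if value is None:
        return ["no HSTS header: the browser will follow sslstrip's rewritten http:// links"]
    policy = parse_hsts(value)
    max_age = policy["max_age"]
    problems = []
    if max_age is None:
        problems.append("max-age missing or malformed: browsers ignore the whole header")
    elif max_age == 0:
        problems.append("max-age=0 deletes any cached policy instead of enforcing one")
    elif max_age < ONE_YEAR:
        problems.append(f"max-age={max_age} expires in under a year")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing: subdomains remain strippable")
    if not policy["preload"]:
        problems.append("preload missing: the very first visit is unprotected until the "
                        "policy is cached; the directive plus list submission closes that gap")
    return problems

# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "no-hsts": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "strong": {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
}
```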


For example's sake, a user browses to (which, by the way, gives away a free technology book daily):


Notice that no secure green lock appears in the URL bar.

The user then logs in…


…and MITMF captures the credentials.

2016-09-19 14:22:25 [type:Firefox-48 os:Windows 7] POST Data (
