No HTTP Strict Transport Security (HSTS) Proof of Concept
People often overlook a missing HSTS policy as a noteworthy vulnerability, even though it can be easily exploited to steal credentials. While exploiting it requires a man-in-the-middle (MITM) position, sometimes it really isn't that hard to become the MITM.
For example, if no ARP spoofing countermeasures are in place an attacker can easily become a mitm via ARP cache poisoning using many freely available programs. One such program is Man-in-the-Middle Framework (MITMF), which can be downloaded from https://github.com/byt3bl33d3r/MITMf.
The following command will conduct an ARP cache poisoning attack against the gateway and the target host (all on one line):
./mitmf.py -i eth0 --spoof --arp --gateway 192.168.0.1 --target 192.168.0.6
MITMF enables SSLstrip by default, which rewrites HTTPS links to HTTP, allowing me to see all the traffic between the target and the gateway. This only works if: 1) the site isn't enforcing HSTS; and 2) the end user's first request to the site goes out over plain HTTP, which is common when people type bankofamerica.com into the address bar instead of https://www.bankofamerica.com. HSTS closes the second condition: once a browser has seen a valid Strict-Transport-Security header from the site over HTTPS (or has the site in its built-in preload list), it upgrades http:// URLs to https:// itself before any request is sent, so there is no plaintext request for SSLstrip to intercept.
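To make the two conditions above concrete from the defender's side, here is an added example (not code from the original post, MITMf or any browser) that models the relevant browser behaviour: it parses a Strict-Transport-Security header, audits it for the weaknesses that leave a site strippable (missing or short max-age, no includeSubDomains, no preload), and keeps a simplified in-memory HSTS cache that upgrades http:// URLs for known hosts and ignores the header when it arrives over plain HTTP. The header values and host names are constructed for the example, and HstsCache is a teaching model, not a faithful reimplementation of any browser's store.

```python
"""Model of how a browser's HSTS cache defeats SSL stripping (constructed example)."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed header values for the example: a strong policy and a weak one.
STRONG_HSTS = "max-age=31536000; includeSubDomains; preload"
WEAK_HSTS = "max-age=300"

PRELOAD_MIN_AGE = 31536000  # preload list submission requires at least one year


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a policy dict.

    Returns None when the header is absent or carries no valid max-age;
    RFC 6797 makes max-age mandatory, so such a header is not enforceable.
    """
    if not header_value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def audit_hsts(header_value):
    """Return findings a defender would raise about a site's HSTS header."""
    policy = parse_hsts(header_value)
    if policy is None:
        return ["no enforceable HSTS policy: a plain http:// request can be stripped"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < PRELOAD_MIN_AGE:
        findings.append("max-age below one year: not eligible for the preload list")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains remain strippable")
    if not policy["preload"]:
        findings.append("preload missing: the very first visit is still unprotected")
    return findings


class HstsCache:
    """Simplified stand-in for a browser's HSTS store of known hosts."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expiry timestamp, include_subdomains)

    def observe_response(self, host, header_value, over_tls):
        """Record a policy; browsers ignore the header unless received over HTTPS."""
        policy = parse_hsts(header_value)
        if not over_tls or policy is None:
            return
        host = host.lower()
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)
            return
        self._hosts[host] = (self._now() + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry > self._now() and (i == 0 or include_subdomains):
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts before any request leaves."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The audit function is the check to run against your own sites; the cache shows why a correct policy matters: a host the browser already knows never issues the plaintext request that a stripping proxy depends on, and a header injected into a stripped HTTP response is simply ignored.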
For example's sake, a user browses to packtpub.com over plain HTTP (which, by the way, gives away a free technology book daily: https://www.packtpub.com/packt/offers/free-learning).
Notice that no secure green lock appears in the URL bar.
The user then logs in…
…and MITMF captures the credentials.
2016-09-19 14:22:25 192.168.0.6 [type:Firefox-48 os:Windows 7] POST Data (www.packtpub.com): email=jake%40example.com&password=not_my_real_password&op=Login&form_build_id=form-3967f2cd997f70eee50424d758a385de&form_id=packt_user_login_form