akde/infosec

Information security is ultimately about managing risk

HSTS HTTP Strict Transport Security

, , ,

Bypass

HSTS is based on host­names. If a tar­get already vis­it­ed www.supersite.example, you can try to redi­rect the tar­get to a sim­i­lar domain which the brows­er nev­er vis­it­ed before and thus does­n’t has HSTS activated.

  1. Rewrite the Host HTTP head­er for your serv­er you want to imper­son­ate and add anoth­er char­ac­ter, e.g. wwww.supersite.example.
  2. You pre­pared DNS pos­en­ing which will resolv www.supersite.example to your system.
  3. Deliv­er the orig­i­nal site via a SSLstrip proxy.

Leave a Reply

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';