{"id":3126,"date":"2021-05-03T13:17:28","date_gmt":"2021-05-03T11:17:28","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3126"},"modified":"2023-12-24T12:45:51","modified_gmt":"2023-12-24T11:45:51","slug":"hsts-http-strict-transport-security","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3126","title":{"rendered":"<span class=\"caps\">HSTS<\/span> <span class=\"caps\">HTTP<\/span> Strict Transport Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Bypass<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">HSTS<\/span> is based on host\u00adnames. If a tar\u00adget already vis\u00adit\u00aded www.supersite.example, you can try to redi\u00adrect the tar\u00adget to a sim\u00adi\u00adlar domain which the brows\u00ader nev\u00ader vis\u00adit\u00aded before and thus does\u00adn\u2019t has <span class=\"caps\">HSTS<\/span> activated.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Rewrite the Host <span class=\"caps\">HTTP<\/span> head\u00ader for your serv\u00ader you want to imper\u00adson\u00adate and add anoth\u00ader char\u00adac\u00adter, e.g. wwww.supersite.example.<\/li><li>You pre\u00adpared <span class=\"caps\">DNS<\/span> pos\u00aden\u00ading which will resolv www.supersite.example to your system.<\/li><li>Deliv\u00ader the orig\u00adi\u00adnal site via a SSLstrip proxy.<\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Bypass <span class=\"caps\">HSTS<\/span> is based on host\u00adnames. If a tar\u00adget already vis\u00adit\u00aded www.supersite.example, you can try to redi\u00adrect the tar\u00adget to a sim\u00adi\u00adlar domain which the brows\u00ader nev\u00ader vis\u00adit\u00aded before and thus does\u00adn\u2019t has <span class=\"caps\">HSTS<\/span> acti\u00advat\u00aded. Rewrite the Host <span class=\"caps\">HTTP<\/span> head\u00ader for your serv\u00ader you want to imper\u00adson\u00adate and add anoth\u00ader char\u00adac\u00adter, e.g. wwww.supersite.example. You prepared&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[396,389,8,394],"class_list":["post-3126","post","type-post","status-publish","format-standard","hentry","category-general","tag-hsts","tag-mitm","tag-ssl","tag-sslstrip"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3126"}],"version-history":[{"count":1,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3126\/revisions"}],"predecessor-version":[{"id":3127,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3126\/revisions\/3127"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}