HackerSecret.com - The Most Authoritative Site in the World on the Hacking Tools and Techniques, Penetration Testing and CyberSecurity


HSTS From Top to Bottom or GTFO

by / Saturday, 09 November 2019 / Published in Hacking

We’re pretty much at a “secure by default” internet these days, at least that’s the assumption with most websites, particularly so in the financial sector. About 80% of all web pages are loaded over an HTTPS connection, browsers are increasingly naggy when anything isn’t HTTPS and it’s never been cheaper nor easier to HTTPS all your things. Which meant that this rather surprised me:

[Image: screenshot]

Let me break down what’s happening here: I’m in (yet another) hotel and on complete autopilot, I start typing “xer” into the address bar which Chrome then dutifully auto-completes for me:

[Image: Chrome address bar autocompleting "xer" to xero.com]

Because it’s hotel wifi I expect it to be slow, so I flick over to another tab to do other useful things before switching back to the Xero tab ready to log myself in. Now, imagine for a moment that I’d been confronted with this page:

[Image: doctored screenshot of a rogue Xero homepage served insecurely]

I’ve doctored this image to represent what could easily have been a rogue Xero homepage, but would I have hit the login button if I’d seen it? Would I then have entered my credentials on the resulting page, even if still served insecurely? Possibly, although a saving grace would have been Chrome’s red indicator once I started typing the password (although in my case, I would have tried to autofill from 1Password and I’d have 2FA to protect me if someone else grabbed it, but you get the point). No really, I pay a lot of attention to this stuff and I’ll admit that I could easily have missed the absent padlock. And why is there no HSTS which would have avoided this situation altogether? So I decide to check out the response headers on the login page and behold, there’s HSTS:

[Image: login page response headers showing the Strict-Transport-Security header]

That’s one year’s worth of seconds and I visit the site regularly, so what’s the problem? The obvious one is a combination of two things: the domain returning the header is different to the one I originally went to, and the HSTS setting doesn’t specify that it should include subdomains. No such header is returned on the apex domain, so with my mental autopilot, Chrome autocompleting to xero.com and defaulting to the insecure scheme (as all browsers presently do), the result was no HTTPS and the local network effectively MitM’ing the request.

The irony with all this is that Xero obviously recognises the value of HSTS or they wouldn’t have used it anywhere, yet by failing to use it on the landing page they leave customers vulnerable to precisely the sort of risk they added HSTS on the login page to prevent. So the moral of the blog post is that HSTS must exist across the entire route of navigation and ideally, also include subdomains and be preloaded. And hey, it’s free, easy and one of the best defences going for precisely this threat.
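To make the gap concrete, here is an added example (not from the original post) that models the per-host HSTS store a browser keeps and replays the navigation above. The hostname `login.xero.com` and all header values are assumptions constructed for illustration, not Xero’s actual configuration.

```python
import re

def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        m = re.match(r'max-age\s*=\s*"?(\d+)"?$', directive, re.I)
        if m:
            policy["max_age"] = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive.lower() == "preload":
            policy["preload"] = True
    return policy

class HstsCache:
    """Minimal model of the per-host HSTS store a browser keeps."""
    def __init__(self):
        self.hosts = {}

    def observe(self, host: str, header: str) -> None:
        """Record a policy from an HTTPS response (browsers ignore HSTS over HTTP)."""
        policy = parse_hsts(header)
        if policy["max_age"] > 0:
            self.hosts[host] = policy
        else:
            self.hosts.pop(host, None)  # max-age=0 tells the browser to forget the host

    def upgrades(self, host: str) -> bool:
        """Would a plain http:// navigation to `host` be rewritten to https://?"""
        if host in self.hosts:
            return True
        # Walk up the labels: a parent that set includeSubDomains covers this host.
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = self.hosts.get(".".join(labels[i:]))
            if parent and parent["include_subdomains"]:
                return True
        return False

def xero_scenario(apex_header=None) -> bool:
    """Replay the post: HSTS seen only on the (assumed) login host, then ask whether
    a later http://xero.com visit is upgraded. `apex_header` is a constructed fix."""
    cache = HstsCache()
    cache.observe("login.xero.com", "max-age=31536000")  # one year, no includeSubDomains
    if apex_header:
        cache.observe("xero.com", apex_header)
    return cache.upgrades("xero.com")
```

`xero_scenario()` returns False: a year-long policy on the login host says nothing about the apex domain, and only a header on `xero.com` itself (ideally with `includeSubDomains`) closes the gap.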


Troy Hunt’s Blog
