HTTP Strict Transport Security header not available over HTTPS

OWASP 2013-A5 OWASP 2017-A6 CWE-16 ISO27001-A.14.1.2 WASC-15 WSTG-CONF-07 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

HSTS (HTTP Strict Transport Security) is one of the critical web security policy mechanisms. It allows a web server to declare that browsers must interact with it only over secure HTTPS connections, and never via the insecure HTTP protocol. This mechanism protects websites against protocol downgrade attacks and cookie hijacking. Once a browser has read this header, it stops all HTTP communication with the domain and uses HTTPS for every subsequent request to it.

Many servers send the Strict-Transport-Security header only in HTTP responses rather than in HTTPS responses. Browsers ignore the header when it arrives over plain HTTP, so the HSTS policy is never enforced and users cannot take advantage of it. Without HSTS, Man In The Middle (MITM) attacks become easier for attackers.

Example

        Strict-Transport-Security: max-age=31536000


Impact

This vulnerability has the following impacts:

  • Man in the middle attack. There are a few ways in which an end user is exposed to a Man In The Middle (MITM) attack:
    • If a user bookmarks a webpage as http://www.example.beaglesecurity.com rather than https://www.example.beaglesecurity.com.
    • If an HTTPS website contains HTTP links.
    • If a server serves the data over HTTP.
    • If an attacker intercepts the connection using an invalid certificate.

Mitigation / Precaution

Beagle recommends setting a proper HTTP Strict Transport Security header in HTTPS responses:

        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload


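The following checker, added here as an example and not part of the original article or of Beagle Security's scanner, parses a Strict-Transport-Security value and classifies a response the way this finding describes: a header seen over plain HTTP is ignored by browsers, a missing header over HTTPS is the vulnerability, and a value below the one-year max-age recommended above is reported as weak. The "weak"/"partial" thresholds, the sample responses and the check_live helper are assumptions for illustration.

```python
import re
from http.client import HTTPSConnection
from urllib.parse import urlsplit

HSTS_HEADER = "strict-transport-security"
RECOMMENDED_MAX_AGE = 31536000  # one year, the value in the mitigation above

def parse_hsts(value):
    """Split a Strict-Transport-Security value into directives.
    Returns None when max-age (the only required directive) is missing or not numeric."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def assess_hsts(scheme, headers):
    """Classify one response given its URL scheme and a header dict (case-insensitive names)."""
    value = next((v for k, v in headers.items() if k.lower() == HSTS_HEADER), None)
    if scheme != "https":
        # Browsers only honour HSTS on HTTPS responses; over HTTP the header is simply dropped.
        return "ignored: HSTS only takes effect when sent over HTTPS" if value else "n/a: plain HTTP response"
    if value is None:
        return "vulnerable: no Strict-Transport-Security header on HTTPS response"
    parsed = parse_hsts(value)
    if parsed is None:
        return "vulnerable: malformed Strict-Transport-Security header"
    if parsed["max_age"] < RECOMMENDED_MAX_AGE:  # assumed threshold: one year
        return "weak: max-age below one year (%d)" % parsed["max_age"]
    if not parsed["include_subdomains"]:
        return "partial: includeSubDomains missing"
    return "ok"

def check_live(url):
    """Hypothetical helper: HEAD the site over HTTPS and assess the real response headers."""
    conn = HTTPSConnection(urlsplit(url).hostname, timeout=10)
    conn.request("HEAD", "/")
    return assess_hsts("https", dict(conn.getresponse().getheaders()))

# Constructed sample responses illustrating the cases above.
SAMPLE_HTTP_ONLY = ("http", {"Strict-Transport-Security": "max-age=31536000"})
SAMPLE_HTTPS_MISSING = ("https", {"Content-Type": "text/html"})
```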