HTTP Public Key Pinning (HPKP) header cannot be recognised
OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 CWE-16 ISO27001-A.14.1.2 WASC-15 WSTG-CONF-07
There are web applications that cannot recognise the HTTP Public Key Pinning header. This error is due to incorrect configuration of the HTTP Public Key Pinning header. The HTTP Public Key Pinning header is one of the Internet security mechanisms used to allow HTTPS websites to resist impersonation by attackers. The attacker exploits this vulnerability by using misused or fraudulent certificates. If the HTTP Public Key Pinning header mechanism is not working correctly, the attacker might be able to impersonate the server with a fraudulent certificate and infiltrate the web application. This attack can have catastrophic effects on the server.
The HTTP Public Key Pinning header is a security feature that instructs a browser or web client to associate a specific cryptographic public key with the web server. This pinning protects the web server from attacks such as the Man-In-The-Middle (MITM) attack. HPKP uses a technique called Trust on First Use (TOFU). HPKP works as follows:-
- The web server first sends the public keys via the HPKP header to the client.
- The client stores the keys for a specific period of time.
- When the client visits the server again, the client looks in the certificate chain it is presented with for the known keys that it previously received via the HPKP header.
If the server presents only unknown keys, the client treats this as a pin validation failure and must be notified about the issue.
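The three steps above, and the first two fixes recommended below, can be made concrete with the following Python example. It is added here for illustration and is not code from Beagle or from any browser. It computes RFC 7469 pins (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo), parses a Public-Key-Pins header, applies the rule that makes a browser ignore a misconfigured header (at least one pin must match a key in the served chain and at least one must be a backup pin that does not), and checks the chain of a later connection against the stored pins. The SPKI byte strings are constructed placeholders standing in for real DER-encoded keys, and all function names are the example's own.

```python
"""Added example: how a user agent evaluates an HPKP (Public-Key-Pins) header.

Pins are base64(SHA-256(DER SubjectPublicKeyInfo)) per RFC 7469. The SPKI byte
strings below are constructed placeholders, not real DER; everything else is
plain standard-library Python.
"""
from __future__ import annotations

import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin value for one public key: base64 of the SHA-256 of its DER SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value.

    Returns pins, max_age, include_subdomains and report_uri. Raises ValueError
    for a header this example treats as malformed (missing max-age, or a pin
    that is not the base64 of a 32-byte digest). Unknown directives are skipped.
    """
    parsed = {"pins": [], "max_age": None, "include_subdomains": False, "report_uri": None}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(raw, validate=True)
            except ValueError as exc:  # binascii.Error is a ValueError subclass
                raise ValueError(f"pin is not valid base64: {raw!r}") from exc
            if len(digest) != 32:
                raise ValueError(f"pin is not a SHA-256 digest: {raw!r}")
            parsed["pins"].append(raw)
        elif name == "max-age":
            if not raw.isdigit():
                raise ValueError(f"max-age must be a non-negative integer: {raw!r}")
            parsed["max_age"] = int(raw)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "report-uri":
            parsed["report_uri"] = raw
    if parsed["max_age"] is None:
        raise ValueError("max-age directive is required")
    return parsed


def evaluate_pkp(header: str, chain_spki: list) -> tuple:
    """First visit (TOFU): decide whether a UA would note the header's pins.

    RFC 7469 requires at least one pin matching an SPKI in the served chain and
    at least one that does not match (the backup pin); otherwise the header is
    ignored, which is the "cannot be recognised" failure. Returns (accepted, reason).
    """
    try:
        parsed = parse_pkp_header(header)
    except ValueError as exc:
        return False, f"malformed header ignored: {exc}"
    chain_pins = {spki_pin(spki) for spki in chain_spki}
    matched = [p for p in parsed["pins"] if p in chain_pins]
    backup = [p for p in parsed["pins"] if p not in chain_pins]
    if not matched:
        return False, "no pin matches the served chain; header ignored"
    if not backup:
        return False, "no backup pin present; header ignored"
    if parsed["max_age"] == 0:
        return True, "max-age=0: stored pins for this host are removed"
    return True, f"pins noted for {parsed['max_age']} seconds"


def chain_satisfies_pins(stored_pins: set, chain_spki: list) -> bool:
    """Later visit: the chain is acceptable if any SPKI in it hashes to a stored pin."""
    return any(spki_pin(spki) in stored_pins for spki in chain_spki)


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEAF_SPKI = b"constructed-leaf-spki-not-real-der"
INTERMEDIATE_SPKI = b"constructed-intermediate-spki"
BACKUP_SPKI = b"constructed-offline-backup-key-spki"
SERVED_CHAIN = [LEAF_SPKI, INTERMEDIATE_SPKI]

# A correctly configured header: one pin in the chain plus an offline backup pin.
GOOD_HEADER = (
    f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    "max-age=5184000; includeSubDomains"
)
# Misconfigurations that make a UA ignore the header.
NO_BACKUP_HEADER = f'pin-sha256="{spki_pin(LEAF_SPKI)}"; max-age=5184000'
WRONG_KEY_HEADER = (
    f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; pin-sha256="{spki_pin(b"another-constructed-spki")}"; '
    "max-age=5184000"
)

if __name__ == "__main__":
    for label, header in [("good", GOOD_HEADER), ("no backup", NO_BACKUP_HEADER), ("wrong key", WRONG_KEY_HEADER)]:
        print(f"{label:>9}: {evaluate_pkp(header, SERVED_CHAIN)}")
    stored = set(parse_pkp_header(GOOD_HEADER)["pins"])
    print("return visit, same chain:", chain_satisfies_pins(stored, SERVED_CHAIN))
    print("return visit, rogue chain:", chain_satisfies_pins(stored, [b"constructed-rogue-spki"]))
```

Running it shows the well-formed header accepted, the single-pin header rejected for lacking a backup, and the header whose pins match nothing in the served chain rejected outright; the last two are the configuration mistakes that leave the header unrecognised, and the final two lines show the return-visit check from step three passing for the pinned chain and failing for a chain built from an unknown key. Note that major browsers have since removed HPKP support, so the check is useful mainly for auditing legacy configurations.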
This vulnerability will cause the following impacts:-
- Cross-site scripting - Cross-site Scripting (XSS) is a client-side code injection attack in which an attacker injects malicious scripts into a website or web application.
- Clickjacking - Clickjacking is a malicious technique of tricking a user into clicking on a link, thus potentially revealing confidential information or giving up control of their computer while clicking on seemingly innocuous web pages.
- Code injection attacks - Code injection is the exploitation of a computer bug caused by the processing of invalid data.
- Man-In-The-Middle (MITM) attack - The attacker uses a MITM attack with forged certificates to intercept communication between the client and the server.
Mitigation / Precaution
Beagle recommends the following fixes:-
- Set the HTTP Public Key Pinning header properly.
- Pin to the end entity certificate.
- Audit the application’s configuration and detect unwanted pinning.