Lack of HTTP Strict Transport Security(HSTS)

The HTTP Strict Transport Security (HSTS) header is a security enhancement for the HTTP communication. When a supported browser receives this header, the browser will terminate and prevent any communications sent over HTTP to the application’s domain. The header initiates communication between the server and the client via HTTPS communication. Another advantage of the HSTS header is that it prevents HTTPS click through prompts on the browsers. There are many web applications that haven’t used HTTP Strict Transport Security to secure the communication. Without HSTS, there is a chance for the application to be a target to downgrade attacks, SSL-stripping, man-in-the-middle attacks and cookie-hijacking attacks. The HTTP Strict Transport Security (HSTS) allows a web server to declare stating; the web browsers should interact with the server using a secure HTTPS connection only. The HSTS is an IETF standards track protocol that is specified under RFC 6797. An HSTS Policy communicates with the server to the user agent through an HTTPS response header field named “Strict-Transport-Security”. The HSTS Policy specifies a period during which the user agent must use only secure access to the server. As the HSTS HTTP Header can only be recognised through an HTTPS connection, there are web applications that still allows HTTP users to interact with the application for fixing compatibility issues. Implementing compatibility fix is really a bad idea because the attacker can use different attacks to extract user data to compromise both server and user’s privacy.

Impact

The attacks include:-

  • Protocol Downgrade attacks: The Protocol downgrade attack is an attack through which, an attacker can downgrade the used protocol in the web application to communicate using any vulnerable protocol. Using the vulnerable protocol, the attacker can steal data sent between the server and the client.

  • SSL-stripping: The SSL stripping attack is a type of man-in-the-middle (MITM) attack that is used to downgrade HTTPS to HTTP communication. Under this attack, the attacker can redirect the traffic from the end user to his proxy.

  • Man-In-The-Middle attacks: The man-in-the-middle (MITM) attack is an attack through which an attacker can sniff data passed via the communication channel. The attacker can access sensitive information from login credentials to application’s cookies.

  • cookie-hijacking: The cookie hijacking attack is an attack through which, an attacker can hijack information present in the user’s cookie from the communication channel. The cookie details include information about the user’s session. The attacker can use this info to steal user’s sessions.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Configure the remote web server to communicate using HSTS.

  • If there is any preload directive in the application, it is recommended to switch back to HTTP. An attacker can send a preload directive from the application. These preload directives might have serious issues on the server. The preload directive can be used to prevent the users from accessing the web application along with any of its subdomains.

  • The web application must instruct the user’s web browser to only access the application using HTTPS. To do this, the application must enable HTTP Strict Transport Security (HSTS). The HSTS can be enabled by adding the response header ‘Strict-Transport-Security’. Set the value ‘max-age=expireTime’. We also recommend adding the ‘includeSubDomains’ flag.

        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

    

Related Articles