Redirection from HTTP to HTTPS to a different host preventing HSTS

OWASP 2013-A5 OWASP 2017-A6 CWE-16 ISO27001-A.14.1.2 WASC-15 WSTG-CLNT-04

The most effective way to move traffic from HTTP to HTTPS is a permanent redirect: search engines and users reach the HTTPS version of the site from any HTTP request. On its own, though, this technique cannot guarantee safe traffic for your users. If the HTTP-to-HTTPS redirect sends the client to a different host (for example from the bare domain straight to a www subdomain), the original host never answers over HTTPS and so never delivers an HSTS policy for itself; the browser keeps sending plain-HTTP requests to that host, which an attacker on the network can intercept or turn into a phishing redirect. A redirect whose target comes from a user-supplied parameter without proper validation makes this worse. HSTS (HTTP Strict Transport Security) is a web security mechanism that makes a browser use only secure connections to a server once the server has announced the policy.

Impact

Using this vulnerability, an attacker can:

  • redirect the user to a malicious site to steal information or data.
  • show end users false data, which in turn damages the credibility of the website.

Mitigation / Precautions

According to Beagle, a secure connection can be achieved by using a response header field named Strict-Transport-Security.

        Strict-Transport-Security: max-age=31539000


A universal and straightforward technique is to configure the server to redirect every HTTP request to HTTPS on the same host and to send the Strict-Transport-Security header in the HTTPS response. Browsers only accept HSTS from a response received over HTTPS, so once the client has seen the header it upgrades later requests to that host by itself. The very first plain-HTTP request is always unprotected, because the policy is not yet known to the client.

        Strict-Transport-Security: max-age=31536000; includeSubDomains


The includeSubDomains directive above extends the policy to every subdomain of the host, so their connections are treated as secure-only as well.
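As an added illustration of the two points above (this is example code, not the page's or Beagle's own; the hosts example.test and www.example.test and the response tables are constructed), the following Python script walks an HTTP-to-HTTPS redirect chain offline and reports whether the original host ever receives an HSTS policy a browser will honour. It covers the vulnerable cross-host redirect, the same-host redirect that fixes it, and the common mistake of sending the header only over plain HTTP.

```python
"""Offline check for the HTTP -> HTTPS redirect chain described above.

Added example, not code from the page or from Beagle. The hosts
(example.test, www.example.test) and the response tables are constructed.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
HSTS = "Strict-Transport-Security"

# Constructed server responses: url -> (status code, response headers).
# Vulnerable layout: the bare host jumps straight to a different host, so
# https://example.test/ is never served and never announces HSTS for itself.
VULNERABLE_SITE = {
    "http://example.test/": (301, {"Location": "https://www.example.test/"}),
    "https://www.example.test/": (200, {HSTS: "max-age=31536000; includeSubDomains"}),
}

# Fixed layout: first upgrade on the same host (with HSTS), then change host.
FIXED_SITE = {
    "http://example.test/": (301, {"Location": "https://example.test/"}),
    "https://example.test/": (301, {"Location": "https://www.example.test/",
                                     HSTS: "max-age=31536000; includeSubDomains"}),
    "https://www.example.test/": (200, {HSTS: "max-age=31536000; includeSubDomains"}),
}

# Common mistake: HSTS sent only on the plain-HTTP response, which browsers ignore.
HSTS_OVER_HTTP_SITE = {
    "http://example.test/": (301, {"Location": "https://www.example.test/",
                                    HSTS: "max-age=31536000"}),
    "https://www.example.test/": (200, {}),
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: the directive is ignored
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def follow_chain(site, start, max_hops=10):
    """Follow Location headers through the constructed response table."""
    chain, url = [], start
    for _ in range(max_hops):
        status, headers = site.get(url, (0, {}))  # 0 = no response recorded
        chain.append((url, status, headers))
        if status not in REDIRECT_CODES or "Location" not in headers:
            break
        url = urljoin(url, headers["Location"])
    return chain


def assess(site, start):
    """Decide whether the origin host of `start` ever receives a usable HSTS policy.

    Browsers only honour HSTS from an HTTPS response of the host itself, so the
    chain must contain an https:// hop on the origin host carrying max-age > 0.
    """
    origin = urlsplit(start).hostname
    chain = follow_chain(site, start)
    result = {"chain": [url for url, _, _ in chain],
              "cross_host_redirect": False, "hsts_for_origin": None}

    first_url, first_status, first_headers = chain[0]
    if urlsplit(first_url).scheme == "http" and first_status in REDIRECT_CODES:
        target = urlsplit(urljoin(first_url, first_headers.get("Location", "")))
        result["cross_host_redirect"] = target.hostname != origin

    for url, _, headers in chain:
        parts = urlsplit(url)
        # HSTS on an http:// response is ignored by browsers; only https:// counts.
        if parts.scheme == "https" and parts.hostname == origin and HSTS in headers:
            policy = parse_hsts(headers[HSTS])
            if policy["max_age"] and policy["max_age"] > 0:
                result["hsts_for_origin"] = policy
                break

    result["vulnerable"] = result["hsts_for_origin"] is None
    return result


if __name__ == "__main__":
    for name, site in [("vulnerable", VULNERABLE_SITE), ("fixed", FIXED_SITE),
                       ("hsts-over-http", HSTS_OVER_HTTP_SITE)]:
        r = assess(site, "http://example.test/")
        print(f"{name:15} cross-host redirect={r['cross_host_redirect']} "
              f"vulnerable={r['vulnerable']} chain={' -> '.join(r['chain'])}")
```

The checker deliberately ignores a Strict-Transport-Security header on an http:// response and treats max-age=0 as no policy, since that is how browsers behave; the same logic can be pointed at live responses by replacing the response tables with real fetches.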
