http - HSTS bypass with sslstrip+ & dns2proxy -

-

i trying understand how bypass hsts protection. i've read tools leonardonve ( https://github.com/leonardonve/sslstrip2 , https://github.com/leonardonve/dns2proxy ). quite don't it.

  • if client requesting first time server, work anytime, because sslstrip strip strict-transport-security: header field. we're in old case original sslstrip.

  • if not ... ? happens ? client know should interact server using https, automatically try connect server https, no ? in case, mitm useless ... ><

looking @ code, kinda sslstrip2 change domain name of ressources needed client, client not have use hsts since these ressources not on same domain (is true?). client send dns request dns2proxy tool intercept , sends ip address real domain name.at end, client http ressources should have done in https manner.

example : server response, client have download mail.google.com. attacker change gmail.google.com, it's not same (sub) domain. client dns request domain, dns2proxy answer real ip of mail.google.com. client ask ressource on http.

what don't before that... how attacker can html-strip while connection should https client server ... ?

a piece missing ... :s

thank you

ok after watching video, better understanding of scope of action possible dns2proxy tool. understood :

  • most of users on https page either clicking link, or redirection. if user directly fetch https version, attack fails because unable decrypt traffic without server certificate.
  • in case of redirection or link sslstrip+ + dns2proxy enabled being in middle of connection .. mitm ! ==>
    • the user goes on google.com
    • the attacker intercept traffic server client , change link sign in "https://account.google.com" "http://compte.google.com".
    • the user browser make dns request "compte.google.com".
    • the attacker intercept request, make real dns request real name "account.google.com" , sends response "fake domain name + real ip" user.
    • when browser receives dns answer, search if domain should accessed https. checking preloaded hsts list of domains, or seeing domain visited in cache or session, dunno. since domain not real, browser make http connection real address ip. ==> http traffic @ end ;)

so real limitations still need indirect https links work. sometime browser directly "re-type" url entered https link.

cheers !


Comments

Post a Comment

Popular posts from this blog

google chrome - Developer tools - How to inspect the elements which are added momentarily (by JQuery)? -

-
i looking @ how website designed using inspector in chrome. can use firefox developer tools or firefox web developer add-on or chrome web developer extension. so website has slide-show , using jquery it. looking @ markup , css in inspector, i see 2 things constantly changing slides change: one opacity css property understandable, i'd see changing values, changes fast see read anything. second- a div added in div slides change momentarily , moment when appears short notice except div . so question is there way stop slideshow can temporarily rid of blinking sort of effect (by speedy adding , removal , changing of elements , values)? where can inspect div element gets added such short moment , , gets removed? , can see changes in value of opacity takes place? is there way stop slideshow can temporarily rid of blinking sort of effect (by speedy adding , removal , changing of elements , values)? if opacity animated css transition or animation,
Read more

angularjs - Showing an empty as first option in select tag -

-
my app showing empty select field first entry. have read other solution given , tried still not working. my controller code is: .controller('usercreatecontroller', function(user,profile,auth) { alert("hello"); var vm = this; vm.type = 'create'; profile.all() //this service fetch profiles shown in select field .success(function(data){ vm.profile = data; }); vm.userdata.profile = vm.profile[0]; //here have set default value select field and html page is: <label class="col-sm-2 control-label">profile</label> <div class="col-sm-8"> <select ng-model="user.userdata.profile" ng-options="person._id person.profilename person in user.profile"> </select> </div> hierarchy of vm.profile { "_id": 46, "profile": objectid("5516498e95b84548156db754"), "isactive": true, "password": "$2
Read more

php - Cloud9 cloud IDE and CakePHP -

-
i attempting cakephp running on cloud9, cloud based ide. unaware, cloud collaboration ide intermixes services such bitbucket. site gives sudo rights, , installed cakephp using these instructions: https://www.digitalocean.com/community/tutorials/how-to-install-cakephp-on-an-ubuntu-12-04-vps when attempt run database exported machine cakephp installed, error message "url rewriting not configured on server." attempted solve issue using official guide cakephp: http://book.cakephp.org/2.0/en/installation/url-rewriting.html but no cigar, same error message. has gotten cakephp working, or aware of cloud ide free/low cost cloud9 support cakephp? here's how got working now: sudo apt-get update sudo apt-get install php5-intl curl -ss https://getcomposer.org/installer | php -- --filename=composer ./composer create-project --prefer-dist cakephp/app this creates project in /app default. move workspace docroot: mv app/* ./ mv app/.* ./ rm -rf app then de
Read more