How to pentest a site with HSTS enabled (bypassing HSTS)

1.    The problem: pentesting a site that has HSTS enabled

  • HTTP Strict Transport Security (HSTS) is a response header, Strict-Transport-Security, that tells a browser to talk to the site that set it over HTTPS only. If you run a site and include this header, and your clients use a browser that honours it, the browser will not open plain-HTTP links to that site: it rewrites them to HTTPS before the request leaves.
  • HSTS also turns certificate errors into hard failures. For a host the browser knows as HSTS, it no longer offers the "proceed anyway" option on an untrusted certificate. This is where Burp Suite comes in: when you proxy through Burp, the browser is shown a certificate issued by Burp's own CA, which the browser does not trust, so for an HSTS site it refuses to load the page at all.

Here is an example of Chrome's error, caused by Burp's self-signed, untrusted CA being presented for an HSTS site:

[Screenshot: Chrome's certificate error for an HSTS site proxied through Burp]

2.    How to pentest a website that has HSTS enabled

To get past HSTS during a test, I usually use one of two methods.

Method 1: Use a browser that does not implement the header, for example Firefox 3.6.25 (HSTS support arrived in Firefox 4). Such a browser ignores the HTTPS upgrade and still lets you click through certificate warnings, at the cost of testing with an obsolete client.

Method 2: Install the proxy's CA certificate as a trusted root CA, in this case the CA that Burp Suite generated. Do this only on a dedicated testing machine or VM: anything that holds the private key of a root CA trusted by that machine can intercept all of its TLS traffic.

To install Burp's root CA so that we can keep using any browser, Chrome for example, to test a Google server, follow the example below:

Step 1: Export Burp's root CA from Burp Suite

There are two ways to export the root CA from Burp Suite:

–        Using a browser

Open your browser (configured to proxy through Burp) and navigate to http://burp/, or to the proxy listener's own address, which is 127.0.0.1:8080 with Burp's default settings. If you have set up Burp's proxy listener on a different port, use that instead of 8080. Note that if you have disabled Burp's web interface (Proxy > Options > Miscellaneous > Disable web interface at http://burp), this method will not work; you either have to re-enable the web interface or use the other method.

[Screenshot: Burp's web interface]

Click CA Certificate to download the certificate.

[Screenshot: Downloading Burp's CA]

–        Using Burp's certificate export functionality

If you have disabled Burp's web interface, you can export the certificate directly from Burp. This function also lets you export the certificate together with its private key for use in other applications, which is useful if you want to sign your own custom certificates without generating a new root CA, as I did for Hipchat.

Open Burp and go to Proxy > Options. Under Proxy Listeners at the top of the page there is a button named Import / export CA certificate. Note that the same dialog also lets you regenerate the CA certificate.

[Screenshot: Burp's import/export functionality]

Click the button and use the wizard to export Burp's root CA. At this stage we only need the certificate, not the private key, so select the top option under Export, Certificate in DER format.

[Screenshot: Exporting the certificate in Burp]

Click Next and then Select file.

[Screenshot: Select file]

Now select a filename and path for the certificate.

[Screenshot: Select path and filename]

Click Next and then finally Close.

Step 2: Install Burp's root CA in the Windows certificate store

Double-click the certificate and then click Install Certificate.

[Screenshot: Install Certificate button]

Click Next until you reach the screen where you choose the certificate store. Select Place all certificates in the following store and then click Browse.

[Screenshot: Selecting the certificate store]

Select Trusted Root Certification Authorities, press OK and then Next.

[Screenshot: Selecting the root CA certificate store]

If Burp's CA was not already installed, you will get a security warning after clicking Finish. It is telling you that Windows will from now on trust anything this CA signs, which is exactly the capability that makes the proxy work, and exactly why this CA's private key must never leave your test machine.

[Screenshot: Security warning when installing a root CA]

Press Yes and you should get an "Import was successful" message.

Now any certificate signed by Burp will be accepted by most thick-client applications, Internet Explorer and Chrome, all of which use the Windows certificate store. Note that Firefox has its own certificate store and proxy settings, so the CA has to be imported into Firefox separately. Applications that pin their server certificate instead of trusting the OS store will still reject Burp's certificate; that is a separate problem from HSTS.

[Screenshot: Gmail proxied through Burp]

Restart Chrome, and notice how we can now proxy Gmail through Burp.

3.    How do we know whether a site uses HSTS?

Chrome ships with a built-in preload list of HSTS sites; you can see it here: https://www.chromium.org/hsts. A site on the preload list is treated as HSTS from the very first visit, before any response header has been seen; any other site only becomes HSTS for your browser after it has received the header over HTTPS once.

You can also simply search the HTTP responses for the string "strict-transport-security".
Here we use Burp to show the Gmail response, which includes this header.
Finally, what if you don't have a proxy and want to verify whether a site uses HSTS?

Chrome has a great built-in network capture feature. Simply point it to:

and hit the Dump to file button after navigating to the site in question.
It generates a "net-internals-log.json" file in which you can inspect the traffic and look for the header.

