HSTS Web Security Policy
- This application demonstrates the HTTP Strict Transport Security (HSTS) web security policy, which helps protect websites and their users against protocol-downgrade attacks such as SSLStrip.
- We assume that you are already familiar with SSLStrip. If not, please visit our SSLStrip demonstration page first.
- In this demonstration, four containers will be created for you: one for the victim, one for the hacker, and two server containers, one that enforces HSTS and one that does not.
- The hacker container comes preloaded with the applications you will need to perform an SSLStrip attack on the victim.
- As in the SSLStrip demonstration, the victim container is a web emulation of a basic Ubuntu Linux machine with a terminal and the Firefox browser.
- Recall that a hacker performing an SSLStrip attack sits between the victim and the server and replaces the HTTPS links in the pages the victim receives with HTTP links, so the victim unknowingly communicates in cleartext HTTP with the hacker while the hacker keeps the HTTPS connection to the real server.
- The HSTS policy is intended to protect against such protocol-downgrade attacks: the server instructs the web browser to interact with it only over HTTPS, and a browser that has received that instruction rewrites any http:// URL for that host to https:// before sending the request, so there is no cleartext request for SSLStrip to intercept. Note that a browser only honors the instruction when it arrived over HTTPS and only for as long as the policy's max-age allows, so the very first visit to a site, before any policy has been seen, is not protected unless the site is on the browser's built-in preload list.
- Servers enforce this requirement by sending a special HTTP response header field named "Strict-Transport-Security", whose max-age directive tells the browser how many seconds to remember the policy and whose optional includeSubDomains directive extends it to all subdomains.
- In this demonstration, you will essentially repeat the steps of the SSLStrip attack and compare the results against a server that does not enforce HSTS versus a server that does.
- Ready to go? Try It!
- Note: You will have around 20 minutes to test this application.
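To make the browser-side behaviour described above concrete, here is a small simulation of the HSTS policy store that a browser keeps and of what SSLStrip does to a relayed page. It is an added example, not code from the lab or from any browser; the hostnames hsts.example.test and plain.example.test, the header values, and the page content are constructed for illustration, and the logic follows RFC 6797 (the header is ignored over plain HTTP, max-age is required, max-age=0 clears the policy, includeSubDomains covers child domains, and http:// URLs for a known host are upgraded before any request is sent).

```python
"""Simulated browser-side HSTS policy store, modelled on RFC 6797.

Added example, not part of the lab's own code. The hostnames
hsts.example.test and plain.example.test are constructed for illustration.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Cache of Strict-Transport-Security policies, keyed by hostname."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock, so expiry can be tested
        self._policies = {}            # host -> (expires_at, include_subdomains)

    def process_response(self, url, headers):
        """Record the policy carried by a response. Returns True if a policy
        was stored or cleared. Per RFC 6797 the header is ignored when the
        response arrived over plain HTTP, so an on-path attacker cannot
        plant or alter a policy."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name, val = name.strip().lower(), val.strip().strip('"')
            if name == "max-age" and val.isdigit():
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:            # max-age is a required directive
            return False
        host = parts.hostname.lower()
        if max_age == 0:               # max-age=0 tells the browser to forget the host
            self._policies.pop(host, None)
        else:
            self._policies[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host (or a parent domain with includeSubDomains) has an
        unexpired policy. Expired entries are dropped on the way."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= self.now():
                del self._policies[candidate]
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """What the browser does before sending a request: an http:// URL
        for a known HSTS host is upgraded to https:// and port 80 is dropped."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def sslstrip_page(html):
    """What the hacker's SSLStrip proxy does to a relayed page: every HTTPS
    link is rewritten to HTTP."""
    return html.replace("https://", "http://")


def victim_follows(store, html):
    """Return the URLs the victim's browser would actually request for each link."""
    return [store.rewrite(u) for u in re.findall(r'href="([^"]+)"', html)]


def demo():
    store = HstsStore()
    # Earlier, uncompromised HTTPS visits to both servers (constructed responses).
    store.process_response("https://hsts.example.test/login",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    store.process_response("https://plain.example.test/login", {})   # no HSTS header
    # The hacker's proxy strips the links in a page on its way to the victim.
    page = ('<a href="https://hsts.example.test/account">HSTS server</a> '
            '<a href="https://plain.example.test/account">plain server</a>')
    return victim_follows(store, sslstrip_page(page))


if __name__ == "__main__":
    for url in demo():
        print(url)
```

Running demo() shows the two outcomes the lab asks you to compare: the link to the HSTS server is upgraded back to https:// inside the browser, so the hacker never sees a cleartext request, while the link to the non-HSTS server is followed over http:// exactly as SSLStrip rewrote it. Try removing the earlier HTTPS visit to hsts.example.test in demo() to see the first-visit gap that only preloading closes.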