@unapibageek - @ssantosv
Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (Possibly) Chrome.
Sheila Ayelen Berta: Security Researcher, ElevenPaths (Telefonica Digital cyber security unit), 22 years old
Sergio De Los Santos: Head of Innovation and Lab, ElevenPaths (Telefonica Digital cyber security unit), N/A :p
[Figure: login form at HTTP://www.example.com/login, Username: John / Password: 1234]
[Figure: the same login form at HTTPS://www.example.com/login, Username: John / Password: 1234]
COMMON ATTACKS: SSLSTRIP, ROGUE CERTIFICATES
SOLUTIONS? HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pinning)
HSTS – First time requests
HSTS – HTTP requests after the HSTS header has been set
THERE IS NO FIRST HTTP (INSECURE) REQUEST. SSLSTRIP HAS NOTHING TO INTERCEPT, SO IT WON’T WORK.
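The two slides above contrast the very first plain-HTTP visit (no policy known yet, so a stripping proxy has something to work with) with every later visit, where the browser rewrites http:// to https:// before a request leaves the machine. The following is an added example, not code from the talk or from any browser: a minimal model of that RFC 6797 behaviour with a Strict-Transport-Security parser, the rule that the header only counts when received over HTTPS, includeSubDomains matching, and expiry. Host names, header values and the clock are constructed.

```python
# Added example (not from the talk): a minimal model of a browser's HSTS
# behaviour per RFC 6797. Host names, header values and the clock are constructed.
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float         # absolute time after which the policy is forgotten
    include_subdomains: bool


def parse_sts_header(value: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is unusable (missing or non-numeric max-age);
    directive names are case-insensitive and values may be quoted.
    """
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Dynamic HSTS store keyed by host name, as a browser keeps it."""

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock so expiry can be tested
        self.entries: dict[str, HstsEntry] = {}

    def observe_response(self, host: str, scheme: str, headers: dict) -> bool:
        """Record the policy carried by an HTTPS response.

        A header seen over plain HTTP is ignored (RFC 6797 section 8.1): that
        first insecure exchange is exactly the window the slides describe.
        """
        value = headers.get("Strict-Transport-Security")
        if scheme != "https" or value is None:
            return False
        parsed = parse_sts_header(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                     # max-age=0 means "forget this host"
            self.entries.pop(host, None)
        else:
            self.entries[host] = HstsEntry(self.now() + max_age, include_sub)
        return True

    def is_known_host(self, host: str) -> bool:
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= self.now():
                del self.entries[candidate]  # expired: drop it and keep looking
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before any request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    clock = [1000.0]
    store = HstsStore(now=lambda: clock[0])
    print(store.rewrite("http://www.example.com/login"))   # first visit: still http
    store.observe_response("example.com", "https",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(store.rewrite("http://www.example.com/login"))   # now upgraded to https
```

The `now` parameter is the only non-obvious design choice: it makes max-age expiry testable without sleeping, and it is also the hook through which a clock-manipulation attack (the Delorean step the later slides mention) would act, since every check is relative to the browser's idea of the current time.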
HPKP – Certificate Pinning
pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
pin-sha256="RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=";
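The two directives above are the part of a Public-Key-Pins header that carries the pins. As an added example (not code from the talk), the block below shows how a pin-sha256 value is derived per RFC 7469 (base64 of the SHA-256 of the DER SubjectPublicKeyInfo), how a browser parses the header, and the two acceptance rules that matter for a deployer: every pin must decode to 32 bytes, and the header must contain at least one pin that matches the served chain plus at least one backup pin that does not. The SPKI byte strings are constructed placeholders, not real keys; the slide's two pins are only used to show they are well-formed.

```python
# Added example (not from the talk): deriving and validating HPKP pins per RFC 7469.
# The SPKI values are constructed placeholders, not real certificate material.
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value for a DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str):
    """Parse a Public-Key-Pins value.

    Returns {'pins', 'max_age', 'include_subdomains'} or None when unusable:
    RFC 7469 requires max-age and at least two pins, each a 32-byte digest.
    """
    pins, max_age, include_sub = [], None, False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(raw, validate=True)
            except ValueError:           # binascii.Error is a ValueError subclass
                return None
            if len(digest) != 32:
                return None
            pins.append(raw)
        elif name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or len(pins) < 2:
        return None
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def chain_matches_pins(chain_spkis: list, pins: list) -> bool:
    """Pin validation on a later connection: some SPKI in the served chain
    must hash to one of the noted pins."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def header_is_acceptable(value: str, chain_spkis: list):
    """Browser-side acceptance when the header is first seen: it must parse,
    one pin must match the current chain, and one pin must be a backup that
    does not (so a key rotation cannot lock the site out of its own users)."""
    parsed = parse_pkp_header(value)
    if parsed is None:
        return None
    chain_pins = {spki_pin(s) for s in chain_spkis}
    has_match = any(p in chain_pins for p in parsed["pins"])
    has_backup = any(p not in chain_pins for p in parsed["pins"])
    return parsed if (has_match and has_backup) else None


if __name__ == "__main__":
    leaf, backup = b"constructed-leaf-spki", b"constructed-backup-spki"
    hdr = f'pin-sha256="{spki_pin(leaf)}"; pin-sha256="{spki_pin(backup)}"; max-age=5184000'
    print(header_is_acceptable(hdr, [leaf]))
```

The backup-pin rule is the operational point worth remembering: a site that pins only the key currently in its chain cannot rotate that key without bricking every returning visitor until max-age runs out.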
Attacking the HSTS (and HPKP) implementation in browsers
The curious thing… 1024 ENTRIES AS MAXIMUM
DEMO
Attack improvement… defeating FF’s score system
[Figure: JUNK HSTS ENTRIES INJECTION (SCORE = 0) -> DELOREAN +1 DAY -> JUNK HSTS ENTRIES INJECTION (SCORE = 1) -> DELOREAN +1 DAY -> JUNK HSTS ENTRIES INJECTION (SCORE = 2) -> …]
DEMO
DEMO
FF’s highlights – Cons:
• The attack may be somewhat complex to achieve: MITM + DELOREAN + HSTS injection.
• We need enough time inside the target’s network (it may take some hours).
Internal pentests, hotels… are the best scenarios ;)
DEMO
FF’s highlights - Pros:
• Attack effectiveness.
[Figure: HSTS slots filled with JUNK ENTRY – SCORE = 2 (three shown); REAL ENTRY – SCORE = 0; NEW ENTRY – SCORE = 0]
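The Firefox slides above describe a dynamic store capped at 1024 entries, a per-entry score that grows when a host is seen again on a later day, and eviction of the lowest-scored entry when the store is full; the figure shows score-2 filler entries outliving a score-0 real one. The block below is an added model of that failure mode, not Firefox's code: the limit, the day granularity and the tie-break are this model's assumptions, and the preload set stands in for the browser's built-in list, which the dynamic store never evicts. It shows both why the score helps (a same-day flood of new hosts only evicts other score-0 entries) and why a bounded store still cannot protect a host that is not preloaded. All host names are constructed.

```python
# Added example (not from the talk): a simplified model of a bounded dynamic HSTS
# store with score-based eviction, in the spirit of the Firefox behaviour the
# slides describe. Limits, day granularity and tie-breaking are this model's
# assumptions, not Firefox's code; the preload set stands in for the built-in
# list, which the dynamic store never evicts.
from dataclasses import dataclass

MAX_ENTRIES = 1024            # the dynamic-store limit quoted in the slides
SECONDS_PER_DAY = 86400


@dataclass
class Entry:
    expires_at: int
    score: int                # bumped each time the host is refreshed on a new day
    last_day: int


class BoundedHstsStore:
    def __init__(self, preload=(), max_entries=MAX_ENTRIES):
        self.preload = frozenset(preload)
        self.max_entries = max_entries
        self.entries: dict[str, Entry] = {}
        self.evictions: list[str] = []      # audit trail of dropped hosts

    def note(self, host: str, now: int, max_age: int) -> None:
        """Store or refresh a policy; preloaded hosts need no dynamic entry."""
        if host in self.preload:
            return
        day = now // SECONDS_PER_DAY
        entry = self.entries.get(host)
        if entry is not None:
            if day != entry.last_day:
                entry.score += 1
            entry.expires_at, entry.last_day = now + max_age, day
            return
        if len(self.entries) >= self.max_entries:
            self._evict_one()
        self.entries[host] = Entry(now + max_age, 0, day)

    def _evict_one(self) -> None:
        # lowest score goes first; ties broken by earliest expiry (model assumption)
        victim = min(self.entries,
                     key=lambda h: (self.entries[h].score, self.entries[h].expires_at))
        del self.entries[victim]
        self.evictions.append(victim)

    def is_protected(self, host: str, now: int) -> bool:
        if host in self.preload:
            return True
        entry = self.entries.get(host)
        return entry is not None and entry.expires_at > now


REAL = "login.example"                     # constructed host names throughout
LONG_AGE = 365 * SECONDS_PER_DAY


def _store_with_real_site(preload_real: bool) -> BoundedHstsStore:
    """Real site visited on day 0 and day 1, so its dynamic score is 1."""
    store = BoundedHstsStore(preload={REAL} if preload_real else ())
    store.note(REAL, 0, LONG_AGE)
    store.note(REAL, SECONDS_PER_DAY, LONG_AGE)
    return store


def same_day_flood_keeps_real() -> bool:
    """Why the score exists: a flood of new hosts on one day only evicts other
    score-0 entries, so the real site (score 1) survives."""
    store = _store_with_real_site(False)
    for i in range(2 * MAX_ENTRIES):
        store.note(f"filler{i}.invalid", 2 * SECONDS_PER_DAY, LONG_AGE)
    return store.is_protected(REAL, 2 * SECONDS_PER_DAY)


def multi_day_fill_model(preload_real: bool) -> dict:
    """The failure mode in the figure: MAX_ENTRIES-1 filler hosts refreshed on
    three consecutive days reach score 2; the next new host then evicts the
    lowest-scored entry, which is the real site unless it is preloaded."""
    store = _store_with_real_site(preload_real)
    fillers = [f"filler{i}.invalid" for i in range(MAX_ENTRIES - 1)]
    for day in (1, 2, 3):
        for host in fillers:
            store.note(host, day * SECONDS_PER_DAY, LONG_AGE)
    store.note("newcomer.invalid", 4 * SECONDS_PER_DAY, LONG_AGE)
    return {
        "real_protected": store.is_protected(REAL, 4 * SECONDS_PER_DAY),
        "evicted": list(store.evictions),
        "filler_score": store.entries[fillers[0]].score,
    }


if __name__ == "__main__":
    print(same_day_flood_keeps_real())
    print(multi_day_fill_model(preload_real=False))
    print(multi_day_fill_model(preload_real=True))
```

The defender's takeaway is in the last call: a host on the preload list never depends on a dynamic slot, so neither store exhaustion nor clock manipulation of max-age can remove its policy, which is why preloading remains the recommended deployment for sites that cannot tolerate a downgrade.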
The curious thing… NO STORAGE LIMITS
DEMO
Chrome highlights:
• The attack is very easy to achieve and can be tried in different ways (WiFi portal / MITM attack / etc.).
• Chrome stops working properly within a few minutes.
• The user is forced to clear browsing data in Chrome, and therefore the TransportSecurity file starts over again = HSTS/HPKP broken ;)
The curious thing…
WININET.DLL
HttpIsHostHstsEnabled
CheckHsts()
GetHstsEnabled()
IsHostHstsA()
GetHstsEntry()
SetHstsEntry()
UpdateHstsEntry()
AddHstsEntry()
CheckHstsInternal()
CheckHsts() -> GetHstsEnabled() -> CheckHstsInternal() -> IsHostHstsA() -> IsHostHstsInternal() -> ConvertURLtoHTTPS()
Landing issues…
AddHstsEntry() -> SetHstsEntry() -> SaveEntryToStore() -> ? -> ?
CACHE: “I remember if you visited the website over https or http… but not because of HSTS itself...”
DEMO
IE/Edge highlights:
• Most websites will not be remembered as protected with HSTS, due to problems in the storage process.
• The browser cache is what remembers whether you entered the website over http or https… not HSTS itself.
• Restarting the browser or the machine, or (most effectively) clearing the cache, leaves the user without real HSTS protection.
Conclusions…
We can tell there is no strong commitment yet to improving these implementations in browsers, so…
No one is safe… even with HSTS.
THANK YOU!
Sheila Ayelen Berta: Security Researcher – ElevenPaths (Telefonica Digital cyber security unit)
Sergio De Los Santos: Head of Research – ElevenPaths (Telefonica Digital cyber security unit)