Insufficient Transport Layer Protection

Overview

Without a properly configured HTTPS connection between the web server and the client, traffic traveling over the HTTP protocol can be intercepted with packet sniffers.

Discovery Methodology

Use the application, noting whether pages are available over HTTP. Also check whether the application issues HTTP Strict Transport Security (HSTS) headers in its HTTP responses.

Exploitation

While on the same subnet as either the client or the server, use a packet sniffer to capture the HTTP packets while a user authenticates or performs other sensitive transactions.

Example

Proceed to the login page in Mutillidae (Login). Start a packet sniffer to capture packets. Be careful to start the sniffer on a network interface that is listening on the same subnet as Mutillidae. Ping or other programs can be used to confirm connectivity with the web server and to confirm the subnet being used to connect.
root@ubuntu:~# ping mutillidae.localhost
PING mutillidae.localhost (127.0.0.1) 56(84) bytes of data
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.017 ms
The ifconfig program shows the names of the network interfaces. Notice the interface that provides the route to mutillidae.localhost (127.0.0.1) is the "lo" interface.
root@ubuntu:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:f0:34:2a
inet addr:10.0.0.133 Bcast:10.0.0.255 Mask:255.255.255.0
...SNIP...
eth1 Link encap:Ethernet HWaddr 00:0c:29:f0:34:34
inet addr:172.16.0.248 Bcast:172.16.0.255 Mask:255.255.255.0
...SNIP...
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
...SNIP...
Wireshark can capture packets, but a dedicated packet capture tool such as tcpdump or tshark has the advantage of low overhead.
root@ubuntu:~# tcpdump -i lo -nn -v -w /tmp/login-packets.pcap
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
Later the packet capture can be opened in Wireshark to take advantage of the graphical view and advanced filtering capabilities.
root@ubuntu:~# wireshark /tmp/login-packets.pcap &
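The Discovery Methodology above asks whether pages are reachable over plain HTTP and whether HSTS headers are issued. The following added example (not code from the Mutillidae project) scores a captured response against those two checks plus the Secure cookie attribute, using constructed sample responses rather than live traffic.

```python
# Added example, not from the Mutillidae page: classify a response to the
# checks in the Discovery Methodology. Headers are a list of (name, value)
# pairs so repeated Set-Cookie lines survive. Input is constructed inline.
MIN_HSTS_MAX_AGE = 31536000  # one year, the minimum the HSTS preload list accepts

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def assess_response(scheme, status, headers):
    """Return a list of findings for a response received over `scheme`."""
    findings = []
    def get(name):  # every value of a header, matched case-insensitively
        return [v for k, v in headers if k.lower() == name]
    if scheme == "http":
        loc = get("location")
        if not (300 <= status < 400 and loc and loc[0].lower().startswith("https://")):
            findings.append("served over cleartext HTTP without redirect to HTTPS")
    hsts = get("strict-transport-security")
    if scheme == "http" and hsts:
        findings.append("HSTS header sent over HTTP is ignored by browsers (RFC 6797)")
    elif scheme == "https" and not hsts:
        findings.append("no Strict-Transport-Security header")
    elif scheme == "https":
        d = parse_hsts(hsts[0])
        if not d.get("max-age", "").isdigit():
            findings.append("HSTS max-age missing or malformed")
        elif int(d["max-age"]) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {d['max-age']} is shorter than one year")
        if "includesubdomains" not in d:
            findings.append("HSTS omits includeSubDomains")
    for cookie in get("set-cookie"):  # cookies without Secure are sent over HTTP too
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie.split('=')[0]} lacks the Secure attribute")
    return findings

# Constructed sample responses (not captured from a real Mutillidae instance).
HTTP_LOGIN = ("http", 200, [("Content-Type", "text/html"),
                            ("Set-Cookie", "PHPSESSID=constructed; path=/")])
HTTPS_HARDENED = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "PHPSESSID=constructed; path=/; Secure; HttpOnly")])

print(assess_response(*HTTP_LOGIN), assess_response(*HTTPS_HARDENED))
```

The same function can be fed the status line and headers of a request captured with tcpdump, after they are read out of the pcap in Wireshark.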
Videos

How to check HTTPS certificate from command line
How to check HTTPS Certificates for common issues
cURL Error: SSL Certificate Problem
How to Set HTTP Headers Using Apache Server
Check HTTP Headers with cURL
How to Check HTTP Headers (Command Line)
How to Check HTTP Headers from Browser
What is HTTP Strict Transport Security (HSTS)?
What is the HSTS Preload list?
Cookies: Part 2 - How Secure Cookies Work
SSLScan: Part 1 - How to test HTTPS, TLS, & SSL ciphers
SSLScan: Part 2 - How to Interpret the Results
How to Install SSLScan on Windows
What is Certificate Transparency? - Part 1
What is Certificate Transparency? - Part 2 - Expect-CT Header