I have been working as a security consultant for a few months now, and one finding that is on almost every web server I come across is the lack of an HSTS (HTTP Strict Transport Security) implementation. This is understandable, since HSTS is still fairly new. In fact, before starting at Accuvant, I had never heard of it either! However, since most browsers support it now, I wanted to be able to report on it. As of the time of this post, Nexpose does not have a finding for this item, but I believe Nessus does. To report on this finding and provide screenshot evidence to customers, we often resorted to manually inspecting the headers or writing home-made scripts to do it.
Wait, HSTS? What are you talking about?
When a site is visited over unsecured HTTP, it is considered a best practice to do a 302 redirect to the HTTPS site, so that users who just type in the domain land on the secure version. That first request still goes out in cleartext, though, and an attacker on the network path can answer it and quietly strip the redirect. When the “Strict-Transport-Security” header is added to the HTTPS response, the browser records that, for the number of seconds given in the header’s max-age value, it must ONLY request the HTTPS version of the site, and it must treat certificate errors on that host as fatal instead of offering a click-through. This closes the window for SSL-stripping man-in-the-middle attacks on every visit after the first. Browsers only honor the header when it arrives over a valid HTTPS connection, so the very first visit remains unprotected unless the domain is on a browser’s HSTS preload list.
One convenient side effect of HSTS is that even a request for the HTTP version of the site (a typed URL, an old bookmark, or an http:// reference to an image, stylesheet, or script) is rewritten by the browser to HTTPS before it ever leaves the machine. The plaintext request, along with any cookies attached to it, is never sent. This prevents the leaks that otherwise occur with mixed content such as images, stylesheets, and scripts loaded over HTTP.
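To make the header semantics above concrete, here is an added example, written for this post and not part of the Metasploit module, that parses a Strict-Transport-Security value per RFC 6797 and grades it the way a consultant would when writing the finding: it flags a missing or zero max-age, a header sent over plain HTTP (which browsers ignore), a missing includeSubDomains, and a max-age below a one-year baseline. The one-year threshold and the sample responses are assumptions constructed for the example, not values from the post.

```python
"""Added example: parse and grade a Strict-Transport-Security header.

Written for this article; not part of the Metasploit http_hsts module.
The one-year max-age baseline is an assumed reporting threshold.
"""
import ssl
import sys
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

ASSUMED_MIN_MAX_AGE = 31_536_000  # one year in seconds (assumption, not from the post)


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsResult:
    """Parse one header value (RFC 6797 section 6.1: ';'-separated, case-insensitive directives)."""
    result = HstsResult(present=True)
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # the RFC allows a quoted-string value
        if name in seen:
            result.findings.append(f"directive '{name}' repeated; RFC 6797 forbids this and browsers discard the header")
            continue
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                result.max_age = int(val)
            else:
                result.findings.append(f"max-age value {val!r} is not a non-negative integer")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # any other directive is unknown and is ignored, as the RFC requires

    if result.max_age is None:
        result.findings.append("max-age missing; browsers ignore a header without it")
    elif result.max_age == 0:
        result.findings.append("max-age=0 tells browsers to forget the host's HSTS policy")
    elif result.max_age < ASSUMED_MIN_MAX_AGE:
        result.findings.append(f"max-age={result.max_age} is below the assumed one-year baseline")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains not set; plain-HTTP subdomains can still receive parent-domain cookies")
    return result


def evaluate_response(scheme: str, headers: Dict[str, str]) -> HstsResult:
    """Grade a response given the scheme it was fetched over and its response headers."""
    hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return HstsResult(present=False, findings=["Strict-Transport-Security header absent"])
    if scheme.lower() != "https":
        # RFC 6797 section 8.1: a header received over insecure transport MUST be ignored
        return HstsResult(present=True, findings=["header sent over plain HTTP; browsers ignore it"])
    return parse_hsts(hsts)


def fetch_and_evaluate(url: str) -> HstsResult:
    """Fetch headers from a live host (needs network access) and grade them."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        # use the final URL so a redirect from http:// to https:// is graded on the HTTPS hop
        return evaluate_response(urlparse(resp.geturl()).scheme, dict(resp.headers.items()))


# Constructed sample responses; not captured from any real host.
SAMPLES = {
    "good":      ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    "short":     ("https", {"Strict-Transport-Security": "max-age=300"}),
    "over-http": ("http",  {"Strict-Transport-Security": "max-age=31536000"}),
    "absent":    ("https", {"Content-Type": "text/html"}),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = fetch_and_evaluate(sys.argv[1])
        print(sys.argv[1], result.findings or "OK")
    else:
        for label, (scheme, hdrs) in SAMPLES.items():
            print(f"{label:10} {evaluate_response(scheme, hdrs).findings or 'OK'}")
```

Run it with no arguments to see the four constructed cases graded, or pass a URL (python hsts_check.py https://example.com) to grade a live host. Note that the scanner module below only reports whether the header is present; the max-age and includeSubDomains checks here are what you would add when writing up the finding.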
Get to the module already!
The crew over on the Metasploit team was really quick to add this module, which isn’t surprising since it was super easy to implement. I was honestly surprised that nobody had done it already. The code can be found here.
So how do I use this thing?
The usage is pretty simple. First, load up Metasploit and gaze at the ASCII-art:
Next, just load up the HSTS Scanner module and look at the options:
msf > use auxiliary/scanner/http/http_hsts
msf auxiliary(http_hsts) > show options

Module options (auxiliary/scanner/http/http_hsts):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    443              yes       The target port
   SSL      true             yes       Negotiate SSL for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

msf auxiliary(http_hsts) >
Add the hosts that you want to scan by setting the “RHOSTS” variable: