Burp Suite User Forum


Strict transport security not enforced -- misstatement of facts/lack of proof

Anders | Last updated: May 18, 2017 06:32AM UTC

I'm using Pro 1.7.22, and when I test a fairly normal web application I get an issue report 'Strict transport security not enforced', which from a general perspective is correct: the application does not provide a Strict-Transport-Security header. That far, I have no complaint. However, the issue text states: 'The application fails to prevent users from connecting to it over unencrypted connections.' This is not supported by any facts. (I expected to find a request/response pair to back the statement up, but I don't.) Suggestion: Include the request/response in the issue description to allow the tester to evaluate the claim more easily. What is true is that http://<path> returns a response, and perhaps this has been taken as an indication of a problem. However, http://<path> only returns the default IIS page, and so does not provide access to the web application. Thus, no vulnerability is actually demonstrated. Suggestion: Unless the responses to http://<path> and https://<path> are very similar, don't rate the issue as a certainty. (The certainty is that there is no Strict-Transport-Security header, but that absence is not on its own a vulnerability.) Suggestion: Include both responses (http and https) in the issue, so that the tester can send both identified responses to the comparer and evaluate/verify the claim.

PortSwigger Agent | Last updated: May 18, 2017 07:44AM UTC

Sorry, but you aren't correctly understanding the purpose of HSTS. The issue is not that a user might connect using HTTP and receive the actual application content (as opposed to a default page). The issue is that the user's browser will willingly make a request using plain HTTP at all. The purpose of HSTS is to tell the browser that it should never connect to this domain using plain HTTP. The browser remembers this instruction and applies it to future browsing. So if a third party site contains a link or a redirection to an HTTP URL on that domain, the browser will automatically convert it to HTTPS. This prevents various man-in-the-middle attacks that induce the browser to downgrade traffic to HTTP, allowing a suitably positioned attacker to view and modify it. If the site you are testing returns HTTPS responses without a suitable HSTS header, then the issue reported by Burp is perfectly valid.
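To make the reply concrete, here is an added example (not Burp's or PortSwigger's code) modelling the browser behaviour it describes: HSTS is only learned from an HTTPS response, and once learned, any http:// link to that host is upgraded before a plain request is ever sent. The parse function is the same check a scanner applies to the HTTPS response; the URLs and headers in the comments are constructed.

```python
# Added example, not Burp's or PortSwigger's code: a minimal model of the browser
# behaviour described above. Sample URLs/headers used in tests are constructed.
import time
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header_value):
    """Return (max_age, include_subdomains) or None if the header is missing/invalid."""
    if not header_value:
        return None
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and value.strip('" ').isdigit():
            max_age = int(value.strip('" '))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    """Hosts the browser has been told to reach only over HTTPS, with expiry."""
    def __init__(self):
        self._entries = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url, headers, now=None):
        """Learn HSTS from an HTTPS response only; browsers ignore it on plain HTTP."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        parsed = parse_hsts(headers.get("Strict-Transport-Security"))
        if parts.scheme != "https" or parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:               # max-age=0 tells the browser to forget the host
            self._entries.pop(parts.hostname, None)
        else:
            self._entries[parts.hostname] = (now + max_age, include_sub)

    def rewrite(self, url, now=None):
        """Upgrade http:// to https:// when the host (or a covering parent) is pinned."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):   # exact host first, then parents with includeSubDomains
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return urlunsplit(("https",) + parts[1:])
        return url                     # no HSTS knowledge: the plain request goes out
```

With no header on the HTTPS response, `rewrite` leaves an http:// link untouched, which is exactly the exposure Burp reports regardless of what content the plain-HTTP endpoint serves.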
