The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum



Strict transport security not enforced -- misstatement of facts/lack of proof

Anders | Last updated: May 18, 2017 06:32AM UTC

I'm using Pro 1.7.22, and when testing a fairly normal web application I get an issue report 'Strict transport security not enforced', which from a general perspective is correct: the application does not provide a Strict-Transport-Security header. That far, I have no complaint.

However, the issue text states: 'The application fails to prevent users from connecting to it over unencrypted connections.' This is not supported by any facts. (I expected to find a request/response pair to back the statement up, but I don't.)

Suggestion: Include the request/response in the issue description to allow the tester to evaluate the claim more easily.

What is true is that http://<path> returns a response, and perhaps this has been taken as an indication of a problem. However, http://<path> only returns the default IIS page, and so does not provide access to the web application. Thus, no vulnerability is actually demonstrated.

Suggestion: Unless the responses to http://<path> and https://<path> are very similar, don't rate the issue as a certainty. (The certainty is that there is no Strict-Transport-Security header, but that absence is not on its own a vulnerability.)

Suggestion: Include both responses (http and https) in the issue, so that the tester can send both identified responses to the comparer and evaluate/verify the claim.
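The triage suggested in the post above, written out as an added example (not part of the original post and not Burp's own logic): it rates the finding from the HTTP and HTTPS responses together instead of from the missing header alone. The function names, the 0.8 similarity threshold, the "Firm" rating for an HTTP-to-HTTPS redirect and the sample responses are all assumptions constructed for illustration.

```python
from difflib import SequenceMatcher

def hsts_max_age(headers):
    """Return max-age from a Strict-Transport-Security header, or 0 if absent/invalid."""
    for name, value in headers.items():
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip('"').isdigit():
                return int(val.strip('"'))
    return 0

def triage(http_resp, https_resp, threshold=0.8):
    """Rate the finding; each response is a dict with status, headers and body."""
    if hsts_max_age(https_resp["headers"]) > 0:
        return {"issue": False, "confidence": None, "similarity": None}
    if http_resp is None:  # nothing answers over plain HTTP
        return {"issue": True, "confidence": "Tentative", "similarity": None}
    location = {k.lower(): v for k, v in http_resp["headers"].items()}.get("location", "")
    if http_resp["status"] in (301, 302, 303, 307, 308) and location.lower().startswith("https://"):
        # Assumed rating: without HSTS the first request is sent in cleartext on every visit.
        return {"issue": True, "confidence": "Firm", "similarity": None}
    # The post's test: only near-identical bodies show the application itself is served over HTTP.
    ratio = SequenceMatcher(None, http_resp["body"], https_resp["body"]).ratio()
    confidence = "Certain" if ratio >= threshold else "Tentative"
    return {"issue": True, "confidence": confidence, "similarity": round(ratio, 2)}

# Constructed sample responses (hypothetical host, not taken from the post).
IIS_DEFAULT = {"status": 200, "headers": {"Server": "Microsoft-IIS"},
               "body": '<html><head><title>IIS Windows Server</title></head>'
                       '<body><img src="iisstart.png"></body></html>'}
APP_HTTPS = {"status": 200, "headers": {"Content-Type": "text/html"},
             "body": '<html><head><title>Orders</title></head><body>'
                     '<form action="/login" method="post"><input name="user">'
                     '<input name="pass" type="password"></form></body></html>'}
REDIRECT = {"status": 301, "headers": {"Location": "https://app.example/"}, "body": ""}

if __name__ == "__main__":
    print("default IIS page on HTTP:", triage(IIS_DEFAULT, APP_HTTPS))
    print("same app on HTTP:", triage(dict(APP_HTTPS), APP_HTTPS))
    print("HTTP redirects to HTTPS:", triage(REDIRECT, APP_HTTPS))
```

With the constructed default-IIS response on port 80, the finding comes back as Tentative, matching the post's point that the missing header is certain while the cleartext exposure of the application is not demonstrated.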

PortSwigger Agent | Last updated: May 18, 2017 07:44AM UTC