Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (Possibly) Chrome

Presented at Black Hat Europe 2017, Dec. 7, 2017, 11:30 a.m. (60 minutes)

According to Microsoft's own documentation, the Edge browser, and its predecessor Internet Explorer, support HSTS (HTTP Strict Transport Security) beginning with IE 11 on Windows 7, 8.1 and 10. However, there is no official technical documentation of how this mechanism works inside the browser, how its data is stored, or any other detail of the implementation. Likewise, there is no official documentation of how Firefox and Chrome implement it.

Despite this, the truth is that for an attacker, techniques like SSLStrip stopped being fully effective once HSTS and HPKP were deployed. A remote attack against HSTS, named Delorean, was presented some time ago, but it has some limitations. Throughout our research we have discovered new attacks and new inconsistencies in how web browsers handle issues related to HSTS and HPKP.

Firefox has an implementation issue for which we developed an attack that allows an attacker to remotely overwrite the browser's storage of the websites that have set HSTS/HPKP directives. An attacker sniffing or performing a MITM on the local network can thereby easily obtain plaintext credentials from sites that had set up their communication strictly over HTTPS. Chrome likewise suffers from implementation issues that can notably hinder the use of HSTS/HPKP in the browser.

For IE/Edge, we analysed the runtime implementation of the HttpIsHostHstsEnabled API in WININET.DLL, learning how the methods it invokes resolve which domains have HSTS enabled. We also found interesting aspects of the storage system (an ESE database) and several implementation issues.
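To make concrete why SSLStrip-style downgrades stop working once a host is known to the browser, and why Delorean has to attack the clock instead, here is an added example (not code from the talk, and not any browser's real implementation) modelling the RFC 6797 rules a user agent applies: the Strict-Transport-Security header is only honoured when it arrives over TLS without certificate errors, an entry lapses after max-age seconds, includeSubDomains extends it to subdomains, and any http:// navigation to a known host is rewritten to https:// before a request is sent. The hostnames and timestamps are constructed for the illustration.

```javascript
// Added example: a minimal model of the RFC 6797 HSTS rules a browser applies.
// Hostnames and times are made up; this is not code from the talk or any browser.

// Parse a Strict-Transport-Security header value.
// Returns { maxAge, includeSubDomains } or null if the header is invalid.
function parseSts(header) {
  let maxAge = null;
  let includeSubDomains = false;
  const seen = new Set();
  for (const raw of header.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    if (seen.has(name)) return null; // RFC 6797 6.1: a directive must not appear twice
    seen.add(name);
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
    // unknown directives (e.g. preload) are ignored
  }
  if (maxAge === null) return null; // max-age is required
  return { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() {
    this.entries = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Note a host from a response. RFC 6797 8.1: only honour the header when it
  // arrived over TLS with no certificate errors, so a header injected into plain
  // HTTP (or served behind a MITM certificate the user clicked through) is ignored.
  processResponse({ host, secure, certOk, stsHeader }, now) {
    if (!secure || !certOk || !stsHeader) return false;
    const parsed = parseSts(stsHeader);
    if (!parsed) return false;
    if (parsed.maxAge === 0) { // max-age=0 tells the browser to forget the host
      this.entries.delete(host);
      return true;
    }
    this.entries.set(host, {
      expires: now + parsed.maxAge * 1000,
      includeSubDomains: parsed.includeSubDomains,
    });
    return true;
  }

  // Is `host` a Known HSTS Host at time `now`? An exact entry matches; a parent
  // domain's entry matches only if it set includeSubDomains. Expired entries lapse.
  isKnown(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (!entry) continue;
      if (entry.expires <= now) { this.entries.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // What the browser actually requests: an http:// URL to a known host is rewritten
  // to https:// before anything leaves the machine, so SSLStrip never sees plaintext.
  navigate(url, now) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) u.protocol = 'https:';
    return u.href;
  }
}

// Walk through the scenarios the abstract contrasts; returns the URLs the browser would fetch.
function demo() {
  const store = new HstsStore();
  const t0 = Date.parse('2017-12-07T11:30:00Z'); // constructed start time
  const day = 24 * 3600 * 1000;
  // 1. A MITM injects the header into a plain-HTTP response: it must be ignored.
  store.processResponse({ host: 'bank.example', secure: false, certOk: false, stsHeader: 'max-age=31536000' }, t0);
  const afterPlain = store.navigate('http://bank.example/login', t0);
  // 2. The genuine HTTPS response sets a one-year policy covering subdomains.
  store.processResponse({ host: 'bank.example', secure: true, certOk: true, stsHeader: 'max-age=31536000; includeSubDomains' }, t0);
  const afterSecure = store.navigate('http://bank.example/login', t0 + day);
  const subdomain = store.navigate('http://www.bank.example/', t0 + day);
  // 3. Delorean-style clock skew: if the victim's clock is pushed past max-age, the entry lapses.
  const afterSkew = store.navigate('http://bank.example/login', t0 + 366 * day);
  return { afterPlain, afterSecure, subdomain, afterSkew };
}
```

Step 3 is the limitation the abstract alludes to: because the policy is only ever learnt over a valid TLS connection, a network attacker cannot set or clear it directly and is left attacking its expiry (the victim's clock) rather than the header itself, which is why the talk's attacks target the browsers' own storage and resolution logic instead.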

Presenters:

  • Sheila A. Berta - Security Researcher, Eleven Paths
    Sheila Ayelen Berta is an Information Security Specialist and Developer who started teaching herself at the age of 12. At 15 she wrote her first book, about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, Sheila has discovered several vulnerabilities in popular web applications such as Facebook, LinkedIn, Hotmail, ImageShack and others. Currently, Sheila works at Eleven Paths as a Security Researcher specializing in web application security, malware analysis and exploit writing. She also develops in x86 assembly, AutoIT, C/C++, Python and the most popular web application technologies. Sheila is an international speaker who has presented her research at major security conferences such as Black Hat USA and EU Arsenal, DefCon 25 CHV, Ekoparty Security Conference, OWASP Latam Tour, APPSEC Latam, DragonJARCon and others.
  • Sergio De Los Santos - Head of innovation and labs, Eleven Paths
    Sergio De Los Santos is currently head of innovation and labs at Eleven Paths, responsible for research and for creating new projects, tools and prototypes. In the past (2005-2013) he was a technical consultant at Hispasec (where VirusTotal was developed for 10 years), responsible for anti-fraud, vulnerability alerting and other services, mostly oriented to the banking industry. Sergio is responsible for the longest-running security newsletter in Spanish. Since 2000 he has worked as an auditor and technical coordinator, and has written three technical security books and one on the history of security. He holds a degree in informatics and a master's in software engineering and artificial intelligence, and was awarded the Microsoft MVP Consumer Security title from 2013 to 2017. He teaches and directs courses, master's programmes and lectures at universities and private companies.
