Wednesday, January 30, 2019

Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (possibly) Chrome

The following article describes how to abuse browser implementations of HSTS and HPKP storage to disable HSTS and HPKP checking. Because of these attacks, the Trust On First Use (TOFU) security model of HSTS and HPKP cannot be properly enforced by the browser.

http://blog.en.elevenpaths.com/2017/12/breaking-out-hsts-and-hpkp-on-firefox.html

Quote from the above article about the Firefox implementation:
Firefox uses a TXT file with a limit of 1024 entries to remember HSTS and HPKP domains. It seems that they thought it was unlikely that a user would store more than that but, anyhow, they implemented a concept of "score" for each domain too.
The score indicates how often the user visits that domain on different days. Score 0 means that the header is expired or it is the first day he has visited the site. The score goes to 1 the next day if he visits it again. It would go to 2 on the next different day (not necessarily the day after) he visits that site. In a nutshell, the more often (on different days) the user visits the site, the higher the score. In case of having to remove one of these 1024 entries to make space (free up a slot), the one with the lowest score is removed.

What we did is a Bettercap JavaScript to inject and a special website. Both send a lot of HSTS headers (what we call "junk entries") with different subdomains. Firefox, in less than 2 minutes, fills up this 1024-entry table and starts removing legitimate domains with score 0.
What happens if a legitimate domain has a higher score and is less likely to be removed? To get that, we need to make this attack again on a different day, so our junk entries get a score of 1, and the legitimate ones with 0 score or 1 score will probably go away. And so on.
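A small model of the eviction policy described in the quote, added here as an example and not part of the original post, the ElevenPaths article or Firefox's code. The store, the hostnames and the optional per-site cap (a hypothetical mitigation, not something the article says Firefox implements) are assumptions; the model shows that a fixed-capacity store with lowest-score eviction lets a burst of new hosts displace every entry that still has score 0, while an entry already seen on more than one day survives that burst.

```python
"""Model of the bounded, score-based HSTS store quoted above (added example,
not code from the ElevenPaths article or from Firefox). It keeps a capacity, a
per-host score equal to the number of distinct days the host was seen, and
evicts the lowest score when full; evicting the oldest lowest-scored entry on
ties and the optional per-site cap are assumptions, not Firefox behaviour."""
from collections import Counter

CAPACITY = 1024  # entry limit quoted from the article


class HstsStore:
    def __init__(self, capacity=CAPACITY, per_site_cap=None):
        self.capacity = capacity
        self.per_site_cap = per_site_cap  # hypothetical mitigation, None = off
        self.entries = {}  # host -> {"score", "last_day"}, insertion ordered

    @staticmethod
    def site(host):
        # crude registrable domain: last two labels (assumption; real code uses the PSL)
        return ".".join(host.split(".")[-2:])

    def record(self, host, day):
        e = self.entries.get(host)
        if e is not None:
            if day != e["last_day"]:  # another distinct day raises the score
                e["score"] += 1
                e["last_day"] = day
            return True
        if self.per_site_cap is not None:
            per_site = Counter(self.site(h) for h in self.entries)
            if per_site[self.site(host)] >= self.per_site_cap:
                return False  # refuse: one site cannot fill the whole store
        if len(self.entries) >= self.capacity:
            victim = min(self.entries, key=lambda h: self.entries[h]["score"])
            del self.entries[victim]  # lowest score; oldest entry loses ties
        self.entries[host] = {"score": 0, "last_day": day}
        return True


def simulate(junk_count, legit_days=(0,), per_site_cap=None):
    """Legit host seen on legit_days, then junk_count junk subdomains on the
    last of those days. Returns whether the legitimate entry survived."""
    store = HstsStore(per_site_cap=per_site_cap)
    for d in legit_days:
        store.record("bank.example", d)  # constructed hostnames
    for i in range(junk_count):
        store.record(f"s{i}.junk.example", legit_days[-1])
    return "bank.example" in store.entries
```

With the default policy, 1023 junk hosts leave the legitimate entry in place and the 1024th pushes it out, whereas a legitimate host already seen on two days outlives any number of score-0 junk entries.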
