Showing posts from November, 2018

SSLSTRIP attacks with Bettercap and MITMF - more info about HSTS and Web browsers

I've decided to make a follow-up video on SSLSTRIP and man-in-the-middle attacks, in order to clarify and emphasize a few things about HSTS and Web browsers. The client Web browser version is sometimes overlooked when it comes to the overall HSTS protocol. In this video we use Bettercap and different client Web browsers to simulate man-in-the-middle attacks against websites that are correctly configured for HSTS. We will see that the attacks may or may not succeed, depending on the Web browser version and capabilities.

See below a list of browsers with HSTS capabilities (Reference: Wikipedia - HTTP_Strict_Transport_Security):

- Chromium and Google Chrome since version
- Firefox since version 4; with Firefox 17, Mozilla integrates a list of websites supporting HSTS.
- Opera since version 12
- Safari as of OS X Mavericks
- Internet Explorer 11 on Windows 8.1 and Windows 7 when KB 3058515 is installed
- Microsoft Edge and Internet Explorer 11 on Wind