THE JOURNAL OF KMUTNB Volume 33, No. 02, Month APRIL, Year 2023, Pages -
Problem analysis of hsts malfunction and ssl stripping attack
Paradet Khachenrum, Darunee Puangpronpitag, Somnuk Puangpronpitag, Egachai Puangpronpitag
Abstract Download PDFSSL stripping attack was one of the most notorious techniques to hack HTTPS websites. So, HTTP Strict Transport Security (HSTS) mechanism had been proposed and deployed to subdue the attack. However, a few recent studies have shown that the old SSL stripping attack could be deployed to effectively attack several on-line banking and e-commerce web sites again even with HSTS configuration. Hence, this paper investigates and analyzes reasons behind the malfunction of HSTS and the return of SSL stripping attacks. To analyze the problem, testbed experiments on 11 Thai online banking, 4 e-commerce websites and 2 volunteer websites, an analysis of HTTP response headers and hacker’s scripts are done. The cause of problems has finally been analyzed and the solutions are suggested.
HTTP Strict Transport Security (HSTS) Mechanism; SSL Stripping Attack; Web Security