Suggestion to Bypass HSTS!! #697
Comments
You can't bypass HSTS this way. The browser already knows that the site should be served via HTTPS only at the point it shows this warning. This would only help with sites not using HSTS and sites the user visits for the first time. If you want more information about how HSTS works I'd suggest reading the RFC 6797
Then for request sending in fake DNS, instead of a connection request to
Google.com or WhatsApp or other such sites which use HSTS, we can manipulate the
script to request a connection for tempmail.com and other such sites which
don't use HSTS, so the question of a warning message doesn't arise.
On Fri, 1 Mar 2019, 4:05 pm rad4day, ***@***.***> wrote:
> You can't bypass HSTS this way. The browser already knows that the site
> should be served via HTTPS only at the point it shows this warning. This
> would only help with sites not using HSTS and sites the user visits for the
> first time.
>
> If you want more information about how HSTS works I'd suggest reading the RFC
> 6797 <https://tools.ietf.org/html/rfc6797>
Sophorn, the developer of wifiphisher, had mentioned in one of his comments
that there are various tricks, like using evilginx along with wifiphisher, to
bypass HSTS. Similarly, if we integrate the same automation within the tool it
can work... is what I think.
There is also the wifi pumpkin tool, which bypasses HSTS sites.
On Fri, 1 Mar 2019, 4:15 pm Jeegar jani, ***@***.***> wrote:
> Then for request sending in fake DNS, instead of a connection request to
> Google.com or WhatsApp or other such sites which use HSTS, we can manipulate the
> script to request a connection for tempmail.com and other such sites which
> don't use HSTS, so the question of a warning message doesn't arise.
Sslstrip 2 and dns2proxy usage
https://youtu.be/9RPCSVcCv1w
On Fri, 1 Mar 2019, 4:19 pm Jeegar jani, ***@***.***> wrote:
> Sophorn, the developer of wifiphisher, had mentioned in one of his comments
> that there are various tricks, like using evilginx along with wifiphisher, to
> bypass HSTS. Similarly, if we integrate the same automation within the tool it
> can work... is what I think.
> There is also the wifi pumpkin tool, which bypasses HSTS sites.
Can you automate ssl2strip, dns2proxy or evilginx in the update so it can bypass the HSTS warning while trying a connection request in fake DNS? I am not a coder but understand where the problem lies... See if you can work it out...