Finding: Strict Transport Security Not Enforced (RFC 6797) – CWE-523
Description:
The web server is not enforcing HTTP Strict Transport Security (HSTS), a critical web security policy mechanism defined in RFC 6797. HSTS allows web servers to declare that user agents (e.g., browsers) should only interact with it over secure HTTPS connections, thereby preventing downgrade attacks and cookie hijacking over insecure HTTP.
Risk:
Without HSTS, users may unknowingly make HTTP requests, exposing session cookies and sensitive data to interception via man-in-the-middle (MITM) attacks. Attackers can exploit this gap especially on open or public Wi-Fi networks.
CWE-523: Unprotected Transport of Credentials
This vulnerability is related to the transport of credentials and other sensitive data without enforcing a secure channel.
Remediation Plan for IIS
Objective:
Enable and enforce HTTP Strict Transport Security (HSTS) on IIS-hosted websites to ensure all communication occurs over HTTPS.
Step 1: Prerequisites
– Confirm the site is already served over HTTPS with a valid SSL/TLS certificate.
– Ensure all HTTP requests are redirected to HTTPS to avoid mixed content or accessibility issues.
Step 2: Add HSTS via HTTP Response Headers
- Option A: Using IIS Manager (GUI)
1. Open IIS Manager.
2. Navigate to your site under ‘Sites’.
3. Double-click HTTP Response Headers.
4. Click Add… and input:
– Name: Strict-Transport-Security
– Value: max-age=31536000; includeSubDomains; preload
5. Click OK to apply.
- Option B: Using Web.config
Add the following inside the <system.webServer> section of your Web.config:
<httpProtocol>
  <customHeaders>
    <!-- Strict-Transport-Security: one year, applied to all subdomains, eligible for preload -->
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
  </customHeaders>
</httpProtocol>
Explanation of Header Components:
– max-age=31536000: Enforce HTTPS for one year (the value is in seconds).
– includeSubDomains: Apply policy to all subdomains.
– preload: Indicates intent to submit the domain to HSTS preload lists.
Step 3: Redirect HTTP to HTTPS
- Option A: HTTP Redirect in IIS
– Select the site, go to HTTP Redirect, enable it, and set the destination to your HTTPS URL.
- Option B: Rewrite Rules
Use the URL Rewrite module:
<rewrite>
  <rules>
    <!-- Permanently redirect any request that did not arrive over HTTPS to the same path on HTTPS -->
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
Step 4: Test Implementation
Use tools such as:
– SSL Labs (https://www.ssllabs.com/ssltest/)
– curl -I https://yourdomain.com (Confirm presence of the Strict-Transport-Security header)
Step 5: (Optional) Submit Domain to HSTS Preload List
Once the policy is stable, you may submit the domain at:
https://hstspreload.org/
Verification: How to Confirm HSTS is Properly Enforced
After implementing the HSTS policy, it’s important to validate that the configuration is correctly applied and functioning as intended. Use the following steps to confirm the remediation:
- Use curl to inspect the response headers:
Run the following command:
`curl -I https://yourdomain.com`
Look for the `Strict-Transport-Security` header in the output. It should match the expected value:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
- Use SSL Labs Test:
– Visit: https://www.ssllabs.com/ssltest/
– Enter your domain and start the test.
– Check the ‘HTTP Strict Transport Security (HSTS)’ section to verify correct setup.
- Use a browser with developer tools:
– Open your site in Chrome or Firefox.
– Open Developer Tools (F12), go to the Network tab.
– Refresh the page and click on your HTTPS request.
– Check the ‘Response Headers’ for the presence of `Strict-Transport-Security`.
- Test HTTP to HTTPS redirection:
– Navigate to http://yourdomain.com (without HTTPS).
– Confirm that it automatically redirects to https://yourdomain.com using a 301 or 302 status code.
- Optional: Check HSTS preload status:
– Visit: https://hstspreload.org/
– Enter your domain to check preload status or submit it for inclusion.
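The manual header inspection above can be automated. The following checker is an added example and not part of this remediation guide: it parses a Strict-Transport-Security value the way a user agent does (RFC 6797 section 6.1) and reports the defects a reviewer would flag, such as a missing or short max-age, or preload without its prerequisites. The GOOD and WEAK responses are constructed samples, not captured from any host.

```python
import re

ONE_YEAR = 31536000  # seconds; the max-age value this guide configures
_TOKEN = re.compile(r"[A-Za-z0-9-]+")  # directive names are HTTP tokens

def parse_hsts(value: str) -> dict:
    """Split a header value into {directive: value_or_None}, case-insensitive,
    rejecting duplicates and a missing or non-numeric max-age (RFC 6797 s6.1)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate an empty element such as a trailing ";"
        name, has_value, raw = part.partition("=")
        name = name.strip().lower()
        if not _TOKEN.fullmatch(name):
            raise ValueError(f"malformed directive: {part!r}")
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = raw.strip().strip('"') if has_value else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError("max-age is required and must be a non-negative integer")
    directives["max-age"] = int(max_age)
    return directives

def check_hsts(headers: dict, scheme: str = "https", min_age: int = ONE_YEAR) -> list:
    """Return findings for one response's headers; an empty list means the policy is sound."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)  # header names are case-insensitive
    if value is None:
        return ["Strict-Transport-Security header missing (CWE-523)"]
    findings = []
    if scheme != "https":
        # RFC 6797 s8.1: a user agent ignores HSTS received over an insecure transport.
        findings.append("HSTS header sent over plain HTTP is ignored; redirect to HTTPS first")
    try:
        d = parse_hsts(value)
    except ValueError as exc:
        return findings + [f"unparseable header: {exc}"]
    if d["max-age"] == 0:
        findings.append("max-age=0 clears the policy instead of enforcing it")
    elif d["max-age"] < min_age:
        findings.append(f"max-age={d['max-age']} is below the recommended {min_age} (1 year)")
    if "preload" in d and ("includesubdomains" not in d or d["max-age"] < ONE_YEAR):
        findings.append("preload requires includeSubDomains and max-age of at least 1 year")
    return findings

# Constructed sample responses (not captured from any real host).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=300; preload"}
```

Feed it the header dictionary from the `curl -I` output (or from a `requests` response) for both the HTTP and HTTPS URL; the `scheme` argument catches the common mistake of emitting the header before the redirect is in place.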