False Positive
HTTP/1.1 302 Found =>
Date => Thu, 02 Jun 2016 16:43:56 GMT
Server => Apache
Strict-Transport-Security => max-age=86400
Location => https://aa.xxxxxx.in/index.php
Content-Length => 291
Connection => close
Content-Type => text/html; charset=iso-8859-1
Missing 'Strict-Transport-Security' header 1
The HTTP protocol by itself is clear text, meaning that any data transmitted via HTTP can be captured and its contents viewed. To keep data private and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL) or Transport Layer Security (TLS). When either of these encryption standards is used, it is referred to as HTTPS.
HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. This will be enforced by the browser even if the user requests a HTTP resource on the same server.
Cyber-criminals will often attempt to compromise sensitive information passed from the client to the server using HTTP. This can be conducted via various Man-in-The-Middle (MiTM) attacks or through network packet captures.
Arachni discovered that the affected application is using HTTPS; however, it does not use the HSTS header.
HAD to do a network-level intervention to find this.
Been on it since yesterday...
And, well, it happens.. :)
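The point the thread turns on is how a browser treats the response quoted above: a Strict-Transport-Security header received over plain HTTP is ignored (RFC 6797 section 7.2), so only the header on the HTTPS response decides whether a policy gets recorded. The following is an added example, not Arachni's code and not part of the original post. It applies the RFC 6797 rules to a list of response headers and reports what a browser would actually honour; the header lines are the ones posted above, the function names and the one-year threshold are my own assumptions.

```python
"""Decide whether a browser would honour an HSTS policy from an HTTP response.

Added example for this thread, not Arachni's own check. It encodes the
RFC 6797 rules that matter when judging a "missing HSTS" finding:
  * an STS header received over plain HTTP is ignored (section 7.2),
    so only the HTTPS response counts;
  * if several STS header fields are present, only the first is processed (8.1);
  * directive names are case-insensitive, max-age is required, each directive
    may appear at most once, unknown directives are ignored (6.1).
"""
import re

# Assumed threshold: one year, the value commonly recommended for max-age.
ONE_YEAR = 31536000

# RFC 7230 token and quoted-string, used for directive names and values.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
DIRECTIVE_RE = re.compile(rf"^\s*({TOKEN})\s*(?:=\s*({TOKEN}|{QUOTED}))?\s*$")


def parse_sts(value):
    """Parse an STS field value into {name: value}; None if the header is invalid."""
    directives = {}
    for part in value.split(";"):
        if not part.strip():
            continue                      # empty elements between ';' are allowed
        m = DIRECTIVE_RE.match(part)
        if not m:
            return None                   # syntax error: whole header is ignored
        name = m.group(1).lower()
        if name in directives:
            return None                   # duplicate directive: header is ignored
        val = m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]               # unquote a quoted-string value
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age") or ""):
        return None                       # max-age is required and must be delta-seconds
    return directives


def evaluate_hsts(scheme, headers):
    """Return what a browser would record from this response.

    scheme:  'http' or 'https', the scheme the response was fetched over
    headers: list of (name, value) pairs as received
    """
    verdict = {"honoured": False, "max_age": None,
               "include_subdomains": False, "preload": False, "notes": []}
    sts_values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts_values:
        verdict["notes"].append("no Strict-Transport-Security header")
        return verdict
    if scheme.lower() != "https":
        verdict["notes"].append("STS header received over plain HTTP is ignored (RFC 6797 7.2)")
        return verdict
    if len(sts_values) > 1:
        verdict["notes"].append("multiple STS headers; only the first is processed (RFC 6797 8.1)")
    directives = parse_sts(sts_values[0])
    if directives is None:
        verdict["notes"].append("malformed STS header is ignored (RFC 6797 6.1)")
        return verdict
    max_age = int(directives["max-age"])
    verdict.update(honoured=True, max_age=max_age,
                   include_subdomains="includesubdomains" in directives,
                   preload="preload" in directives)
    if max_age == 0:
        verdict["honoured"] = False       # max-age=0 tells the browser to drop the policy
        verdict["notes"].append("max-age=0 removes any cached policy")
    elif max_age < ONE_YEAR:
        verdict["notes"].append(f"max-age {max_age}s is below one year")
    return verdict


# The response quoted in the thread: a plain-HTTP 302 carrying an STS header.
POSTED_RESPONSE = [
    ("Date", "Thu, 02 Jun 2016 16:43:56 GMT"),
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=86400"),
    ("Location", "https://aa.xxxxxx.in/index.php"),
    ("Content-Type", "text/html; charset=iso-8859-1"),
]

if __name__ == "__main__":
    print(evaluate_hsts("http", POSTED_RESPONSE))   # ignored: fetched over HTTP
    print(evaluate_hsts("https", POSTED_RESPONSE))  # honoured, but only for a day
```

Run against the posted headers, the first call reports that the policy is not honoured because the response arrived over plain HTTP; the second shows that the same header on the HTTPS response would be honoured, with a note that max-age=86400 is well below the usual one-year recommendation. For a scanner, the consequence is that the header on the HTTP redirect proves nothing either way; the HTTPS response is the one to examine, which is why the staff reply below asks for the response Arachni associated with the issue. On Apache the header belongs in the HTTPS virtual host (for example `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`), not on the HTTP redirect.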
Support Staff 1 Posted by Tasos Laskos on 02 Jun, 2016 04:59 PM
Hello,
Can you please post this issue at the appropriate tracker?
This is strictly a support portal, not an issue tracker.
Also, please include the response Arachni had associated with this issue.
Cheers
Tasos Laskos closed this discussion on 02 Jun, 2016 04:59 PM.