False Positive

Rajesh Sharma's Avatar

Rajesh Sharma

02 Jun, 2016 04:52 PM

HTTP/1.1 302 Found =>
Date => Thu, 02 Jun 2016 16:43:56 GMT
Server => Apache
Strict-Transport-Security => max-age=86400
Location => https://aa.xxxxxx.in/index.php
Content-Length => 291
Connection => close
Content-Type => text/html; charset=iso-8859-1


Missing 'Strict-Transport-Security' header 1

The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed. To keep data private and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL) or Transport Layer Security (TLS). When either of these encryption standards are used, it is referred to as HTTPS.

HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. This will be enforced by the browser even if the user requests a HTTP resource on the same server.

Cyber-criminals will often attempt to compromise sensitive information passed from the client to the server using HTTP. This can be conducted via various Man-in-The-Middle (MiTM) attacks or through network packet captures.

Arachni discovered that the affected application is using HTTPS however does not use the HSTS header.
(CWE)

HAD to do a network level intervention to find this.
been on it.. since yesterday ...
And .. well.. it happens.. :)

  1. Support Staff 1 Posted by Tasos Laskos on 02 Jun, 2016 04:59 PM

    Tasos Laskos's Avatar

    Hello,

    Can you please post this issue at the appropriate tracker?
    This is strictly a support portal, not an issue tracker.

    Also, please include the response Arachni had associated with this issue.

    Cheers

  2. Tasos Laskos closed this discussion on 02 Jun, 2016 04:59 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac