Automattic: Missing HSTS header in

ID H1:20072
Type hackerone
Reporter mohaab007
Modified 2014-08-16T22:51:42



Vulnerable Website:

I tested the website using a Firefox add-on called Strict Transport Security Detector.

HSTS addresses the following threats:

A user bookmarks or manually types the site's plain-HTTP address and is subject to a man-in-the-middle attacker:

 HSTS automatically redirects HTTP requests to HTTPS for the target domain

Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP:

 HSTS automatically redirects HTTP requests to HTTPS for the target domain

A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate:

 HSTS does not allow a user to override the invalid certificate message

More:

HSTS mitigates the following threats.

  1. HTTP request to an HTTPS site

For example:
1. User wants to visit
2. User types into the address bar
3. Browser automatically appends "http://", making the following request:
4. Server responds with 301 (permanent redirect) to the following location:
5. Browser makes a request to the above URL

The above scenario allows for a man-in-the-middle attack as a result of the unintentional plaintext HTTP request. An attacker can leverage a tool such as sslstrip to transparently hijack the HTTP request prior to the 301 redirect. HSTS eliminates this attack window as long as the user previously accessed the site over HTTPS and obtained the HSTS header.

Even with HSTS enabled, a user's very first request to the site would remain unprotected from this attack. As a result, both Chrome and Mozilla introduced HSTS preload lists. If the site is on Chrome's HSTS preload list, a freshly installed Chrome browser will only allow secure connections to that site, even if the user never accessed it before.

  2. Insecure link referencing an HSTS-enabled site

For example:
1. A page includes a plain-HTTP link to the HSTS-enabled site
2. HSTS will automatically convert the link to HTTPS for the HSTS-enabled site

  3. Invalid certificate

The following would be considered invalid certificates:
- Self-signed and/or untrusted-CA-signed certificate
- Expired
- Wrong name specified

With HSTS in effect, the browser treats each of these as a hard failure and offers the user no click-through override.
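The check described in this report can be reproduced without a browser add-on. The script below is an added example written for this page; it is not part of the original report and not Automattic's code. It parses a Strict-Transport-Security header per RFC 6797, flags a missing header and weak settings (short max-age, no includeSubDomains, preload requested without meeting the preload list's requirements), and optionally fetches live headers when an https:// URL is passed on the command line. The response headers in SAMPLES are constructed, not captured from any site; the one-year threshold is the minimum max-age the Chrome preload list accepts.

```python
"""Added example, not part of the original report or of any Automattic code:
a small Strict-Transport-Security checker in the spirit of the Firefox add-on
mentioned above. It parses the header per RFC 6797 and flags weak settings.
All response headers in SAMPLES are constructed, not captured from any site."""
import sys
import urllib.request
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the Chrome preload list accepts


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split an HSTS header value into {directive_name: argument_or_None}.

    Directive names are case-insensitive, arguments may be quoted, and a
    directive may appear at most once (RFC 6797 section 6.1); a repeated
    directive makes the header invalid, signalled here by returning {}.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';' or an empty segment
        name, _, arg = raw.partition("=")
        name = name.strip().lower()
        if name in directives:
            return {}
        directives[name] = arg.strip().strip('"') if arg else None
    return directives


def assess_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings for an HTTPS response's headers; an empty list means OK."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(value)
    if not d:
        return ["Strict-Transport-Security header is malformed (repeated directive or empty)"]
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["Strict-Transport-Security has no valid max-age; browsers ignore the header"]
    findings: List[str] = []
    seconds = int(max_age)
    if seconds == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif seconds < ONE_YEAR:
        findings.append(f"max-age={seconds} is shorter than one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent; subdomains stay reachable over HTTP")
    if "preload" in d and (seconds < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload requested but max-age/includeSubDomains requirements not met")
    return findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch an https:// URL and return its response headers.

    Only used when a URL is passed on the command line, so the sample run
    below needs no network access. Browsers ignore HSTS sent over plain HTTP,
    so checking an http:// URL would be meaningless.
    """
    if not url.startswith("https://"):
        raise ValueError("HSTS is only honoured on HTTPS responses; use an https:// URL")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers)


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no header":   {"Content-Type": "text/html"},
    "weak":        {"Strict-Transport-Security": "max-age=300"},
    "recommended": {"Strict-Transport-Security":
                    "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    if sys.argv[1:]:
        SAMPLES = {sys.argv[1]: fetch_headers(sys.argv[1])}
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {assess_hsts(hdrs) or ['OK']}")
```

Run it with no arguments to see the three constructed cases scored, or with `python hsts_check.py https://example.org/` to test a live site. Note that a passing result only tells you the header is served; as the text above explains, the policy protects a browser only after its first HTTPS visit unless the domain is also on the preload list.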