Report Language Example

The tester observed that several pages on the application were missing the HTTP Strict-Transport-Security (HSTS) header. This header instructs the browser to only load a web site over HTTPS and convert HTTP request attempts to HTTPS. An attacker on the same network as a legitimate user could take advantage of a missing HSTS header to force the use of cleartext HTTP in an attack known as SSL stripping. This would allow the attacker to see and record or modify any traffic associated with a legitimate user’s session.
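A small check for the finding above, added here as an example and not part of the original report: it inspects captured response headers for a Strict-Transport-Security header, parses it per RFC 6797, and flags the cases that leave users exposed to SSL stripping (header absent, max-age missing or zero, header only sent over plain HTTP). The one-year max-age floor, the hostnames and the header values are assumptions constructed for the example.

```python
# Added example, not from the original report: flag responses whose
# Strict-Transport-Security header is missing or too weak to block SSL stripping.
# Parsing follows RFC 6797 s6.1; the one-year floor is the hstspreload.org rule.
MIN_MAX_AGE = 31536000  # assumed reporting threshold, in seconds

def parse_hsts(value):
    """Return (max_age, include_subdomains, preload, issues) for one STS value."""
    issues, seen, max_age, include_sub, preload = [], set(), None, False, False
    for token in (t.strip() for t in value.split(";") if t.strip()):
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:  # RFC 6797: a directive may appear only once
            issues.append(f"duplicate directive '{name}'")
        seen.add(name)
        if name == "max-age":
            if val.isdigit():
                max_age = int(val)
            else:
                issues.append(f"max-age is not a non-negative integer: {val!r}")
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored by browsers, so they are not flagged
    if max_age is None:
        issues.append("max-age missing; browsers ignore the header")
    elif max_age == 0:
        issues.append("max-age=0 clears any cached HSTS policy for the host")
    elif max_age < MIN_MAX_AGE:
        issues.append(f"max-age {max_age} is shorter than {MIN_MAX_AGE}")
    return max_age, include_sub, preload, issues

def check_response(url, headers):
    """Evaluate one response's headers (names matched case-insensitively)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return {"url": url, "present": False, "issues": ["HSTS header missing"]}
    max_age, include_sub, preload, issues = parse_hsts(value)
    if not url.lower().startswith("https://"):
        issues.append("header received over plain HTTP is ignored by browsers")
    return {"url": url, "present": True, "max_age": max_age,
            "include_subdomains": include_sub, "preload": preload, "issues": issues}

# Constructed sample responses (hostname and values are made up, not engagement data)
SAMPLE = [
    ("https://app.example/login", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    ("https://app.example/", {"Content-Type": "text/html"}),
    ("https://app.example/api", {"strict-transport-security": "max-age=300"}),
]
```

Running `check_response` over each entry of `SAMPLE` gives one clean result, one missing-header finding and one short max-age finding, which is the shape of evidence this report language expects.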

The tester demonstrated this attack using Burp Suite with the following configurations in place.

Burp Proxy Set to Force Use of TLS

Burp Response Modifications Remove TLS Requirements

With these configurations in place, BHIS was able to force the application to load pages over HTTP. TODO - show some of these.
