Difference between revisions of "Test HTTP Strict Transport Security (OTG-CONFIG-009)"

From OWASP
Jump to: navigation, search
(Created page with "{{Template:OWASP Testing Guide v4}} == Brief Summary == <br> ..here: we describe in "natural language" what we want to test. <br> == Description of the Issue == <br> ...her...")
 
(Fixed some typos, formatting, slight clean up)
(4 intermediate revisions by 3 users not shown)
Line 4: Line 4:
 
== Brief Summary ==
 
== Brief Summary ==
 
<br>
 
<br>
..here: we describe in "natural language" what we want to test.
+
The HTTP Strict Transport Security (HSTS) header is a mechanism that web sites have to communicate to the web browsers that all traffic exchanged with a given domain must always be sent over https, this will help protect the information from being passed over unencrypted requests.<br>
 +
Considering the importance of this security measure it is important to verify that the web site is using this HTTP header, in order to ensure that all the data travels encrypted from the web browser to the server.<br>
 
<br>
 
<br>
 
== Description of the Issue ==  
 
== Description of the Issue ==  
Line 11: Line 12:
 
<br>
 
<br>
 
== Black Box testing and example ==
 
== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' <br>
+
'''Testing for the presence of HSTS header:''' <br>
...<br>
+
    $ curl -s -D- <nowiki>https://paypal.com/</nowiki> | grep Strict
 
'''Result Expected:'''<br>
 
'''Result Expected:'''<br>
...<br><br>
+
    Strict-Transport-Security: max-age=14400
 
== References ==
 
== References ==
'''Whitepapers'''<br>
+
* OWASP HTTP Strict Transport Security - https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
...<br>
+
* OWASP Appsec Tutorial Series - Episode 4: Strict Transport Security - http://www.youtube.com/watch?v=zEV3HOuM_Vw
'''Tools'''<br>
+
...<br>
+

Revision as of 16:53, 4 September 2013

This article is part of the new OWASP Testing Guide v4. 
At the moment the project is in the REVIEW phase.

Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project

Contents


Brief Summary


The HTTP Strict Transport Security (HSTS) header is a mechanism that web sites have to communicate to the web browsers that all traffic exchanged with a given domain must always be sent over https, this will help protect the information from being passed over unencrypted requests.
Considering the importance of this security measure it is important to verify that the web site is using this HTTP header, in order to ensure that all the data travels encrypted from the web browser to the server.

Description of the Issue


...here: Short Description of the Issue: Topic and Explanation

Black Box testing and example

Testing for the presence of HSTS header:

   $ curl -s -D- https://paypal.com/ | grep Strict

Result Expected:

   Strict-Transport-Security: max-age=14400

References