Viewing 5 posts - 1 through 5 (of 5 total)
  • #34773
    Vashisht Boodhun
    Participant

    Basically there are 2 challenges:

    1. Websites that use normal HTTPS like zsecurity.org, stackoverflow.com, etc. You should be able to bypass all of these even if accessed directly.

    2. Websites that use HSTS like Facebook and Twitter. These websites will only load over HTTPS if accessed directly, because the browser has a list of famous websites that use HSTS and will therefore only load them over HTTPS. The only way around this is to use the custom hstshijack caplet that Zaid provided. This will only work if the user searches for the website using a search engine that does not use HSTS, for example if they use the local Google domain such as google.ie to search for facebook / twitter, etc. In this case the script will replace the .com at the end with .corn, bypassing the list of famous websites that the browser has and allowing us to downgrade these websites to HTTP.

    Also please don’t forget to remove the browsing data (cache, history, etc.) before doing the attack. You wouldn’t need to do this in a real-life scenario, but this happens sometimes when you keep accessing the same website over and over across a very short period of time.

    Please don’t hesitate to contact if you need anything else.
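    A defender-side check for the .corn TLD swap described above, as an added example that is not part of the original thread or of the hstshijack caplet: it scans constructed proxy log lines for plain-HTTP or lookalike-TLD requests to a small, hypothetical subset of HSTS-preloaded domains. The log format, the preload subset and the extra lookalike TLDs are assumptions.

```python
"""Flag HSTS-downgrade lookalike hosts (e.g. facebook.corn) in proxy logs."""
import re

# Hypothetical subset of browser HSTS-preloaded domains (assumption, not the real list).
HSTS_PRELOADED = {"facebook.com", "twitter.com", "google.com"}

# TLD substitutions a downgrade script might use; ".corn" is the one the
# thread describes, the others are hypothetical additions.
LOOKALIKE_TLDS = {"corn": "com", "cam": "com", "c0m": "com"}

# Assumed log format: "<timestamp> <client-ip> <url> <status>"
LOG_RE = re.compile(r"^\S+ \S+ (?P<scheme>https?)://(?P<host>[^/\s]+)")


def canonical_host(host):
    """Map a lookalike TLD back to the real one; return (real_host, was_lookalike)."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-1] in LOOKALIKE_TLDS:
        labels[-1] = LOOKALIKE_TLDS[labels[-1]]
        return ".".join(labels), True
    return ".".join(labels), False


def registrable(host):
    # Naive: last two labels (no public-suffix handling, kept simple on purpose).
    return ".".join(host.split(".")[-2:])


def find_downgrades(log_lines):
    """Return requests that reach a preloaded domain via a lookalike TLD or plain HTTP."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        real, lookalike = canonical_host(m["host"])
        base = registrable(real)
        if base in HSTS_PRELOADED and (lookalike or m["scheme"] == "http"):
            findings.append({"host": m["host"], "real": base,
                             "scheme": m["scheme"], "lookalike_tld": lookalike})
    return findings


# Constructed sample log: a google.ie search followed by a downgraded facebook.corn hit.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 10.0.0.5 https://www.google.ie/search?q=facebook 200",
    "2024-05-01T10:00:02 10.0.0.5 http://www.facebook.corn/ 200",
    "2024-05-01T10:00:03 10.0.0.5 https://www.twitter.com/home 200",
    "2024-05-01T10:00:04 10.0.0.5 http://stackoverflow.com/questions 200",
]

if __name__ == "__main__":
    for f in find_downgrades(SAMPLE_LOG):
        print(f)
```

    The stackoverflow.com line is not flagged because that site is not in the assumed preload subset; extend the set or add a plain-HTTP rule for all known-HTTPS sites to cover the first class of targets the post mentions.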

    #34852
    Mackendy Charles
    Participant

    thank you Mr. Vashisht

    #34911
    Vashisht Boodhun
    Participant

    You’re welcome, I’m glad we could help :)

    #34992
    obainosteven
    Participant

    Problem of “failed to acquire the VirtualBox COM object”

    #35103
    Vashisht Boodhun
    Participant

    Please open a new discussion in the forum with all the details, and we will reply ASAP, as it’s really hard for us to keep track of what several people are doing in the same post.

    Thank you for your comprehension.
