DEV Community: CREDO23

Everything You Need to Know About SSL Stripping attacks & HTTP Strict Transport Secure

CREDO23 — Wed, 05 Jul 2023 08:55:23 +0000

Introduction

In the last post, we learnt a lot about SSL/TLS (SSL certificates, SSL handshakes, and so on) and saw how important it is in safeguarding online communication and protecting sensitive data.But i stated that despite the secure connection established by the SSL/TLS protocol, this communication remains vulnerable to malicious attacks because it is over the internet. In this article we are going to talks about SSL attacks, especially the striping attack also known as SSL downgrade or HTTP downgrade attacks; we will cover everything you need to know.

Before I begin, let me discuss the internet vulnerability.

How is the Internet vulnerable?

Many early network protocols that now form part of the Internet infrastructure were designed without security in mind. This was mainly because cybersecurity was not a top priority at the time. Examples of such protocols include HTTP (Hypertext Transfer Protocol), which is used for web browsing, SMTP (Simple Mail Transfer Protocol), which is used for email, and FTP (File Transfer Protocol), which is used for file transfers. These protocols were originally developed with the assumption that all participants on the network were trustworthy, and did not include any mechanisms for authentication, encryption, or integrity protection.

The focus was primarily on making communication between computers possible, and security measures were often considered an afterthought. As a result, attackers can exploit these vulnerabilities to intercept, modify, or steal sensitive data and information.

To address these issues, newer protocols and security protocols such as SSL/TLS (Transport Layer Security), SSH (Secure Shell), and IPsec (Internet Protocol Security) have been developed to provide security services to Internet communications.

However, older protocols that were not designed with security in mind are still in use today, and many organizations continue to rely on them.

💡 As new technologies and applications are being developed, new vulnerabilities and attack vectors emerge, which makes it difficult for security experts to keep up and protect against all potential threats. That is why the internet remains vulnerable.

What is a network attack?

A network attack is an attempt to gain unauthorized access to an organization’s network, with the objective of stealing data or performing other malicious activity. There are two main types of network attacks:

Passive: Attackers gain access to a network and can monitor or steal sensitive information without making any changes to the data, leaving it intact.
Active: Attackers not only gain unauthorized access but also modify data, either deleting, encrypting, or otherwise harming it.

A Brief History of SSL Stripping

The SSL stripping vulnerability was discovered in 2009 by Moxie Marlinspike, a prominent American computer security researcher. He brought out details of how SSL stripping attacks can be executed without anyone ever noticing them making them a serious threat to the digital security of both regular users and businesses.

By the end of this article, you'll have a complete understanding of ****SSL striping attacks.

Let’s goo

What is an SSL stripping attack?

Every connection to a website requires an application protocol, which is either HTTP or HTTPS. HTTP is less secure because it transmits information in plaintext, whereas HTTPS is more secure because it encrypts all information.

SSL stripping attacks are a type of attack in which hackers downgrade a web connection from the more secure HTTPS (Hyper Text Transfer Protocol Secure) to the less secure HTTP (Hyper Text Transfer Protocol).

This attack occurs when the hacker intervenes in the communication as (a man-in-the-middle) between a user and the website server. The hacker sits in the middle of the connection, connecting himself to the target site and connecting the user to their servers. All the traffic from the victim’s machine is routed via a proxy server that is created by the hacker. This allows the hacker to see everything the user sends in unencrypted form.

💡 A proxy server is a server that acts as an intermediary between a client (such as a user's computer) and other servers on the internet. The client sends its requests to the proxy server, which in turn forwards them to the appropriate servers, and vice versa.

How does an SSL stripping attack work?

When you type an address in your browser’s address bar, your browser first connects to the target site over an insecure connection (HTTP). The site then usually responds with a redirect to use a secure protocol (HTTPS) after the SSL handshake succeeds.

What if :

There were a way to get around the SSL handshake ?
- For example, attack the transition from the unsecure connection to the secure connection ?

Yes ! It is possible and that is what we call SSL Stripping attack !

Once hackers have got the traffic (the handshake session), they create a fake valid certificate, mimicking the target web server. To do that, hackers use another type of man-in-the-middle attack to intercept the connection between the legitimate user and the legitimate server, for example ARP spoofing, IP spoofing or DNS cache poisoning.

After inserting themselves in the connection and create a proxy server, if the legitimate user attempt to connect to the legitimate website server, the user will establish a connection with the server fully controlled by the hacker. The hacker’s server then relays all traffic to the target website’s server and back, allowing the hacker to read and modify information along the way.

If the victim wants to use HTTPS when visiting the site, their browser will expect the attacker’s server to present an SSL/TLS certificate for the domain. This requires the attacker to generate a certificate for the target website server and send it to the victim’s browser.

After providing a certificate (fake) to the browser, another challenge is the Certificate Authority ! Browser trusts in certificates signed by a trusted Certificate Authority (CA). If a certificate is not signed by a trusted CA, your browser will show a clear warning and may even refuse to open a page.

💡 Operating systems such as Microsoft Windows and Linux come with a built-in set of trusted Certificate Authorities, but you can always manually add new ones.

For this attack to succeed, hackers need to add their CA to the trusted certificate store in your operating system. This part has to be done through other attack vectors, such as HTTPS Phishing.

Scenario

In this scenario, the target is the foobank.com website, and you are the victim.

The hacker makes a targeted phishing attack against you utilizing JavaScript-related vulnerabilities, causing you to download and install their CA certificate. This allows the hacker to generate TLS/SSL certificates that will be accepted by your browser without warning messages.
The hacker configures their web server to act as a proxy. It accepts all connections to foobank.com and relays them to the real foobank.com website, and does the same with all the responses from the foobank.com website to you.
Your computer is configured to use the DNS caches of your local provider. The hacker performs a DNS cache poisoning (DNS spoofing) attack against your provider’s DNS cache servers, causing your computer’s local cache to store the hacker’s IP address as the IP of foobank*.com*. Until this information expires in your local cache, you will be connecting to the hacker-controlled IP address every time you try to visit foobank.com in your browser.
Now, when you type *https//www.*foobank.com in the address bar, your browser looks up the IP address of *www.*foobank.com in your computer’s local cache and finds the hacker’s IP address. The browser then connects to the hacker’s server and accepts a fake SSL/TLS certificate for foobank.com. No warning is shown because the browser successfully verifies the fake SSL/TLS certificate using the hacker’s CA certificate installed earlier.
Your browser creates an SSL connection to the hacker’s server, and you now have secure, encrypted communications between your browser and the hacker’s server. However, all SSL traffic is decrypted by the hacker, logged and then separately relayed to the real foobank web server via a server-side secure connection. Neither you nor the foobank web server have any way of knowing that this is a MITM attack.

💡 Unfortunately, after inserting their own certificate in your computer by HTTPS Phishing, browsers won’t display any SSL Certificate warning pop-ups, and the victims have no clue that such an attack is going on ☹.

What is HTST ?

HSTS stands for HTTP Strict Transport Security. It is a web security policy mechanism that helps to protect websites against various types of attacks, particularly those related to HTTPS downgrade attacks (striping attacks) and certificate forgery. It prevents hackers from intercepting web traffic and downgrading the connection to HTTP, replacing the secure HTTPS connection with an insecure one. Not only that, but it also protects against attacks where an attacker tries to use fraudulent or forged digital certificates to impersonate an HTTPS website. In the next section we will see how HSTS aids in preventing SSL attacks.

How does HSTS aid in preventing attacks like SSL stripping attacks?

HTTP Strict Transport Security was defined as a standard web security in 2012 in RFC 6797. The primary goal of creating this standard was to help avoid man-in-the-middle (MITM) attacks that use SSL stripping.

Websites using HSTS often do not accept clear text HTTP, either by rejecting connections over HTTP or systematically redirecting users to HTTPS.

When you type foobank.com in your browser and press enter, the browser will first try to use an HTTP tunnel and then the server will respond and redirect to an HTTPS tunnel if SSL handshake succeds. Hackers insert themselves in the communication when the tunnel is ensecure (thus HTTP). So, if we can prevent the browser to use the HTTP tunnel, we can prevent hackers from inserting themselves in the communication as a man-in-the-middle.

The HSTS Policy is communicated by the server to the user agent (browser) via an HTTP response header field named Strict-Transport-Security. HSTS Policy specifies a period of time during which the user should only access the server in a secure tunnel (HTTPS).

But this protection applies after a user has visited the site at least once, using the principle of "trust on first use". The way this protection works is that when a user enter or select a URL to the site that specifies HTTP, the user will be redirected directely to HTTPS before making a request to the website server, which prevents the HTTP man-in-the-middle attack from occurring.

💡 Trust on first use (TOFU), or trust upon first use (TUFU), is an authentication scheme used by client software which needs to establish a trust relationship with an unknown or not-yet-trusted endpoint. In a TOFU model, the client will try to look up the endpoint's identifier, usually either the public identity key of the endpoint, or the fingerprintof said identity key, in its local trust database. If no identifier exists yet for the endpoint, the client software will either prompt the user to confirm they have verified the purported identifier is authentic, or if manual verification is not assumed to be possible in the protocol, the client will simply trust the identifier which was given and record the trust relationship into its trust database. If in a subsequent connection a different identifier is received from the opposing endpoint, the client software will consider it to be untrusted.

The Strict-Transport-Security header gives specific instructions to the browser.

A server send a header field such that future requests to the domain for the next year use only HTTPS: Strict-Transport-Security: max-age=31536000.

So, from now on, every connection to the site and its subdomains for the next year (31536000 seconds from the moment this header is received) must be an HTTPS connection. HTTP connections are not allowed at all. If the browser receives a request to load a resource using HTTP, it must try an HTTPS request instead. If HTTPS is not available, the connection must be terminated.

When a web application issues HSTS Policy to user agents, conformant user agents behave as follows :

Automatically turn any insecure links referencing the web application into secure links (e.g. http://example.com/some/page/ will be modified to https://example.com/some/page/ before accessing the server).
If the security of the connection cannot be ensured (e.g. the server's TLS Certificate is not trusted), the user agent must terminate the connection and should not allow the user to access the web application.

💡 This will work only if the hacker didn’t strip the header on the first visit to the site.

Conclusion

It is crucial for both website owners and internet users to be aware of the potential threat posed by SSL stripping attacks and the importance of implementing HSTS (HTTP Strict Transport Security).

By enabling HSTS (HTTP Strict Transport Security) on websites, users' browsers are instructed to only establish secure TLS/SSL connections, thereby mitigating the risks of SSL stripping attacks. HSTS accomplishes this by informing the browser to remember and automatically upgrade any non-secure HTTP requests to HTTPS, ensuring end-to-end encryption.

I hope you found the information I provided to be useful. I constantly make an effort to deliver the highest quality information.

I want to thank you one again for reading. I much appreciate your support and being here!

Regards,

Understanding SSL/TLS: The Key to Secure Online Communication

CREDO23 — Tue, 06 Jun 2023 06:46:40 +0000

Introduction

With the increasing use of internet for various activities such as online shopping, banking, social networking, etc; security has become crucial for users.

When a client is communicating with a server, there can be a transfer of sensitive information such as login credentials, credit card information or others information that are supposed to be private ! In that case, the communication must be secure.

One of the critical components of online security is SSL. In this article, We are going to learn how does SSL work, and in the next article we will see how it can be compromised by hackers and how to protect it against stripping attacks.

What is SSL / TLS

SSL stands for Secure Socket Layer, a security protocol that establish a secure and safe connection between two systems.

It makes sure that any information transferred between two systems is not readable by using encryption algorithms to scramble it.

💡 TLS stands for Transport Layer Security. It is just an update of SSL. It is more secure. So as much as we will discuss SSL and continuously refer to it throughout this article, we will also discuss TLS.

In this article, we are going to focus on Client - Server system. A communication between a web browser (chrome, Firefox, ...) as a client and a web server.

The basic of Client *- Server Communication**

The communication between web browsers and web servers is the foundation of the internet.

It is just a simple request-response process in which the browser requests information from the server and the server responds with the requested information. This communication is facilitated by a set of protocols.

💡 Protocols are the rules and standards that govern the communication between two systems.

The most commonly protocol used for web browser and web server communication is the Hyper Text Transfer Protocol (HTTP).

This communication is essential for the functioning of the internet, but it also presents some **challenges.* As this communication is done over the internet, it is vulnerable to malicious attacks. One of the biggest challenges is ensuring that the communication between those two systems is secure.*

How does the SSL / TLS work ?

As discussed, the primary purpose of SSL is to provide a secure transport-layer connection between two endpoints. In our case, between a website server and the client browser.

When the browser is trying to interact with a secured web server via the SSL protocol, an SSL certificate is needed to ensure that a secure connection is established. If the certificate is valid, the browser said to be “SSL enabled”, it will have a padlock icon just before the URL and will begin with “HTTPS” rather than “HTTP”.

What is an SSL certificate ?

An SSL certificate is a file hosted in the website’s server, it contains :

The domain name that the certificate was issued for
Which person, organization, or device it was issued to
Which certificate authority issued it (CA)
The certificate authority's digital signature
Associated subdomains
Issue and expiration date of the certificate
The public key

To view an SSL certificate's details, you can click on the padlock symbol located within the browser bar.

If a device tries to communicate with this server (secured), the device will use this file to obtain the information listed out above.

Now, we know what is an SSL certificate and its content; let’s see how a secure connection take place:

The process works like this:

A browser attempts to connect to a server (secured with SSL).
The browser requests that the server identifies itself (request the SSL certificate).
The server sends the browser a copy of its SSL certificate in response.
The browser checks to see whether it trusts the SSL certificate. If it does, it signals this to the server.
The server then returns a digitally signed acknowledgment to start an SSL encrypted session.

💡 This process is called “SSL handshake” and it takes place in milliseconds.

The SSL/TLS Handshake

Let’s understand some SSL/TLS terminologies before delve into the specifics of SSL/TLS handshake :

Cipher suite

A cipher is a cryptographic algorithm, a procedure used to encrypt and decrypt data.

Ciphers operate by encrypting the original message (plaintext) via the algorithm’s rules (i.e., the encryption key) to produce what’s known as ciphertext. The ciphertext contains all the information of the original plaintext message but appears as a random string of data. It cannot be read by anyone who doesn’t have the key.

The cipher use a symmetric encryption (when the same key is used for both encryption and decryption), or an asymmetric encryption (when different keys are used for encryption and decryption).

A cipher suite is just a suite of cipher 🙃, in our case:

Key exchange algorithms, such as RSA, DH, ECDH, DHE, ECDHE, or PSK : to exchange keys securely.
Authentication/Digital Signature algorithm, like RSA, ECDSA, or DSA : to ensure that a message was sent by an entity that claims to have sent it, to ensure that the message has not been modified.
Bulk encryption algorithms, like AES, CHACHA20, Camellia, or ARIA : to encrypt messages *exchanged *between *clients *and ****servers, it is a more secured way to encrypt a large amount of data.
Message Authentication Code algorithms, such as SHA-256, and POLY1305 : to authenticate a message, to confirm that the message came from the stated sender and has not been changed.

During the handshake, the browser and the server will agree about a cipher suite to use (set of algorithms) to establish a secure connection. If the client and server do not agree on a cipher suite, no connection will be made. Once the cipher suite is agreed upon, they will proceed with the key exchange.

*Authentication*

Authentication lets each party in a communication verify that the other party is who they say they are.

The client uses the server’s certificate to authenticate the identity the certificate claims to represent.

To authenticate the server, the client must receive a YES answer to these questions:

Is today’s date within the validity period?
Is the issuing CA a trusted CA?
Does the issuing CA’s public key validate the issuer’s digital signature?
Does the domain name in the server’s certificate match the domain name of the server itself?

💡 A CA is an outside organization, a trusted third party, that generates and gives out SSL certificates. The CA will also digitally sign the certificate with their own private key, allowing client devices to verify it.

We've got a grasp on what a cipher is and how the client authenticates the server, so let's have a look at the process of SSL/TLS handshake.

The procedure for establishing an SSL/TLS connection depends on the encryption method employed, but the fundamental procedure is as follows:

The SSL client will send the server a “Client Hello” message that details the client’s configuration settings, including the SSL/TLS version, the cipher suites it supports, and a string of random data referred to as “client random.”
The SSL server sends back a “Server Hello” message containing its own public key, digital certificate, the cryptographic algorithm agreement (selected by the server from the client-supplied list of algorithms), and the “server random”.
The client performs authentication by contacting the server’s certificate authority (CA) to validate the web server’s digital certificate. This confirms the authenticity of the web server, thus, establishing trust.
The client uses the extracted public key from the verified certificate and generates a 48-bit string called the premaster secret. The premaster secret is then encrypted using the extracted public key and is sent to the server. The premaster secret will be used for both client and server to generate the symmetric keys used for the secured session.
The SSL/TLS server decrypts the premaster secret using its private key.
Both client and server generate session keys from the client random, the server random, and the premaster secret. They should arrive at the same results (a shared key).
Next, the client sends an encrypted “finished” message using the shared secret key. This message says that the client’s part of the handshake is complete.
Finally, an encrypted “finished” message is sent back to the client from the server using the previously agreed shared secret key, which indicates the end of the server’s side of the handshake.
Once the SSL/TLS handshake and negotiation is done, the server and the client communication continues, i.e., they begin to share files and messages using the session keys (symmetric encryption).

Conclusion

SSL/TLS plays a crucial role in securing online communication and protecting sensitive data. It is important for websites and applications to implement SSL/TLS protocols to ensure the trust and confidence of users. As technology advances, it is also important to stay up-to-date with the latest SSL/TLS versions and best practices to maintain a secure online environment.

I hope that the information I have shared has been informative, helpful and thought-provoking. I always strive to provide the best content possible.

Once again, thank you so much for reading. Your presence and support mean a lot to me!

See you soon!

Best regards,

How to validate form inputs in an Expressjs app with joi package

CREDO23 — Mon, 31 Oct 2022 19:06:37 +0000

This tutorial requires knowledge of using the expressjs framework

If you have been building web applications using an Express framework or any other Node.js framework, validation plays a crucial role in any web app which requires you to validate the request body.

Why do we need server-side validation?

The client side validation is not enough , it is within reach of the client.
A user can turn off client-side JavaScript validation and manipulate the data.

In this tutorial, you’ll learn how to validate form in an Express.js app using an open source and popular module called joi. We will be able to avoid data type errors that can be done by a client .

Introduction to joi

The definition on the official web site says :

joi lets you describe your data using a simple, intuitive, and readable schema.

General use of joi

Usage is a two steps process:

First, a schema is constructed using the provided types and constraints:

           const schema = Joi.object({
                a: Joi.string(),
                b: Joi.number(),
                c: Joi.string().email()
           });

Note that joi schema objects are immutable which means
every additional rule added (e.g. .min(5)) will return a
new schema object.

Second, the value is validated against the defined schema:

           const result = schema.validate({ 
                a: 'a string' 
                b: 243
                c: 'bakerathierry@gmail.com'
            });

If the input is valid, then req.body will be assigned to
result.
If the input is invalid, an explicit error will be thrown
and assigned to result.

In this tutorial we will be using its asynchronous
validation method validateAsync

Let's take a look at a basic user route without any validation module to create a user: /route/user

   router.post('/', userController.createUser)

Now in user controller ./controllers/user

   const User = require('./models/user')

   exports.createUser = (req, res, next) => {

   try{

      const { userName, email, phone, status } = req.body

      if (userName && phone && email)) { 

         const newUser = new User({...req.body})

         const savedUser = newUser.save()

         if(savedUser){

            res.json({
             msg : 'User created successfully',
             data : savedUser,
             error : null,
             success : true
             }))

         }
     }

      }catch(error){
        next(error)
      }
  };

The above code is just a basic example of validating fields on your own.

You can handle some validations in your user model using Mongoose. For best practices, we want to make sure validation happens before business logic.

joi will take care of all these validations and the sanitization of inputs as well.

Installation

With npm

   npm insatll joi --save

With Yarn

   yarn add joi

Now , let's create a separate file in validation folder which content our schema validation , we have to include the validation module (joi) in this file.

   const joi = require('joi')

   const userSchema = joi.object({
            userName : Joi.string().required(),
            phone : Joi.number().optionnal(),
            email : Joi.string().email().required()
         });

  module.exports = userSchema

For more details about joi , go to joi

In this schema , we mention that :

the userName must be :

a string ( .string( ) )

required ( .required() )

the phone number must be :

a number ( .number( ) )

the email must be :

a string ( .string( ) )

a valid email ( .email( ) )

required ( .required( ) )

As you can see we use .optional( ) method to mention that the field can be missed ( not required )

** Now we can use our schema whenever we want in the app . **

Let's use that in the user controller /controllers/user :

   const User = require('./models/user')
   const userRegisterValidation = 
         require('./validation/userRegister')

   exports.createUser = async (req, res, next) => {

   try{

      const result =         
          await 
          userRegisterValidation.validateAsync({...req.body})

      if (result) { 

         const newUser = new User({...result})

         const savedUser = newUser.save()

         if(savedUser){

            res.json({
             msg : 'User created successfully',
             data : savedUser,
             error : null,
             success : true
             }))

         }
     }

      }catch(error){
        next(error)
      }
  };

If email is missed , a validation error will be thrown :


    error : {
              message : " The email is required "
            }

If phone is not a number :


    error : {
              message : " The phone must be a number "
            }

And so one ...

As you can see this module ( joi ) is helpful when it becomes to validate the client's form in server side , it maintain the code quality as well , but focused on business logic .

I have tried my best and hope I covered enough to explain it so that you can get started.

If you encounter any problems, feel free to comment below.
I would be happy to help :)

DEV Community: CREDO23

Everything You Need to Know About SSL Stripping attacks & HTTP Strict Transport Secure

Introduction

How is the Internet vulnerable?

What is a network attack?

A Brief History of SSL Stripping

What is an SSL stripping attack?

How does an SSL stripping attack work?

Scenario

What is HTST ?

How does HSTS aid in preventing attacks like SSL stripping attacks?

Conclusion

Understanding SSL/TLS: The Key to Secure Online Communication

Introduction

What is SSL / TLS

The basic of Client - Server Communication*

How does the SSL / TLS work ?

What is an SSL certificate ?

The SSL/TLS Handshake

Conclusion

How to validate form inputs in an Expressjs app with joi package

Why do we need server-side validation?

Introduction to joi

General use of joi

Installation

The basic of Client *- Server Communication**