Insecure HTTP Usage
Invicti identified that the target website allows web browsers to access the website over HTTP and doesn't redirect them to HTTPS.
HSTS is implemented on the target website; however, HTTP requests are not redirected to HTTPS. This significantly decreases the value of the HSTS implementation.
For example, visitors who haven't previously visited the HTTPS version of the website will not be able to take advantage of HSTS.
Configure your webserver to redirect HTTP requests to HTTPS.
For example, for Apache, you should make the following modification in httpd.conf. For more configurations, please refer to the External References section.
# redirect all HTTP to HTTPS
<VirtualHost *:80>
    ServerAlias *
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
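To confirm the redirect is in place after the change, the response to a plain-HTTP request can be classified as below. This is an added example, not Invicti's or Apache's code; the function names, verdict strings, and the sample responses for the placeholder host example.test are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def classify_http_response(host, status, headers):
    """Classify the response to a plain-HTTP GET for `host`."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status not in REDIRECT_CODES:
        return "served-over-http"          # content (or an error) delivered without TLS
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        return "redirect-not-https"        # relative or http:// Location stays on HTTP
    if (target.hostname or "") != host.lower():
        return "redirect-other-host"       # HTTPS, but not the host that was requested
    return "https-permanent" if status in (301, 308) else "https-temporary"

def fetch_http(host, path="/", timeout=5):
    """Issue one GET over port 80 without following redirects (needs network access)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses for the placeholder host example.test
SAMPLES = {
    "no redirect": (200, {"Content-Type": "text/html"}),
    "apache rule": (301, {"Location": "https://example.test/"}),
    "temporary":   (302, {"location": "https://example.test/login"}),
    "still http":  (301, {"Location": "http://example.test/home"}),
    "other host":  (301, {"Location": "https://www.example.test/"}),
}

def run_samples(host="example.test"):
    """Classify every constructed sample; returns {sample name: verdict}."""
    return {name: classify_http_response(host, s, h) for name, (s, h) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:12} -> {verdict}")
```

Against a live server, pass the result of `fetch_http(host)` to `classify_http_response(host, status, headers)`; the Apache rule shown above should yield `https-permanent`.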