HSTS & Pinning Bypass: Lookalike Domains

TL;DR

This guide shows how attackers sidestep HSTS (HTTP Strict Transport Security) and public key pinning with lookalike domains. Neither mechanism is defeated on the real site: both are keyed to the exact hostname the browser connects to, so a visually similar domain that the attacker owns simply carries no policy at all. We cover punycode and IDN homograph domains, subdomain takeover, and how victims are lured to them.

Understanding the Attacks

Both HSTS and public key pinning defend a specific origin against man-in-the-middle (MITM) attacks: HSTS makes the browser refuse plain HTTP for a hostname it has previously received the header from (or that is preloaded), and pinning restricts which keys the browser will accept for that hostname. The policy is stored per hostname, so it says nothing about a different hostname that merely looks the same. Attackers exploit that gap, together with the way browsers render internationalized domain names, rather than any flaw in HSTS or pinning itself.

1. Punycode Manipulation

Punycode (RFC 3492) is the ASCII encoding used for internationalized domain names: a label containing non-ASCII characters is stored in DNS as xn-- followed by its remaining ASCII letters and an encoded suffix, and the browser decides per label whether to show the Unicode form or the raw xn-- form. Attackers register a domain whose Unicode form looks like the target and whose xn-- form looks like nothing in particular, so what the user sees depends entirely on the browser's display rules.

  1. Identify Target Domain: Let’s say the target domain is example.com.
  2. Find Punycode Equivalent: Pick a Unicode label that resembles the target (for example, replace one Latin letter with its Cyrillic twin) and run it through an IDNA encoder (an online converter, or the idna codec available in most languages) to get the xn-- form that the registrar and DNS will see. The ASCII letters you did not replace stay visible after xn--, followed by a suffix that encodes the substituted characters; the suffix depends on the position and code point of each substitution, so compute it rather than guessing.
  3. Register Lookalike Domain: Register the xn-- domain if it is available, and obtain a certificate for it if the page should show a padlock; domain validation succeeds because you control the name.
  4. Lure Traffic: Send the victim to the lookalike through phishing mail, ads or mistyped URLs. The browser holds no HSTS entry and no pins for this hostname, so even a plain http:// link works, and nothing on the real site is touched. Note that an on-path attacker cannot simply redirect an HSTS-protected request for example.com to the lookalike: the browser upgrades that request to HTTPS before sending it, and the attacker holds no valid certificate for example.com.
dig example.com +trace #Check DNS records of target domain

2. IDN Homograph Attacks

IDN (Internationalized Domain Names) allows domains to be registered using characters from many scripts. Homographs are characters that look alike but have different Unicode code points, such as Latin a (U+0061) and Cyrillic а (U+0430). Punycode is merely how such a name is encoded on the wire; this attack is about what the user sees in the address bar.

  1. Identify Target Domain: Again, let’s use example.com.
  2. Find Homographic Characters: Find Unicode characters that resemble the letters of the target (e.g., Cyrillic ‘а’ U+0430 for Latin ‘a’, Cyrillic ‘е’ U+0435 for Latin ‘e’, Cyrillic ‘о’ U+043E for Latin ‘o’).
  3. Register Lookalike Domain: Register a domain with those characters, e.g. exаmple.com with a Cyrillic ‘а’ in place of the Latin one. A label that mixes Latin and Cyrillic like this is rendered in its xn-- form by current browsers, and some registries refuse mixed-script labels outright, so the practical variants are whole-script confusables in which every letter comes from a single script (an all-Cyrillic label has nothing to trip a mixed-script check).
  4. Lure Traffic: As with the punycode case, the attacker sends the victim to the lookalike by phishing or typosquatting. No MITM position is needed, and none would help, because the real domain’s HSTS policy is keyed to its own hostname.

Browsers are getting better at this: mixed-script labels and some individually confusable characters are shown as punycode, and Chrome adds a whole-script check for Cyrillic lookalikes. Coverage differs between browsers, though, and whole-script lookalikes can still be registered, so a user reading the address bar remains the last line of defence.
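The steps in sections 1 and 2 are the same procedure seen from two sides, so here is one added example (not code from the original post) that covers both: it generates homograph variants of a label from a small constructed confusables table, prints the xn-- form a registrar and DNS would see, and applies a mixed-script check of the kind browsers use to decide whether to render the Unicode form. The confusables table is a deliberately short, hand-picked subset; the script classification from Unicode character names and the display rule are simplifications of what real browsers do.

```python
"""Added example, not from the original post: build homograph variants of a
domain label, show their punycode (xn--) form, and apply a mixed-script test
of the kind browsers use when deciding whether to render the Unicode form."""
import itertools
import unicodedata

# Constructed, deliberately small confusables table (Latin letter -> lookalikes).
# Real tooling uses the full Unicode confusables.txt; these are common pairs.
CONFUSABLES = {
    "a": ["\u0430"],             # Cyrillic small a
    "c": ["\u0441"],             # Cyrillic small es
    "e": ["\u0435"],             # Cyrillic small ie
    "i": ["\u0456"],             # Cyrillic small byelorussian-ukrainian i
    "l": ["\u04cf"],             # Cyrillic small palochka
    "o": ["\u043e", "\u03bf"],   # Cyrillic small o, Greek small omicron
    "p": ["\u0440"],             # Cyrillic small er
    "s": ["\u0455"],             # Cyrillic small dze
    "x": ["\u0445"],             # Cyrillic small ha
}


def script_of(ch):
    """Coarse script of one character, derived from its Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("CYRILLIC", "GREEK", "LATIN"):
        if name.startswith(script):
            return script
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return "OTHER"


def mixed_script(label):
    """True if the label mixes two or more scripts (digits and '-' ignored)."""
    return len({script_of(c) for c in label} - {"COMMON"}) > 1


def to_punycode(domain):
    """Registrar-/DNS-facing form: each non-ASCII label becomes xn--<punycode>."""
    return domain.encode("idna").decode("ascii")


def display_form(domain):
    """Simplified browser rule: show Unicode only if no label mixes scripts,
    otherwise fall back to the xn-- form so the user sees something odd."""
    if any(mixed_script(label) for label in domain.split(".")):
        return to_punycode(domain)
    return domain


def homograph_variants(label, max_substitutions=1):
    """Every label obtained by swapping up to max_substitutions characters
    for a confusable; each is a candidate domain to check at a registrar."""
    positions = [i for i, c in enumerate(label) if c in CONFUSABLES]
    for k in range(1, max_substitutions + 1):
        for idxs in itertools.combinations(positions, k):
            for combo in itertools.product(*(CONFUSABLES[label[i]] for i in idxs)):
                chars = list(label)
                for i, rep in zip(idxs, combo):
                    chars[i] = rep
                yield "".join(chars)


def whole_script_variant(label, script="CYRILLIC"):
    """Replace every letter with a confusable from a single script. Such labels
    pass a mixed-script check, so the browser may render them as Unicode.
    Returns None if some letter has no confusable in that script."""
    out = []
    for c in label:
        if c.isdigit() or c == "-":
            out.append(c)
            continue
        reps = [r for r in CONFUSABLES.get(c, []) if script_of(r) == script]
        if not reps:
            return None
        out.append(reps[0])
    return "".join(out)


if __name__ == "__main__":
    for v in homograph_variants("example"):
        d = v + ".com"
        print(d, "->", to_punycode(d), "| displayed as:", display_form(d))
    whole = whole_script_variant("apple")  # 'm' in "example" has no entry, so use "apple"
    d = whole + ".com"
    print(d, "->", to_punycode(d), "| displayed as:", display_form(d))
```

Every single-substitution variant of example trips the mixed-script check and is displayed as xn--exmple-…, whereas the all-Cyrillic variant of apple passes it and is displayed in Unicode; that difference is why whole-script confusables are the ones worth registering defensively.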

3. Subdomain Takeover

Subdomain takeover happens when a subdomain (e.g., blog.example.com) still has a DNS record (usually a CNAME, sometimes an A record or an NS delegation) pointing at a third-party resource that the owner has since deleted, such as a Heroku app, an S3 bucket or a GitHub Pages site. Anyone who can create a resource with that name at the provider then serves content for the subdomain, without touching the victim's DNS.

  1. Identify Subdomains: Use tools like sublist3r, certificate transparency logs or online subdomain finders to enumerate subdomains of the target domain.
  2. Check DNS Records: For each name, resolve the CNAME with dig and look for targets at Heroku, AWS S3, GitHub Pages or other providers that let customers choose resource names. Then fetch the host over HTTP and look for the provider's "no such app / bucket / site" page; a CNAME to a provider alone is not evidence, the unclaimed response is.
  3. Claim Subdomain: If the resource is unclaimed, create an account at that provider, create a resource with the exact name the CNAME points to, and (where the provider requires it) add the subdomain as a custom domain. The record on the victim's side needs no change.
  4. Serve Content: Host a phishing page or redirect on the taken-over subdomain. If example.com sent HSTS without includeSubDomains, the browser will load blog.example.com over plain HTTP. If includeSubDomains is set, the attacker instead requests a publicly trusted certificate for blog.example.com, which domain validation grants because they control what the name resolves to. Either way the victim sees a genuine subdomain of the brand, and any cookies set with Domain=example.com are sent to it.
sublist3r -d example.com #Find subdomains of example.com
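The DNS-record check in steps 2 and 4 is mechanical enough to script. The following is an added example, not code from the original post: the DNS answers and HTTP bodies are constructed so it runs offline, the provider suffixes and "unclaimed" fingerprints are the commonly documented ones for those services (verify them against the provider's current responses before relying on them), and the hostnames are illustrative.

```python
"""Added example, not from the original post: flag subdomains whose CNAME
points at a third-party service AND whose HTTP response carries that
service's 'unclaimed' fingerprint. DNS records and HTTP bodies are
constructed here so the logic runs offline; in practice they come from
`dig +short CNAME <name>` and a plain GET to the host."""

# (suffix of the CNAME target, provider name, body fingerprint of an unclaimed resource)
# Fingerprints are the commonly documented ones; check them against current responses.
PROVIDERS = [
    (".herokuapp.com.", "Heroku", "No such app"),
    (".s3.amazonaws.com.", "Amazon S3", "NoSuchBucket"),
    (".github.io.", "GitHub Pages", "There isn't a GitHub Pages site here"),
    (".myshopify.com.", "Shopify", "Sorry, this shop is currently unavailable"),
]

# Constructed DNS answers, in the shape `dig +short` would return.
RECORDS = {
    "blog.example.com.":   ("CNAME", "old-marketing-app.herokuapp.com."),
    "assets.example.com.": ("CNAME", "example-assets.s3.amazonaws.com."),
    "docs.example.com.":   ("CNAME", "example-org.github.io."),
    "shop.example.com.":   ("CNAME", "shops.myshopify.com."),
    "www.example.com.":    ("A", "203.0.113.10"),
}

# Constructed HTTP response bodies for each host (what a GET would return).
BODIES = {
    "blog.example.com.":   "<h1>No such app</h1>",
    "assets.example.com.": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.com.":   "<title>Example Docs</title>Welcome to the docs",
    "shop.example.com.":   "Sorry, this shop is currently unavailable.",
    "www.example.com.":    "<title>Example</title>",
}


def provider_for(target):
    """Match a CNAME target against the known-provider suffix list."""
    target = target.lower()
    for suffix, name, fingerprint in PROVIDERS:
        if target.endswith(suffix):
            return name, fingerprint
    return None


def takeover_candidates(records, bodies):
    """Return {subdomain: provider} for records that point at a known provider
    AND whose response shows the unclaimed fingerprint. docs.example.com below
    points at GitHub Pages but serves a live site, so it is not flagged."""
    found = {}
    for name, (rtype, value) in records.items():
        if rtype != "CNAME":
            continue  # A/AAAA to a released cloud IP is a different check
        match = provider_for(value)
        if match is None:
            continue
        provider, fingerprint = match
        if fingerprint in bodies.get(name, ""):
            found[name] = provider
    return found


if __name__ == "__main__":
    for sub, prov in takeover_candidates(RECORDS, BODIES).items():
        print(f"{sub:<24} dangling CNAME -> {prov}: claim the target name at the provider")
```

To run it live, fill RECORDS from the CNAME answers for each name sublist3r returned and BODIES from a GET to each host; the logic is unchanged. The same script, run by the domain owner on a schedule, is the "subdomain monitoring" control from the mitigation list.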

4. Combining Techniques

Attackers often combine these techniques for greater success.

  • Homograph Domain + Subdomain Takeover: use the homograph domain in the lure, where it only has to survive a glance at the sender or link, and the taken-over subdomain as the landing page, where the genuine hostname (and any Domain=example.com cookies the browser sends along) lends credibility.
  • IDN Homograph + HSTS Bypass: serve the homograph domain over HTTPS with its own valid certificate. After the browser normalizes the hostname it is simply a different name from example.com, so no HSTS entry, preload entry or pin applies; all that remains are the browser’s IDN display rules and the user’s eye.
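To make the scope rules behind the two combinations concrete, here is an added example (not code from the original post) that models the browser's HSTS policy store. The hostnames and header values are constructed; the matching rules follow RFC 6797 (a stored policy covers the exact host, and its subdomains only when includeSubDomains is present). It shows that a Cyrillic lookalike is never covered by example.com's policy, while a taken-over subdomain is covered only under includeSubDomains.

```python
"""Added example, not from the original post: a small model of the browser's
HSTS policy store, used to show why a lookalike domain is never covered by
the real site's policy and why a subdomain is covered only with
includeSubDomains. Hostnames and headers are constructed."""


def canonical_host(host):
    """What the browser keys policy on: lower-cased, IDNA (xn--) encoded,
    trailing dot removed. A Cyrillic lookalike stays a different key."""
    return host.rstrip(".").lower().encode("idna").decode("ascii")


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a policy dict, or None
    when max-age is missing, malformed or zero (max-age=0 means forget)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if not policy["max_age"]:
        return None
    return policy


class HstsStore:
    """Browser-side store: canonical host -> policy, learned from HTTPS responses."""

    def __init__(self):
        self.policies = {}

    def learn(self, host, header):
        policy = parse_hsts(header)
        key = canonical_host(host)
        if policy is None:
            self.policies.pop(key, None)
        else:
            self.policies[key] = policy

    def must_use_https(self, request_host):
        """True if some stored policy covers request_host (RFC 6797 matching)."""
        host = canonical_host(request_host)
        for known, policy in self.policies.items():
            if host == known:
                return True
            if policy["include_subdomains"] and host.endswith("." + known):
                return True
        return False


def demo():
    """Compare the narrow policy many sites deploy with the preload-eligible one."""
    store = HstsStore()
    store.learn("example.com", "max-age=31536000")  # no includeSubDomains
    narrow = {
        "example.com": store.must_use_https("example.com"),
        "blog.example.com": store.must_use_https("blog.example.com"),  # taken-over subdomain
        "ex\u0430mple.com": store.must_use_https("ex\u0430mple.com"),  # Cyrillic lookalike
    }
    store.learn("example.com", "max-age=31536000; includeSubDomains; preload")
    wide = {
        "blog.example.com": store.must_use_https("blog.example.com"),
        "ex\u0430mple.com": store.must_use_https("ex\u0430mple.com"),
    }
    return narrow, wide


if __name__ == "__main__":
    narrow, wide = demo()
    print("max-age only:          ", narrow)
    print("with includeSubDomains:", wide)
```

Under the narrow policy the taken-over blog.example.com may be loaded over plain HTTP; under includeSubDomains it must be HTTPS, which only forces the attacker to obtain a certificate for a name they already control. The lookalike is outside the policy in both cases, which is the whole point of the technique.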

Mitigation

  • Lookalike Monitoring and Defensive Registration: generate the obvious homograph and typo variants of your domains, register the ones that matter, and watch certificate transparency logs for the rest, since a convincing lookalike will normally get its own certificate.
  • HSTS Preloading: send the header with a max-age of at least one year, includeSubDomains and preload, and submit the domain to the preload list. includeSubDomains is what stops a taken-over subdomain from being served over plain HTTP; it does not stop the attacker from obtaining a certificate for it, so it complements subdomain hygiene rather than replacing it.
  • Public Key Pinning, with Care: HPKP has been removed from Chrome and Firefox, so pinning no longer protects a website. Pinning is still useful in native and mobile clients that you ship, where it is keyed to the hostname you pin: it does nothing against a lookalike, but it blocks a fraudulently issued certificate for the real name. Keep a backup pin and monitor expiry, because a stale pin locks out your own users.
  • Host-Only Cookies: set session cookies without a Domain attribute so they are not sent to subdomains; this limits what a taken-over subdomain can steal.
  • Regular Security Audits: conduct regular security audits that include the DNS zone and its third-party targets, not just the web application.
  • Subdomain Monitoring: keep an inventory of every DNS record and the resource it points at, remove the record before you delete the resource, and periodically check CNAME targets for the provider’s "unclaimed" response.