SSLstrip: Force HTTPS Redirect

TL;DR

You’ve got a website redirecting HTTP to HTTPS (usually with a 301 permanent redirect), and you want to use SSLstrip to intercept traffic. This guide shows how to bypass the cache and force SSLstrip to work.

Solution Guide

  1. Understand the Problem: A 301 redirect is permanent, so browsers cache it and go directly to the HTTPS version of your site on later visits. This means even if you try to access it via HTTP, the browser won’t ask your server; it will automatically connect to HTTPS. SSLstrip needs an initial HTTP connection to work its magic.
  2. Clear Browser Cache: The first step is to clear your browser’s cache completely. This forces a fresh request to your server instead of using the cached redirect information. The method varies by browser:
    • Chrome/Edge: Press Ctrl+Shift+Delete (or Cmd+Shift+Delete on Mac). Select ‘Cached images and files’ and clear everything from ‘All time’.
    • Firefox: Press Ctrl+Shift+Delete. Select ‘Cache’ and clear everything from ‘Everything’.
  3. Flush DNS Cache (Optional, but Recommended): Sometimes your operating system caches DNS information too. Flushing this can help.
    • Windows: Open Command Prompt as administrator and run
      ipconfig /flushdns
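    • macOS: Open Terminal and run
      sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

      (you’ll need your password). These two commands are macOS-specific; on Linux the cache to flush depends on which local resolver, if any, is running.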

  4. Use a Different Browser or Incognito Mode: If clearing the cache doesn’t work, try a different browser entirely. Alternatively, use your current browser’s incognito/private browsing mode. These modes typically don’t use existing caches.
  5. Test with `curl` (For Verification): Use `curl` to confirm whether the redirect is still happening before involving SSLstrip. The `-I` flag sends a HEAD request and shows only the response headers, which will reveal any redirects.
    curl -I http://yourwebsite.com

    If you see a 301 response with a Location header pointing to HTTPS, the redirect is active.

  6. Modify Your Server Configuration (Temporary): The most reliable solution is to temporarily disable or comment out the HTTP-to-HTTPS redirect rule in your web server configuration file. This allows SSLstrip to intercept the initial HTTP request.
    • Apache: Find the relevant RewriteRule directive in your `.htaccess` or virtual host file and comment it out (add a `#` at the beginning of the line).
    • Nginx: Locate the server { ... } block for port 80 and comment out the redirect configuration.

    Important: Remember to re-enable the redirect after you’ve finished testing with SSLstrip!

  7. Start SSLstrip: Now that the redirect is bypassed, start SSLstrip using your preferred method. For example:
    sslstrip -l 8080
  8. Configure Your Proxy (if needed): If you’re not running SSLstrip directly on the target machine, configure your browser to use a proxy server pointing to the IP address and port where SSLstrip is listening (e.g., 127.0.0.1:8080).
  9. Access Your Website via HTTP: Finally, access your website using HTTP in your browser. SSLstrip should now intercept the traffic and downgrade it to plain text.
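
A check for steps 5 and 6, as an added example that is not part of the original guide: it parses `curl -I` output and reports whether the HTTP-to-HTTPS redirect is in place, which is a quick way to confirm the redirect has been re-enabled after testing. The sample responses and the function names are constructed for illustration.

```python
import re

# Constructed samples of `curl -I http://yourwebsite.com` output (not captured from a real host).
SAMPLE_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: https://yourwebsite.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_NO_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

PERMANENT = {301, 308}       # cacheable by browsers (the behaviour in step 1)
TEMPORARY = {302, 303, 307}  # followed, but not cached by default


def parse_head(raw):
    """Return (status_code, headers) for the first response in `curl -I` output."""
    block = raw.replace("\r\n", "\n").strip().split("\n\n")[0]
    lines = block.split("\n")
    match = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not match:
        raise ValueError("no HTTP status line found")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def redirect_state(raw):
    """Classify the port-80 response: is the HTTPS redirect in place?"""
    status, headers = parse_head(raw)
    if status not in PERMANENT | TEMPORARY:
        return "no-redirect"          # site answers over plain HTTP
    if not headers.get("location", "").lower().startswith("https://"):
        return "redirect-not-https"   # redirects, but not to an HTTPS URL
    return "permanent-https" if status in PERMANENT else "temporary-https"


if __name__ == "__main__":
    for label, raw in (("redirect on", SAMPLE_REDIRECT), ("redirect off", SAMPLE_NO_REDIRECT)):
        print(label, "->", redirect_state(raw))
```
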