Last post Jan 09, 2017 08:01 AM by Jean Sun
Jan 06, 2017 05:35 AM|priyalwalpita
I am developing a Web application using ASP.NET MVC. I deployed the application in IIS (v8) and am now doing the Web app hardening process. I configured SSL in IIS and the Web app is functioning using SSL only (using secured cookies, etc.).
I did some security tests, and one test I did was trying to intercept the SSL traffic using a proxy. I used BurpSuite for this test and installed Burp's certificate in my browser.
I can easily inspect all HTTPS traffic using the Burp tool. I know this is possible only if we install the interceptor's certificate in the client browser. Otherwise it will give the broken SSL notification.
My problem is: how can we prevent any interceptor from analysing the HTTPS traffic, even if someone installs the interceptor's certificate in the client browser?
I heard that if we implement HSTS (HTTP Strict Transport Security) we can resolve this issue.
Jan 09, 2017 08:01 AM|Jean Sun
The following link shows what the SSLStrip attack is, how an attacker performs it, and how to prevent it. Please take it as reference.
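As an added example that is not part of either post above, here is how HSTS is typically enabled in an ASP.NET MVC 5 application on IIS: a global action filter that sends the `Strict-Transport-Security` header on HTTPS responses and redirects plain-HTTP requests to HTTPS. The namespace, class name and the one-year `max-age` value are assumptions for the example, not values from the thread.

```csharp
// Added example (not code from the original thread): an ASP.NET MVC 5 global
// action filter that enforces HTTPS and emits the HSTS header.
// Namespace, class name and header value are assumptions for illustration.
using System;
using System.Web;
using System.Web.Mvc;

namespace HardeningExample   // hypothetical namespace
{
    public sealed class HstsAttribute : ActionFilterAttribute
    {
        // One-year policy that also covers subdomains. RFC 6797 defines the header
        // as meaningful only on HTTPS responses, so it is sent only there.
        private const string HstsValue = "max-age=31536000; includeSubDomains";

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var request = filterContext.HttpContext.Request;
            var response = filterContext.HttpContext.Response;

            if (request.IsSecureConnection)
            {
                // Browsers cache this policy and refuse plain-HTTP connections to
                // the host for max-age seconds, which is what defeats SSLStrip-style
                // downgrades after the first HTTPS visit.
                response.AppendHeader("Strict-Transport-Security", HstsValue);
                return;
            }

            // Plain-HTTP request: redirect GET/HEAD to the HTTPS equivalent and
            // refuse other methods, so a body is never accepted over cleartext.
            bool idempotent =
                string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase) ||
                string.Equals(request.HttpMethod, "HEAD", StringComparison.OrdinalIgnoreCase);

            if (!idempotent)
            {
                filterContext.Result = new HttpStatusCodeResult(403, "HTTPS required");
                return;
            }

            var httpsUrl = new UriBuilder(request.Url)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = -1   // -1 selects the default port for the scheme (443)
            }.Uri.AbsoluteUri;

            filterContext.Result = new RedirectResult(httpsUrl, permanent: true);
        }
    }

    // Registered from App_Start/FilterConfig.cs so every controller gets the policy.
    public static class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HstsAttribute());
        }
    }
}
```

Two caveats worth checking in a deployment like the one described. First, `Request.IsSecureConnection` reflects the connection IIS itself terminated; behind a TLS-offloading load balancer it will be false, and the filter must instead inspect the forwarded-protocol header the balancer sets. Second, HSTS addresses the downgrade scenario the answer refers to (a browser being kept on plain HTTP), not a proxy whose root certificate the user has deliberately installed: in that case the browser sees a chain it trusts, so no certificate error exists for HSTS to block. That interception is a property of the client device's trust store, and the server-side controls above do not change it.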