Closed jeegarjani closed 5 years ago
You can't bypass HSTS this way. The browser already knows that the site should be served via HTTPS only at the point it shows this warning. This would only help with sites not using hsts and sites the user visits for the first time.
If you want more information about how HSTS works I'd suggest reading the RFC 6797
Then for request sending in Fake dns instead of connection request to Google.com or WhatsApp or other such which use HSTS we can manipulate the script to request connection for tempmail.com and other such sites which doesn't use HSTS so the question of warning message doesn't arrive.
On Fri, 1 Mar 2019, 4:05 pm rad4day, notifications@github.com wrote:
You can't bypass HSTS this way. The browser already knows that the site should be served via HTTPS only at the point it shows this warning. This would only help with sites not using hsts and sites the user visits for the first time.
If you want more information about how HSTS works I'd suggest reading the RFC 6797 https://tools.ietf.org/html/rfc6797
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/FluxionNetwork/fluxion/issues/697#issuecomment-468621074, or mute the thread https://github.com/notifications/unsubscribe-auth/At48IMvgJaT_kWkO8kwfxA0MEYlISnnmks5vSQJxgaJpZM4bYgGM .
Sophorn the developer of wifiphisher had mentioned in one of his comments there are various tricks like using evilginx along with wifiphisher to bypass HSTS similarly if we integrate same automation within the tool it can work..is what I think..
There is wifi pumpkin tool also which bypasses HSTS sites.
On Fri, 1 Mar 2019, 4:15 pm Jeegar jani, jeegarjani@gmail.com wrote:
Then for request sending in Fake dns instead of connection request to Google.com or WhatsApp or other such which use HSTS we can manipulate the script to request connection for tempmail.com and other such sites which doesn't use HSTS so the question of warning message doesn't arrive.
On Fri, 1 Mar 2019, 4:05 pm rad4day, notifications@github.com wrote:
You can't bypass HSTS this way. The browser already knows that the site should be served via HTTPS only at the point it shows this warning. This would only help with sites not using hsts and sites the user visits for the first time.
If you want more information about how HSTS works I'd suggest reading the RFC 6797 https://tools.ietf.org/html/rfc6797
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/FluxionNetwork/fluxion/issues/697#issuecomment-468621074, or mute the thread https://github.com/notifications/unsubscribe-auth/At48IMvgJaT_kWkO8kwfxA0MEYlISnnmks5vSQJxgaJpZM4bYgGM .
Sslstrip 2 and dns2proxy usage
On Fri, 1 Mar 2019, 4:19 pm Jeegar jani, jeegarjani@gmail.com wrote:
Sophorn the developer of wifiphisher had mentioned in one of his comments there are various tricks like using evilginx along with wifiphisher to bypass HSTS similarly if we integrate same automation within the tool it can work..is what I think..
There is wifi pumpkin tool also which bypasses HSTS sites.
On Fri, 1 Mar 2019, 4:15 pm Jeegar jani, jeegarjani@gmail.com wrote:
Then for request sending in Fake dns instead of connection request to Google.com or WhatsApp or other such which use HSTS we can manipulate the script to request connection for tempmail.com and other such sites which doesn't use HSTS so the question of warning message doesn't arrive.
On Fri, 1 Mar 2019, 4:05 pm rad4day, notifications@github.com wrote:
You can't bypass HSTS this way. The browser already knows that the site should be served via HTTPS only at the point it shows this warning. This would only help with sites not using hsts and sites the user visits for the first time.
If you want more information about how HSTS works I'd suggest reading the RFC 6797 https://tools.ietf.org/html/rfc6797
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/FluxionNetwork/fluxion/issues/697#issuecomment-468621074, or mute the thread https://github.com/notifications/unsubscribe-auth/At48IMvgJaT_kWkO8kwfxA0MEYlISnnmks5vSQJxgaJpZM4bYgGM .
Can u automate ssl2strip, dns2proxy or evilginx in the update so it can bypass HSTS warning while trying connection request in fake dns. I am not a coder but understand where the problem lies...See if u can work out...