Intercepting HSTS protected traffic using Burp suite and Firefox

The term HSTS stands for “HTTP Strict Transport Security”. It is a security HTTP response header which can be used to enhance the security of  web applications. HSTS redirects all the HTTP requests to HTTPS for the target web application. Also HSTS does not allow an attacker to intercept the traffic from the user using an invalid SSL certificate.

From a security tester’s perspective it causes a lot of issues. It will not allow the security testers to use Burp’s certificate and intercept the traffic in an ease manner. In early days the browsers used to show a warning to the users and allowed exceptions;But nowadays browsers blocks the target web sites entirely.
Refer the following screenshot:

Refer the below screenshot for Strict Transport security response header:

How to intercept HSTS enabled web application traffic effectively?

1. Trying multiple browsers

If you are using Mozilla Firefox then, try using Chrome or Opera. Older versions of some browsers does not work well with HSTS headers, and disables HSTS enforcement.
Internet Explorer version 11 and below does not enforce HSTS headers.
Firefox / Chrome / Opera supports HSTS from earlier versions.
Refer the below screenshot from caniuse.com for a list of browsers which supports HTTP Strict Transport Security (HSTS) and which doesn’t.

2. Using Burp Certificate

Second solution is to install Burp’s CA in our browser as Root CA.
If you are familiar with Burp suite, you would know already, how to do this. Else please refer this link from Portswigger website.
While you do this for Firefox, please don’t forget to check the “Trust this CA to identify websites” checkbox as shown in below screenshot:

3. Tweaking Firefox to work with HSTS

To test HSTS based web applications effectively, we can made some configuration changes in Firefox so that it’ll ignore HSTS checks at browser’s end.

 Navigate to firefox config page using about:config
 Right click and create a new Integer;
 Enter the Preference name as test.currentTimeOffsetSeconds
 Enter the integer value as 11491200 or greater
 (11491200 seconds equal to 19 weeks)
 
 Clear the cache, Browsing history and restart firefox

It would look like the below screenshot:

This config will set the preload list expiration checking time to 19 weeks / 11491200 seconds. Therefore no expiration checking happens and browsers will be able to ignore HSTS enforcement.

Believe me, it would to be messy sometimes. But, at the end it is possible to intercept traffic from HSTS enforced web applications if you follow the above mentioned steps.