Firefox HSTS Disable

Wanted to make sure I have a copy of this: According to several forums, you can disable HSTS by introducing a new configuration variable. First, go to the Firefox configuration page (about:config), right-click, choose “New Integer”, then provide the name “test.currentTimeOffsetSeconds” (no quotes) with a value of 11491200. This should …


Burp Trusted Root Certificate

When attacking HSTS (STS) sites, you need to install Burp’s proxy cert as the root certificate in order to load the content correctly. A pain in the butt, but worth it. Notes are here: https://superconfigure.wordpress.com/2013/01/29/pen-testing-hsts-http-strict-transport-security-sites-with-burp/. Key thing is to ensure you import PortSwigger into your trusted CA store. By default for …
