Bypassing HSTS restriction to enable usage of Burpsuite on Firefox

Often pentesters come across websites that are protected by HSTS where using burpsuite as a proxy causes the application to not load on the browser at all throwing an error as below.

 

One of the given solutions is to import the burp proxy certificate to the browser and install it as a root certificate authority and do the same , it doesn’t really work most of the time.

There is another way to bypass HSTS on Firefox so that we can intercept on burp.

Follow the below steps:-

  1. Go to the Firefox configuration page (about:config)
  2. Right-click, choose “New Integer”
  3. Provide the name “test.currentTimeOffsetSeconds” (no quotes) with a value of 11491200.
  4. Clear the Cache and Active Logins in the Clear Recent History dialog (Ctrl-Shift-Del).
  5. Restart the Browser
  6. (Optional) Restart Burp if need be.

This apparently works because of a function called GetPreloadListEntry that checks to see if the current time is less than the next list expiration time; since the time is effectively calculated to be later than the expiration time, no check is performed. This effectively disables HSTS checks.

This is not something new , this is a preferred way to test HSTS supported website for interception using burp.