Bypassing HSTS in Firefox

The usual suggestion is to export Burp's CA certificate and import it into Firefox as a trusted root certificate authority. Firefox keeps its own certificate store, and HSTS forbids clicking through a certificate warning, so the import has to be done correctly for interception to work; in practice it often still fails.

There is another way to bypass HSTS on Firefox so that we can intercept on burp.

Follow the steps below:

  • Open the Firefox configuration page (about:config).
  • Right-click in the preference list and choose "New" > "Integer".
  • Name the preference test.currentTimeOffsetSeconds (no quotes) and give it the value 11491200 (exactly 133 days in seconds).
  • Clear the Cache and Active Logins in the Clear Recent History dialog (Ctrl-Shift-Del). HSTS entries learned dynamically from Strict-Transport-Security headers are stored with the site data rather than in the preload list, so clear Site Preferences as well if a host still refuses to connect.
  • Restart the browser.
  • (Optional) Restart Burp if needed.
  • Why this works: the HSTS preload list built into Firefox carries an expiration time, and the function GetPreloadListEntry only consults the list while the current time is earlier than that expiration. The preference adds 11491200 seconds to the clock that check uses, so "now" is calculated to be later than the expiration time, the list is treated as expired and never consulted, and preloaded hosts are no longer forced to HTTPS. Note that this only disables the built-in preload list, and that it relies on Firefox internals which may change in newer releases.
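The same steps as a script, added here as an example and not code from the original post: it writes a throw-away Firefox profile whose user.js sets the time-offset preference and points the browser at Burp. The profile path, the Burp listener address and the standard Firefox proxy preferences are assumptions that the post does not mention; the offset 11491200 is the value the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throw-away Firefox
# profile that applies the about:config steps above from user.js and points
# the browser at Burp. Assumptions: the profile path, the Burp listener
# address, and the standard Firefox proxy prefs (the post mentions none of
# these). The offset 11491200 is the value used in the post.
set -eu

PROFILE_DIR="${PROFILE_DIR:-${HOME:-/tmp}/.mozilla/firefox/burp-hsts-test}"  # assumed path
BURP_HOST="${BURP_HOST:-127.0.0.1}"   # assumed Burp proxy listener
BURP_PORT="${BURP_PORT:-8080}"
TIME_OFFSET="${TIME_OFFSET:-11491200}"  # 133 days, as in the post

# Render the user.js body. Firefox re-applies every user_pref() line in
# user.js at start-up, so the offset survives a restart and a reset of prefs.js.
render_user_js() {
  cat <<EOF
// Generated by the helper script; edit the variables, not this file.
user_pref("test.currentTimeOffsetSeconds", $TIME_OFFSET);
// Route HTTP and HTTPS through Burp; keep the exceptions list empty so
// localhost targets are intercepted too.
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "$BURP_HOST");
user_pref("network.proxy.http_port", $BURP_PORT);
user_pref("network.proxy.ssl", "$BURP_HOST");
user_pref("network.proxy.ssl_port", $BURP_PORT);
user_pref("network.proxy.no_proxies_on", "");
// Firefox's own switch for the same preload-list lookup; uncomment it if the
// time-offset trick no longer works on your build.
// user_pref("network.stricttransportsecurity.preloadlist", false);
EOF
}

# Create the profile directory, write user.js and drop any dynamic HSTS state.
write_profile() {
  mkdir -p "$PROFILE_DIR"
  render_user_js > "$PROFILE_DIR/user.js"
  # HSTS entries learned from Strict-Transport-Security headers are kept by
  # the site security service in SiteSecurityServiceState.txt (check your
  # profile if the name differs) and are not affected by the offset; removing
  # the file is the scripted counterpart of clearing history before restart.
  rm -f "$PROFILE_DIR/SiteSecurityServiceState.txt"
}

# Confirm the offset pref landed in the given profile with the expected value.
verify_offset() {
  grep -q "^user_pref(\"test.currentTimeOffsetSeconds\", $TIME_OFFSET);\$" "$1/user.js"
}

# Usage: write_profile && verify_offset "$PROFILE_DIR" && firefox --profile "$PROFILE_DIR"
```

After `write_profile`, start the browser with `firefox --profile "$PROFILE_DIR"`. The offset does not make Burp's certificate trusted; it only stops the preload list from enforcing HTTPS, so the certificate warning becomes overridable again. Import Burp's CA into this profile's certificate store if you want no warning at all.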

This is not new; it is a well-known and, for many testers, preferred way to intercept traffic to HSTS-enabled websites with Burp.

Information Security Consultant / Trainer

My research interests include distributed Web/Mobile/API pentesting.