Performing SSL Stripping Attack

When to Use

• Testing whether web applications properly enforce HTTPS through HSTS headers and redirect chains
• Validating that HSTS preloading is correctly configured and registered in browser preload lists
• Demonstrating the risk of cleartext HTTP to stakeholders during authorized security assessments
• Assessing whether internal applications and thick clients validate TLS certificates and reject downgrades
• Training SOC teams to detect SSL stripping indicators in network traffic

Do not use against networks or applications without explicit written authorization, to intercept real user credentials, or against production systems during business hours without change management approval.

Prerequisites

• Written authorization specifying in-scope applications and approved attack techniques
• Bettercap 2.x or sslstrip2 installed on the attacker machine
• ARP spoofing or other MITM positioning established (see ARP spoofing skill)
• IP forwarding enabled on the attacker machine
• Wireshark for verifying attack success and capturing evidence
• Test accounts (not real user credentials) for demonstrating credential interception