HSTS Header on HTTP 400/500 missing?

Hello,

we are still doing some security testing on the Powershell Universal.

My colleague experienced some strange behavior. The HSTS header is set correctly, but if we provoke HTTP 400 or 500 by spoofing faked values in the HTTP requests, we get HTTP answers without the HSTS header. Is this the desired configuration, or is something just missing within the Kestrel web service?

Thanks a lot!

Product: PowerShell Universal
Version: 3.7.11

Can you double check that it’s not running against localhost? It seems like kestrel does not send the HSTS headers when communicating over localhost.

We will double check next week.

Right now, here are some details about the faked/spoofed requests:

HTTP 400

GET /dashboardhub?dashboardid=1&id=123456 HTTP/1.1
Host: xyz.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Sec-Websocket-Version: 13
Origin: https://xyz.com
Sec-Websocket-Key: 55555555555
Connection: keep-alive, Upgrade
Cookie: .AspNetCore.Antiforgery.123456; .AspNetCore.Session=123456; .AspNetCore.Cookies=123456
Sec-Fetch-Dest: websocket
Sec-Fetch-Mode: websocket
Sec-Fetch-Site: same-origin
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket

HTTP 400 Answer:

HTTP/1.1 400 Bad Request
Content-Length: 0
Connection: close
Date: Wed, 24 May 2023 10:16:20 GMT
Server: Kestrel

HTTP 500

GET /xyz/home HTTP/2
Host: xyz.com
Cookie: .AspNetCore.Antiforgery.123456; RequestVerificationToken=123456; .AspNetCore.Session=123456
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@65465412kjhkahsd.oastify.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Cache-Control: no-transform
X-Forwarded-For: spoofed.o5u02424234st324234dq1f.oastify.com
Forwarded: for=spoofed.j5u02424234st3242347xw.oastify.com;by=spoofed.j1lv5u02424234st324234h97xw.oastify.com;host=spoofed.j15u02424234st32423497xw.oastify.com
Client-Ip: spoofed.g95u02424234st3242346gu5.oastify.com
Cf-Connecting_ip: spoofed.alzm5u02424234st32423410toi.oastify.com
X-Real-Ip: spoofed.g5u02424234st3242346du2.oastify.com
X-Client-Ip: spoofed.7rz5u02424234st324234x2lr.oastify.com
Referer: http://u5u02424234st324234ptkp8e.oastify.com/ref
Contact: root@65465412kjhkahsd.oastify.com
X-Originating-Ip: spoofed.nh8zdnq4szpct2h9jvjr513rrixdv1k.oastify.com
From: root@g2424234st324234put.oastify.com
True-Client-Ip: spoofed.2424234st324234ptmi.oastify.com
X-Wap-Profile: http://98f2424234st324234p4e.oastify.com/wap.xml

HTTP 500 Answer:

HTTP/2 500 Internal Server Error
Content-Type: text/plain
Date: Fri, 26 May 2023 09:22:07 GMT
Server: Kestrel
Cache-Control: no-cache,no-store
Expires: -1
Pragma: no-cache
An invalid IP address was specified.

The Real-IP spoofed to provoke the HTTP 500: spoofed.g5u02424234st3242346du2.oastify.com
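As an added example (not code from the thread or from PowerShell Universal), the following Python script is the kind of offline check a tester can run over captured responses to confirm which status codes arrive without a Strict-Transport-Security header. The 400 and 500 responses embedded below are copied from the thread above; the 200 response is constructed for contrast. Header names are compared case-insensitively, and the script also flags a max-age below one year, since a present but short-lived HSTS header gives little protection. Keep in mind Adam's point when running any such check: the ASP.NET Core HSTS middleware skips loopback hosts (localhost, 127.0.0.1, [::1]) by default, so captures taken against localhost will show no HSTS header on any status code.

```python
# Added example: audit raw HTTP responses for the Strict-Transport-Security header.
# Not part of the thread or of PowerShell Universal; sample responses are copied
# from the thread (400/500) or constructed here (200, short max-age).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; common minimum recommended for HSTS max-age


@dataclass
class HstsCheck:
    status: int
    present: bool
    max_age: Optional[int]
    problems: List[str] = field(default_factory=list)


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Parse the status line and headers of a raw HTTP/1.x or HTTP/2-style response text.

    Only the head (up to the first blank line) is examined; the body is ignored.
    Header names are lowercased so lookups are case-insensitive.
    """
    head = raw.replace("\r\n", "\n").lstrip("\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    m = re.match(r"HTTP/\S+\s+(\d{3})", lines[0])
    if not m:
        raise ValueError(f"not a status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def check_hsts(raw: str, min_max_age: int = ONE_YEAR) -> HstsCheck:
    """Report whether the response carries HSTS and whether its max-age is acceptable."""
    status, headers = parse_response(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return HstsCheck(status, False, None,
                         [f"no Strict-Transport-Security header on HTTP {status}"])
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip().strip('"')
    max_age: Optional[int] = None
    if directives.get("max-age", "").isdigit():
        max_age = int(directives["max-age"])
    problems: List[str] = []
    if max_age is None:
        problems.append("max-age directive missing or not numeric")
    elif max_age < min_max_age:
        problems.append(f"max-age {max_age} below {min_max_age}")
    return HstsCheck(status, True, max_age, problems)


# 400 and 500 responses as posted in the thread (bodies abbreviated, headers verbatim).
RESP_400 = """HTTP/1.1 400 Bad Request
Content-Length: 0
Connection: close
Date: Wed, 24 May 2023 10:16:20 GMT
Server: Kestrel

"""

RESP_500 = """HTTP/2 500 Internal Server Error
Content-Type: text/plain
Date: Fri, 26 May 2023 09:22:07 GMT
Server: Kestrel
Cache-Control: no-cache,no-store
Expires: -1
Pragma: no-cache

An invalid IP address was specified.
"""

# Constructed "normal" response with a correctly set HSTS header, for contrast.
RESP_200 = """HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Server: Kestrel

<html></html>
"""


def audit(samples: Dict[str, str]) -> Dict[str, HstsCheck]:
    """Run check_hsts over a dict of label -> raw response text."""
    return {label: check_hsts(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, result in audit({"400": RESP_400, "500": RESP_500, "200": RESP_200}).items():
        state = "present" if result.present else "MISSING"
        print(f"{label}: HSTS {state}; max-age={result.max_age}; problems={result.problems}")
```

To use it against a live host, save each response (for example the output of `curl -i https://host/path`) to a file and pass its text to `check_hsts`; a status code that comes back `MISSING` is one where the HSTS middleware did not run for that response.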

Hello Adam,

we can confirm that the HSTS header is missing on HTTP errors like 400/500. On normal requests the HSTS header is set correctly.

Best regards,