Starting Chrome with Certificate Checking Disabled

Just a quick little tidbit I ran into during a recent penetration test. I was looking an a web application that wouldn’t render correctly in Firefox (my standard browser for testing). I switched over to Chrome only to realize that the site was using HSTS. In the interest of thoroughness here is the HSTS definition from Wikipedia:

 HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections,[1] and never via the insecure HTTP protocol.

In practice this means that modern browsers will not allow you to load a site if something isn’t copacetic with the SSL/TLS cert. You probably should have the burp certificate installed already but if you don’t and you need a quick workaround you can start chrome with checking disabled using the –ignore-certificate-errors flag.

"/Applications/Google Chrome" --ignore-certificate-errors &> /dev/null

169 Words

2017-06-06 17:04 -0700