I'm researching SSL Strip. I know that the attacker must be a MITM so that he can intercept all requests from the victim and send them to the server. But one thing I don't understand is that when the attacker receives the response from the server (https), the attacker modifies the response from the server from https to http and sends it to the victim.
What actually occurs in "modifies the response from the server from https to http"? Did the attacker create a site that is similar to the original site, but with http instead of https?
SSLStrip is about intercepting the initial HTTP -> HTTPS redirect.
When a user types a URL in the browser, like "stackoverflow.com", the browser loads it with HTTP by default. The site then sees that you are loading it over plaintext HTTP, so it then redirects to HTTPS.
That initial redirect is interceptable by an active MITM attacker. They could change that initial HTTP to HTTPS redirect to redirect to a lookalike URL that they own, for example.
The attack can be mitigated by Strict-Transport-Security. STS teaches the browser, "from now on, always access this domain (and maybe subdomains)" as HTTPS. The browser then automatically loads it via HTTPS and skips the HTTP request entirely.
STS is a trust-on-first-use feature. The very first time the site is accessed, that initial HTTP to HTTPS redirect still occurs because the browser doesn't know the site should always be accessed by HTTPS. This final issue is mitigated with HSTS preloading, where the domain is essentially hard-coded into the browser's source code as "load by HTTPS first".
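The trust-on-first-use behaviour described in the answer above, as an added example that is not part of the original post: a simplified Python model of how a browser decides the scheme of the first request from its learned and preloaded HSTS state. The `HstsStore` class, its method names and the `.example` hosts are hypothetical, and the model assumes preloaded entries cover subdomains.

```python
def parse_sts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isascii() and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


class HstsStore:
    """Simplified model of a browser's HSTS state (hypothetical, not browser code)."""

    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)  # hosts shipped inside the browser
        self.learned = {}                # host -> (expiry, include_subdomains)

    def note_header(self, host, value, now):
        """Record a header seen on an HTTPS response from `host` at time `now`."""
        policy = parse_sts(value)
        if policy["max_age"] is None:
            return                                # no valid max-age: ignored
        if policy["max_age"] == 0:
            self.learned.pop(host.lower(), None)  # max-age=0 means "forget me"
        else:
            self.learned[host.lower()] = (now + policy["max_age"],
                                          policy["include_subdomains"])

    def first_request_scheme(self, host, now):
        """Scheme used when the user types a bare hostname."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:  # assumption: preload covers subdomains
                return "https"
            expiry, subdomains = self.learned.get(candidate, (0, False))
            if expiry > now and (i == 0 or subdomains):
                return "https"
        return "http"  # plaintext request: the redirect is interceptable
```

A host that is neither preloaded nor already learned returns `http`, which is the window the answer describes; an expired `max-age` reopens it.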