Home > CAPEC List > CAPEC-94: Man in the Middle Attack (Version 3.1)  

CAPEC-94: Man in the Middle Attack

Attack Pattern ID: 94
Abstraction: Standard
Status: Draft
Presentation Filter:
+ Description
This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.
+ Likelihood Of Attack

High

+ Typical Severity

Very High

+ Relationships

The table(s) below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.22Exploiting Trust in Client
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.57Utilizing REST's Trust in the System Resource to Register Man in the Middle
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.219XML Routing Detour Attacks
ParentOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.384Application API Message Manipulation via Man-in-the-Middle
ParentOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.466Leveraging Active Man in the Middle Attacks to Bypass Same Origin Policy
CanFollowStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.185Malicious Software Download
+ Execution Flow
Experiment
  1. The attacker probes to determine the nature and mechanism of communication between two components looking for opportunities to exploit.

  2. The attacker inserts himself into the communication channel initially acting as a routing proxy between the two targeted components. The attacker may or may not have to use cryptography.

Exploit
  1. The attacker observes, filters or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for his own purposes.

+ Prerequisites
There are two components communicating with each other.
An attacker is able to identify the nature and mechanism of communication between the two target components.
An attacker can eavesdrop on the communication between the target components.
Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.
The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption.
+ Skills Required
[Level: Medium]
This attack can get sophisticated since the attack may use cryptography.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Integrity
Modify Data
Confidentiality
Access Control
Authorization
Gain Privileges
Confidentiality
Read Data
+ Mitigations
Get your Public Key signed by a Certificate Authority
Encrypt your communication using cryptography (SSL,...)
Use Strong mutual authentication to always fully authenticate both ends of any communications channel.
Exchange public keys using a secure channel
+ Example Instances

Leveraging security vulnerabilities and inherent functionality within web browsers, an adversary may be able to execute a "Man in the Browser" (MITB) attack. The initial compromise of this attack is generally a Trojan delivered to a victim's system via phishing attacks, drive-by malware installations, or malicious browser extensions. Once the Trojan is on the victim system, the adversary can observe and intercept traffic such as cookies, HTTP sessions, and SSL client certificate, which may allow for browser pivoting into an authenticated session. MITB attacks also circumvent common security mechanisms such as two and three factor authentication, as well as SSL/PKI.

For example, after installing a Trojan, an adversary positions himself between the victim and their banking institution. The victim begins by initiating a funds transfer from their personal savings to their personal checking account. Using injected JavaScript, the adversary captures this request and modifies it to transfer an increased amount of funds to an account that he controls, before sending it to the bank. The bank processes the transfer and sends the confirmation notice back to the victim, which is instead intercepted by the adversary. The adversary modifies the confirmation to reflect the original transaction details and sends this modified message back to the victim. Upon receiving the confirmation, the victim assumes the transfer was successful and is unaware that their money has just been transferred to the adversary.

+ Taxonomy Mappings
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1090Connection Proxy
1185Man in the Browser
+ References
[REF-553] M. Bishop. "Computer Security: Art and Science". Addison-Wesley. 2003.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Examples-Instances, Related_Vulnerabilities
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated References
2019-04-04CAPEC Content TeamThe MITRE Corporation
Updated Example_Instances, Related_Attack_Patterns, Taxonomy_Mappings
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018