Home > CAPEC List > CAPEC-94: Man in the Middle Attack (Version 3.2)  

CAPEC-94: Man in the Middle Attack

Attack Pattern ID: 94
Abstraction: Meta
Status: Draft
Presentation Filter:
+ Description
This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never observed. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components. MITM attacks differ from sniffing attacks since they often modify the communications prior to delivering it to the intended recipient. These attacks also differ from interception attacks since they may forward the sender's original unmodified data, after copying it, instead of keeping it for themselves.
+ Likelihood Of Attack

High

+ Typical Severity

Very High

+ Relationships

The table below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

NatureTypeIDName
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.219XML Routing Detour Attacks
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.384Application API Message Manipulation via Man-in-the-Middle
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.386Application API Navigation Remapping
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.466Leveraging Active Man in the Middle Attacks to Bypass Same Origin Policy
CanFollowStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.185Malicious Software Download

The table below shows the views that this attack pattern belongs to and top level categories within that view.

+ Execution Flow
Experiment
  1. The attacker probes to determine the nature and mechanism of communication between two components looking for opportunities to exploit.
  2. The attacker inserts himself into the communication channel initially acting as a routing proxy between the two targeted components. The attacker may or may not have to use cryptography.
Exploit
  1. The attacker observes, filters or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for his own purposes.
+ Prerequisites
There are two components communicating with each other.
An attacker is able to identify the nature and mechanism of communication between the two target components.
An attacker can eavesdrop on the communication between the target components.
Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.
The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption.
+ Skills Required
[Level: Medium]
This attack can get sophisticated since the attack may use cryptography.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Integrity
Modify Data
Confidentiality
Access Control
Authorization
Gain Privileges
Confidentiality
Read Data
+ Mitigations
Get your Public Key signed by a Certificate Authority
Encrypt your communication using cryptography (SSL,...)
Use Strong mutual authentication to always fully authenticate both ends of any communications channel.
Exchange public keys using a secure channel
+ Example Instances

Leveraging security vulnerabilities and inherent functionality within web browsers, an adversary may be able to execute a "Man in the Browser" (MITB) attack. The initial compromise of this attack is generally a Trojan delivered to a victim's system via phishing attacks, drive-by malware installations, or malicious browser extensions. Once the Trojan is on the victim system, the adversary can observe and intercept traffic such as cookies, HTTP sessions, and SSL client certificate, which may allow for browser pivoting into an authenticated session. MITB attacks also circumvent common security mechanisms such as two and three factor authentication, as well as SSL/PKI.

For example, after installing a Trojan, an adversary positions himself between the victim and their banking institution. The victim begins by initiating a funds transfer from their personal savings to their personal checking account. Using injected JavaScript, the adversary captures this request and modifies it to transfer an increased amount of funds to an account that he controls, before sending it to the bank. The bank processes the transfer and sends the confirmation notice back to the victim, which is instead intercepted by the adversary. The adversary modifies the confirmation to reflect the original transaction details and sends this modified message back to the victim. Upon receiving the confirmation, the victim assumes the transfer was successful and is unaware that their money has just been transferred to the adversary.

+ Taxonomy Mappings
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1090Connection Proxy
1185Man in the Browser
+ References
[REF-553] M. Bishop. "Computer Security: Art and Science". Addison-Wesley. 2003.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-08-04CAPEC Content TeamThe MITRE Corporation
Updated Examples-Instances, Related_Vulnerabilities
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated References
2019-04-04CAPEC Content TeamThe MITRE Corporation
Updated Example_Instances, Related_Attack_Patterns, Taxonomy_Mappings
2019-09-30CAPEC Content TeamThe MITRE Corporation
Updated @Abstraction, Description, Related_Attack_Patterns
More information is available — Please select a different filter.
Page Last Updated or Reviewed: September 30, 2019