CAPEC-94 Detail

Adversary in the Middle (AiTM)

Abstraction: Meta
Domains: Communications, Software
Likelihood of Attack: High
Typical Severity: Very High

Children: CAPEC-219, CAPEC-384, CAPEC-386, CAPEC-466, CAPEC-662, CAPEC-701

Threats: T59 T60 T62 T98 T99 T100 T102 T103 T104 T272 T296

Tools: 12 13 14 16

Description

An adversary targets the communication between two components (typically client and server) in order to alter or obtain data from transactions. The general approach is for the adversary to place themselves within the communication channel between the two components.

Extended Description

Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first flows through the adversary, who has the opportunity to observe or alter it before passing it on to the intended recipient as if it had never been observed. This interposition is transparent, leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for these attacks yields an implicit lack of trust in the communication, or in the identity of the peer, between two components. These attacks differ from Sniffing Attacks (CAPEC-157) in that they often modify the communications prior to delivering them to the intended recipient.

External References
  CAPEC-94 (capec): https://capec.mitre.org/data/definitions/94.html
  CWE-300 (cwe): http://cwe.mitre.org/data/definitions/300.html
  CWE-290 (cwe): http://cwe.mitre.org/data/definitions/290.html
  CWE-593 (cwe): http://cwe.mitre.org/data/definitions/593.html
  CWE-287 (cwe): http://cwe.mitre.org/data/definitions/287.html
  CWE-294 (cwe): http://cwe.mitre.org/data/definitions/294.html
  T1557 (ATT&CK): Adversary-in-the-Middle, https://attack.mitre.org/wiki/Technique/T1557
  OWASP Attacks: Man-in-the-middle attack, https://owasp.org/www-community/attacks/Man-in-the-middle_attack
  REF-553 (reference from CAPEC): M. Bishop, Computer Security: Art and Science, Addison-Wesley, 2003
  REF-633 (reference from CAPEC): Man-in-the-middle attack, Open Web Application Security Project (OWASP), https://owasp.org/www-community/attacks/Man-in-the-middle_attack
  REF-634 (reference from CAPEC): Kyle Chivers, What is a man-in-the-middle attack?, NortonLifeLock Inc., 2020-03-26, https://us.norton.com/internetsecurity-wifi-what-is-a-man-in-the-middle-attack.html
  REF-635 (reference from CAPEC): Man in the middle (MITM) attack, Imperva, https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/
  REF-636 (reference from CAPEC): Jerry Decime, Settling the score: taking down the Equifax mobile application, 2017-09-13, https://www.linkedin.com/pulse/settling-score-taking-down-equifax-mobile-application-jerry-decime/
Execution Flow

Explore
  1. Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.
     Techniques:
       Perform a sniffing attack and observe communication to determine a communication protocol.
       Look for application documentation that might describe a communication mechanism used by a target.

Experiment
  1. Position In Between Targets: The adversary inserts themselves into the communication channel, initially acting as a routing proxy between the two targeted components.
     Techniques:
       Install spyware on a client that will intercept outgoing packets and route them to their destination, as well as route incoming packets back to the client.
       Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.

Exploit
  1. Use Intercepted Data Maliciously: The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
     Techniques:
       Prevent some messages from reaching their destination, causing a denial of service.

Prerequisites
  1. There are two components communicating with each other.
  2. An attacker is able to identify the nature and mechanism of communication between the two target components.
  3. An attacker can eavesdrop on the communication between the target components.
  4. Strong mutual authentication is not used between the two target components, yielding an opportunity for attacker interposition.
  5. The communication occurs in the clear (not encrypted) or with insufficient and spoofable encryption.


Skills Required: Medium
This attack can get sophisticated since the attack may use cryptography.
Consequences
  Integrity: Modify Data
  Authorization: Gain Privileges
  Access Control: Gain Privileges
  Confidentiality: Gain Privileges, Read Data

Example Instances
  1. In 2017, security researcher Jerry Decime discovered that Equifax mobile applications were not using HTTPS in all areas. Although authentication properly used HTTPS and validated the root of trust of the server certificate, other areas of the application communicated over HTTP. Adversaries could then conduct MITM attacks on rogue WiFi or cellular networks and hijack the UX. This further allowed the adversaries to prompt users for sensitive data, which could then be obtained from the plaintext response. [REF-636]
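As an added example (not part of the CAPEC entry or of the site hosting it), the following Python audit checks a client's outbound endpoints for prerequisites 4 and 5 above and for the mixed HTTP/HTTPS situation in the Equifax example: cleartext transport, encryption that does not verify the server's identity, legacy SSL/TLS versions, and absence of mutual authentication. The Endpoint model, the endpoint names and the example.invalid URLs are constructed for illustration and do not correspond to any real application.

```python
import ssl
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

CLEARTEXT_SCHEMES = {"http", "ws", "ftp"}
ENCRYPTED_SCHEMES = {"https", "wss"}

@dataclass
class Endpoint:
    """One outbound connection an app makes (constructed model, not any real framework's API)."""
    name: str
    url: str
    ssl_ctx: Optional[ssl.SSLContext] = None  # client TLS settings; None means library defaults
    client_cert: Optional[str] = None         # client certificate path when mutual TLS is configured

def verified_context() -> ssl.SSLContext:
    """Client TLS settings that close prerequisite 5: CA-verified peer, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def unverified_context() -> ssl.SSLContext:
    """The weak setting: encryption without identity, which an interposer satisfies with any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_endpoint(ep: Endpoint) -> List[str]:
    """Return the AiTM prerequisites (cleartext, spoofable encryption, no mutual auth) this endpoint meets."""
    scheme = urlparse(ep.url).scheme.lower()
    if scheme in CLEARTEXT_SCHEMES:
        return ["cleartext transport: traffic can be read and altered in transit"]
    if scheme not in ENCRYPTED_SCHEMES:
        return [f"unrecognised scheme '{scheme}': transport security cannot be assessed"]
    findings: List[str] = []
    ctx = ep.ssl_ctx or ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified: encryption is spoofable")
    if not ctx.check_hostname:
        findings.append("hostname not checked: any CA-issued certificate is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS versions allowed")
    if ep.client_cert is None:  # prerequisite 4: server cannot tell the real client from an interposer
        findings.append("no mutual authentication: only the server is authenticated")
    return findings
```

Run audit_endpoint over every Endpoint the application constructs; an empty list means none of the listed prerequisites hold for that connection.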