Prerequisites
The victim and the attacker are both in an environment where an active adversary in the middle attack is possible (e.g., public WIFI hot spot)The victim visits at least one website that does not use TLS / SSL
Skills Required
Ability to intercept and modify requests / responses
Ability to create iFrame and JavaScript code that would initiate unauthorized requests to sensitive sites from the victim's browser
Solid understanding of the HTTP protocol
Mitigations
Design: Tunnel communications through a secure proxy
Design: Trust level separation for privileged / non privileged interactions (e.g., two different browsers, two different users, two different operating systems, two different virtual machines)
Related Weaknesses
CWE-ID |
Weakness Name |
CWE-300 |
Channel Accessible by Non-Endpoint The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint. |
References
REF-403
Active Man in the Middle Attacks
Roi Saltzman, Adi Sharabani.
http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html
Submission
Name |
Organization |
Date |
Date Release |
CAPEC Content Team |
The MITRE Corporation |
2014-06-23 +00:00 |
Modifications
Name |
Organization |
Date |
Comment |
CAPEC Content Team |
The MITRE Corporation |
2019-09-30 +00:00 |
Updated @Abstraction |
CAPEC Content Team |
The MITRE Corporation |
2020-07-30 +00:00 |
Updated Description |
CAPEC Content Team |
The MITRE Corporation |
2020-12-17 +00:00 |
Updated Consequences, Description, Mitigations |
CAPEC Content Team |
The MITRE Corporation |
2021-06-24 +00:00 |
Updated @Name, Description, Prerequisites |
CAPEC Content Team |
The MITRE Corporation |
2022-02-22 +00:00 |
Updated Description, Extended_Description |