Dettaglio CAPEC-466

CAPEC-466

Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy
Medio
Draft
2014-06-23
00h00 +00:00
2022-02-22
00h00 +00:00
CAPEC Mitre.org
Avviso per un CAPEC specifico
Rimani informato su qualsiasi modifica relativa a un CAPEC specifico.
Gestione notifiche

Descrizioni CAPEC

An attacker leverages an adversary in the middle attack (CAPEC-94) in order to bypass the same origin policy protection in the victim's browser. This active adversary in the middle attack could be launched, for instance, when the victim is connected to a public WIFI hot spot. An attacker is able to intercept requests and responses between the victim's browser and some non-sensitive website that does not use TLS.

Informazioni CAPEC

Prerequisiti

The victim and the attacker are both in an environment where an active adversary in the middle attack is possible (e.g., public WIFI hot spot)The victim visits at least one website that does not use TLS / SSL

Competenze richieste

Ability to intercept and modify requests / responses
Ability to create iFrame and JavaScript code that would initiate unauthorized requests to sensitive sites from the victim's browser
Solid understanding of the HTTP protocol

Mitigazioni

Design: Tunnel communications through a secure proxy
Design: Trust level separation for privileged / non privileged interactions (e.g., two different browsers, two different users, two different operating systems, two different virtual machines)

Vulnerabilità correlate

CWE-ID Nome della vulnerabilità

CWE-300

 Channel Accessible by Non-Endpoint
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Riferimenti

REF-403

Active Man in the Middle Attacks
Roi Saltzman, Adi Sharabani.
http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html

Invio

Nome Organizzazione Data Data di rilascio
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifiche

Nome Organizzazione Data Commento
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated @Abstraction
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Description
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Consequences, Description, Mitigations
CAPEC Content Team The MITRE Corporation 2021-06-24 +00:00 Updated @Name, Description, Prerequisites
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Extended_Description
Le informazioni presentate su CVE Find provengono da diverse fonti di riferimento attentamente selezionate. I dati CVE sono forniti da MITRE Corporation e dal National Vulnerability Database (NVD). Il catalogo delle vulnerabilità sfruttate conosciute (KEV) proviene dalla Cybersecurity and Infrastructure Security Agency (CISA), mentre i punteggi EPSS provengono da FIRST.org. Inoltre, i dati relativi alle vulnerabilità software (CWE) e ai pattern di attacco comuni (CAPEC) sono mantenuti da MITRE Corporation, e le informazioni sulle configurazioni hardware e software (CPE) sono fornite da NVD.