CAPEC Details
Name Man in the Middle Attack
Likelyhood of attack Typical severity
High Very High
Summary This type of attack targets the communication between two components (typically client and server). The attacker places themself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never observed. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components. MITM attacks differ from sniffing attacks since they often modify the communications prior to delivering it to the intended recipient. These attacks also differ from interception attacks since they may forward the sender's original unmodified data, after copying it, instead of keeping it for themselves.
Prerequisites There are two components communicating with each other. An attacker is able to identify the nature and mechanism of communication between the two target components. An attacker can eavesdrop on the communication between the target components. Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition. The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption.
Execution Flow
Step Phase Description Techniques
1 Experiment The attacker probes to determine the nature and mechanism of communication between two components looking for opportunities to exploit.
2 Experiment The attacker inserts themself into the communication channel initially acting as a routing proxy between the two targeted components. The attacker may or may not have to use cryptography.
3 Exploit The attacker observes, filters or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
Solutions Get your Public Key signed by a Certificate Authority Encrypt your communication using cryptography (SSL,...) Use Strong mutual authentication to always fully authenticate both ends of any communications channel. Exchange public keys using a secure channel
Related Weaknesses
CWE ID Description
CWE-287 Improper Authentication
CWE-290 Authentication Bypass by Spoofing
CWE-294 Authentication Bypass by Capture-replay
CWE-300 Channel Accessible by Non-Endpoint
CWE-593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
CWE-724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Taxonomy: ATTACK
Entry ID Entry Name
1185 Man in the Browser
Taxonomy: OWASP Attacks
Entry ID Entry Name
Link Man-in-the-browser attack