Threat Event
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.
|
|
| ID | CAPEC-94 |
| Latest Sync Date | 11/05/25 15:15:38 |
| Original ID | 94 |
| Abstraction | Meta |
| Status | Stable |
| Alternate Terms | ::TERM:Man-in-the-Middle / MITM:DESCRIPTION:::TERM:Person-in-the-Middle / PiTM:DESCRIPTION:::TERM:Monkey-in-the-Middle:DESCRIPTION:::TERM:Monster-in-the-Middle:DESCRIPTION:::TERM:On-path Attacker:DESCRIPTION::: |
| Likelihood Of Attack | High |
| Typical Severity | Very High |
| Related Attack Patterns | ::NATURE:CanPrecede:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:668:: |
| Execution Flow | ::STEP:1:PHASE:Explore:DESCRIPTION:[Determine Communication Mechanism] The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.:TECHNIQUE:Perform a sniffing attack and observe communication to determine a communication protocol.:TECHNIQUE:Look for application documentation that might describe a communication mechanism used by a target.::STEP:2:PHASE:Experiment:DESCRIPTION:[Position In Between Targets] The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.:TECHNIQUE:Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.:TECHNIQUE:Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.::STEP:3:PHASE:Exploit:DESCRIPTION:[Use Intercepted Data Maliciously] The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.:TECHNIQUE:Prevent some messages from reaching their destination, causing a denial of service.:: |
| Prerequisites | ::There are two components communicating with each other.::An attacker is able to identify the nature and mechanism of communication between the two target components.::An attacker can eavesdrop on the communication between the target components.::Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.::The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption.:: |
| Skills Required | ::SKILL:This attack can get sophisticated since the attack may use cryptography.:LEVEL:Medium:: |
| Resources Required | |
| Indicators | |
| Consequences | ::SCOPE:Integrity:TECHNICAL IMPACT:Modify Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:Authorization:TECHNICAL IMPACT:Gain Privileges::SCOPE:Confidentiality:TECHNICAL IMPACT:Read Data:: |
| Mitigations | ::Ensure Public Keys are signed by a Certificate Authority::Encrypt communications using cryptography (e.g., SSL/TLS)::Use Strong mutual authentication to always fully authenticate both ends of any communications channel.::Exchange public keys using a secure channel:: |
| Example Instances | ::In 2017, security researcher Jerry Decime discovered that Equifax mobile applications were not leveraging HTTPS in all areas. Although authentication was properly utilizing HTTPS, in addition to validating the root of trust of the server certificate, other areas of the application were using HTTP to communicate. Adversaries could then conduct MITM attacks on rogue WiFi or cellular networks and hijack the UX. This further allowed the adversaries to prompt users for sensitive data, which could then be obtained in the plaintext response. [REF-636]:: |
| Related Weaknesses | ::300::290::593::287::294:: |
| Taxonomy Mappings | TAXONOMY NAME:ATTACK:ENTRY ID:1557:ENTRY NAME:Adversary-in-the-Middle::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Man-in-the-middle attack:: |
| Notes | |