CAPEC-662: Adversary in the Browser (AiTB)

Description

<p>An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints.<p>

Extended Description

This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack.

Severity :

Very High

Possibility :

High

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-94: Adversary in the Middle (AiTM) Adversary in the Middle (AiTM) CAPEC-185: Malicious Software Download Malicious Software Download CAPEC-542: Targeted Malware Targeted Malware

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The adversary must install or convince a user to install a Trojan.
There are two components communicating with each other.
An attacker is able to identify the nature and mechanism of communication between the two target components.
Strong mutual authentication is not used between the two target components yielding opportunity for adversarial interposition.
For browser pivoting, the SeDebugPrivilege and a high-integrity process must both exist to execute this attack.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Medium Tricking the victim into installing the Trojan is often the most difficult aspect of this attack. Afterwards, the remainder of this attack is fairly trivial.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Man in the Browser OWASP Attacks | Man-in-the-browser attack

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-300: Channel Accessible by Non-Endpoint

CWE-494: Download of Code Without Integrity Check

Visit http://capec.mitre.org/ for more details.