A man-in-the-middle attack (MITM attack) is a general cybersecurity term used to describe all cyberattacks that allow cybercriminals to eavesdrop on private communication between two or more endpoints and potentially modify the content of this communication.
Note: Man-in-the-middle attacks are not specific to web application security and are considered to be a network security issue. However, they strongly influence the security of web servers and web apps. There are also types of MITM attacks that are specific to the web only.
MITM attacks can generally be subdivided into two categories:
In a passive MITM attack, the attacker does not modify the existing communication channel in any way. They are simply able to gain access to communication from the outside. This is possible, for example, with communication protocols where the sender does not establish a dedicated connection with the recipient but rather broadcasts the message and expects the recipient to recognize that the broadcast is directed to them.
In an active MITM attack, the attacker intercepts communications and assumes the identity of both the recipient and the sender. They trick the sender into believing that they are the correct recipient, and the recipient into believing they are the original sender. In this type of attack, the attacker receives all communication destined for the recipient and relays it to the original recipient, potentially modifying the data along the way.
Since the term MITM attack can be used to describe any attack with a third party involved in communication, there could potentially be tens or even hundreds of different specific cases of such attacks. However, there are several techniques that black-hat hackers most commonly use for such attacks. Each of the following techniques is described in detail in a separate section of Invicti Learn:
There are several situations that carry an elevated risk of MITM attacks. Here are some typical scenarios:
A successful MITM attack is the holy grail for a cybercriminal. If a malicious actor is able to take an active part in communications, they are not only able to access all sensitive data transmitted between the affected parties but, more importantly, able to send fake data to both parties, too. For example, if an attacker is able to eavesdrop on and modify communication that involves sending files, they are able to send ransomware or other malware such as trojans to the affected parties to escalate their attack further.
There are many other reasons why cybercriminals may want to use MITM attacks, such as identity theft, session hijacking, or even exerting political influence or gaining a competitive advantage in e-commerce situations. The scope of potential damage depends on the type of communication that is intercepted.
Man-in-the-middle attacks were known a long time before the advent of computers.
In the world of computing, some of the most famous cases linked to MITM attacks were the following:
Since man-in-the-middle attacks work in different ways, specific detection depends on the attack type. However, detecting a MITM attack in real time often means that the damage has already been done, and the only thing the victim can do is minimize the consequences and prevent escalation. To avoid reaching that point, you should focus on detecting the vulnerabilities that enable MITM attacks before they are exploited.
Prevention of MITM attacks is specific to the type of attack due to the variety of possible network layers, protocols, and techniques. However, you can follow three general rules to greatly reduce the risk of you or your company falling prey to a MITM attack:
There are many attacks that are considered MITM, but the most common ones are: ARP spoofing, IP address spoofing, DNS cache poisoning, HTTP spoofing, SSL hijacking, and SSL stripping.
Ways of preventing MITM attacks depend on the specific attack type. However, general recommendations are: do not trust public networks (use a VPN), enforce HSTS for your domains, and follow general cybersecurity hygiene rules.
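As an added example that is not part of the Invicti article, the following Python code checks a site's Strict-Transport-Security header for settings that weaken the protection HSTS gives against SSL stripping; the header values are constructed samples, and the one-year minimum for max-age is an assumed threshold, not a rule stated on this page.

```python
"""Assess an HSTS (Strict-Transport-Security) header value for weaknesses.

Added example; the sample headers below are constructed, and ONE_YEAR is an
assumed minimum max-age, not a value taken from the article."""
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31_536_000  # seconds; assumed minimum max-age for a useful policy


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)  # weaknesses found


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse the ';'-separated directives (RFC 6797 names are case-insensitive)."""
    policy = HstsPolicy()
    if header is None:
        policy.findings.append("no Strict-Transport-Security header")
        return policy
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():
                policy.max_age = int(value)
            else:
                policy.findings.append(f"max-age is not a number: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def assess_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse the header and record settings that leave room for SSL stripping."""
    policy = parse_hsts(header)
    if header is None:
        return policy
    if policy.max_age is None:
        policy.findings.append("max-age missing; browsers ignore the header")
    elif policy.max_age == 0:
        policy.findings.append("max-age=0 removes the stored policy")
    elif policy.max_age < ONE_YEAR:
        policy.findings.append(f"max-age {policy.max_age} is shorter than one year")
    if not policy.include_subdomains:
        policy.findings.append("includeSubDomains missing; subdomains stay unprotected")
    return policy


# Constructed sample header values, from absent to well configured.
SAMPLE_HEADERS = {"missing": None, "weak": "max-age=300",
                  "strong": "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(label, assess_hsts(value).findings or ["ok"])
```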