Man-in-the-middle attacks (MITM)

What is a man-in-the-middle attack?

A man-in-the-middle attack (MITM attack) is a general cybersecurity term used to describe all cyberattacks that allow cybercriminals to eavesdrop on private communication between two or more endpoints and potentially modify the content of this communication.

Note: Man-in-the-middle attacks are not specific to web application security and are considered to be a network security issue. However, they strongly influence the security of web servers and web apps. There are also types of MITM attacks that are specific to the web only.

MITM attacks can be generally subdivided into two categories:

Passive man-in-the-middle attacks

In a passive MITM attack, the attacker does not modify the existing communication channel in any way. They are simply able to gain access to communication from the outside. This is possible, for example, with communication protocols where the sender does not establish a dedicated connection with the recipient but rather broadcasts the message and expects the recipient to recognize that the broadcast is directed to them.

Active man-in-the-middle attacks

In an active MITM attack, the attacker intercepts communications and assumes the identity of both the recipient and the sender. They trick the sender into believing that they are the correct recipient, and the recipient into believing they are the original sender. In this type of attack, the attacker receives all communication destined for the recipient and relays it to the original recipient, potentially modifying the data along the way.

Types of man-in-the-middle attacks

Since the term MITM attack can be used to describe any attack with a third party involved in communication, there could potentially be tens or even hundreds of different specific cases of such attacks. However, there are several techniques that black-hat hackers most commonly use for such attacks. Each of the following techniques is described in detail in a separate section of Invicti Learn:

  • ARP spoofing – the attacker spoofs the mapping of an IP address to a MAC address using the address resolution protocol (ARP) to redirect packets on a local network.
  • IP spoofing (IP address spoofing) – the attacker transmits internet protocol packets that appear to originate from a different endpoint.
  • DNS spoofing (DNS cache poisoning) – the attacker injects false information into DNS server caches, causing clients to connect to the domain of an attacker-controlled server instead of the original server.
  • HTTPS spoofing (IDN homograph attack) – the attacker uses similar-looking digits and letters in a domain name delivered via phishing to make the client connect to a fake website controlled by the attacker.
  • SSL hijacking – the attacker provides the victim’s web browser with a false certification authority (CA) and is able to generate fake SSL/TLS certificates that are recognized by the browser as legitimate.
  • SSL stripping – the attacker forces the victim to drop an encrypted connection to a secure website and attempt an unsecured HTTP connection instead.

Common MITM attack scenarios

There are several situations that carry an elevated risk of MITM attacks. Here are some typical scenarios:

  • In a standard local area network (LAN), the sender endpoint sends out packets to the entire network and expects the recipient endpoint to recognize that the packet is meant for them. This means that if communication in a LAN is not encrypted, any computer connected to the LAN can listen in on all the network traffic between all other endpoints.
  • Since public wi-fi hotspots often use simple unencrypted local networks, any device connected to such a wi-fi access point is able to intercept content sent via wi-fi connections between any other device and the Internet router. Wi-fi security protocols offer no protection in this case.
  • If a web application is accessible via an unencrypted HTTP connection and a cybercriminal is actively eavesdropping on the public wi-fi network in use, all the communication between the client and the HTTP server can be intercepted. This includes, for example, login credentials, session cookies, credit card numbers, bank account details, or any other personal data and sensitive information.

Potential consequences of a MITM attack

A successful MITM attack is the holy grail for a cybercriminal. If a malicious actor is able to take an active part in communications, they are not only able to access all sensitive data transmitted between the affected parties but, more importantly, able to send fake data to both parties, too. For example, if an attacker is able to eavesdrop on and modify communication that involves sending files, they are able to send ransomware or other malware such as trojans to the affected parties to escalate their attack further.

There are many other reasons why cybercriminals may want to use MITM attacks, such as identity theft, session hijacking, or even exerting political influences or gaining a competitive advantage in e-commerce situations. The scope of potential damage is dependent on the type of communication that is intercepted.

Examples of famous MITM attacks

Man-in-the-middle attacks were known a long time before the advent of computers.

In the world of computing, some of the most famous cases linked to MITM attacks were the following:

How to detect MITM attacks and vulnerabilities?

Since man-in-the-middle attacks work in different ways, specific detection depends on the attack type. However, detecting a MITM attack in real time often means that the damage has already been done, and the only thing the victim can do is minimize the consequences and prevent escalation. To prevent this, you should focus on detecting vulnerabilities that enable MITM attacks.

  • Network vulnerabilities – the biggest network issue that makes man-in-the-middle attacks possible is the failure to use encryption at all stages of communication. All communications, from beginning to end, should use private key/public key schemes or symmetric cryptography for both transmission and authentication to make sure that a) only the intended recipient can receive the content and b) content can only be received from the original sender. Therefore, your network scanner should be able to identify and report all plain-text connections, no matter the protocol.
  • Software vulnerabilities – using out-of-date, insecure software is another cause of MITM attacks. Networking software and operating systems have had vulnerabilities in the past that made it possible to conduct a man-in-the-middle attack. For example, BEAST, POODLE, and Heartbleed attacks make MITM possible by enabling the decryption of secured communications. These vulnerabilities are caused by using out-of-date protocols (Secure Sockets Layer or TLS 1.0) and out-of-date versions of software (for example, OpenSSL). Therefore, your network scanner and DAST scanner should be able to identify out-of-date software, modules, and elements, for example, via software composition analysis (SCA).
  • Web vulnerabilities – attacks targeting web vulnerabilities may be used as part of more complex MITM attacks. For example, a cross-site scripting (XSS) vulnerability may allow for a successful phishing attack that will then be followed up with an HTTPS spoofing attack, directing the victim to a fake website that looks and feels just like the original and communicates with the original website in the background, posing as the original user. Therefore, eliminating web vulnerabilities by first detecting them using a professional scanner such as Invicti or Acunetix by Invicti helps limit the possibility of MITM attacks.
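The first bullet above asks for a scanner that reports plain-text connections "no matter the protocol". The following is an added example, not code from Invicti Learn, of a port-agnostic check: it looks at the first bytes a client sends and decides whether they are a TLS ClientHello, a readable plain-text protocol, or a text banner of a protocol that negotiates encryption afterwards (SSH). The connection records are constructed for illustration.

```python
# Added example, not code from the Invicti page: flag connections whose first
# client bytes are a plain-text protocol rather than a TLS handshake, whatever
# the destination port. The sample records below are constructed.

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type at offset 5 of the first record
# Protocols whose first line is readable text but which negotiate encryption next.
ENCRYPTED_BANNER_PREFIXES = (b"SSH-",)

def is_tls_client_hello(data: bytes) -> bool:
    """True if the bytes look like a TLS record carrying a ClientHello:
    content type 0x16, major version byte 0x03, handshake type 0x01."""
    return (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO)

def is_printable_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or a TAB/LF/CR control character."""
    return all(0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D) for b in data)

def classify(first_bytes: bytes) -> str:
    """Return 'tls', 'encrypted-after-banner', 'plaintext' or 'unknown'."""
    if is_tls_client_hello(first_bytes):
        return "tls"
    if first_bytes.startswith(ENCRYPTED_BANNER_PREFIXES):
        return "encrypted-after-banner"
    if is_printable_text(first_bytes):
        return "plaintext"
    return "unknown"

def find_plaintext_connections(records):
    """records: iterable of (dst_port, first_bytes). Returns the plain-text ones
    as (dst_port, first_line) so a reviewer sees which protocol was in the clear."""
    findings = []
    for dst_port, first_bytes in records:
        if classify(first_bytes) == "plaintext":
            first_line = first_bytes.split(b"\r\n", 1)[0].decode("ascii")
            findings.append((dst_port, first_line))
    return findings

# Constructed sample records: (destination port, first bytes sent by the client).
SAMPLE_RECORDS = [
    (443, bytes.fromhex("160301004a010000460303") + b"\x00" * 32),    # TLS ClientHello
    (80, b"GET /login HTTP/1.1\r\nHost: shop.example\r\n\r\n"),         # HTTP in the clear
    (8443, b"POST /api/token HTTP/1.1\r\nHost: api.example\r\n\r\n"),   # plain HTTP on a "TLS" port
    (25, b"EHLO mail.example\r\n"),                                    # SMTP before any STARTTLS
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),                                  # SSH: text banner, then encrypted
]

if __name__ == "__main__":
    for port, line in find_plaintext_connections(SAMPLE_RECORDS):
        print(f"plain-text protocol on port {port}: {line}")
```

Note that the SMTP record is reported as plain text because the client's first bytes are in the clear; whether a STARTTLS upgrade follows is exactly what the page says you cannot assume.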

How to prevent MITM attacks?

Prevention of MITM attacks is specific to the type of attack due to the variety of possible network layers, protocols, and techniques. However, you can follow three general rules to greatly reduce the risk of you or your company falling prey to a MITM attack:

  1. Spread awareness and educate. Most MITM attacks are successful because the victim is not aware that such an attack is possible. For example, most Internet users think their email accounts are secure and they can safely send sensitive data unencrypted via email. However, email communication is not encrypted, not all SMTP servers use secure connections, and an email may also go through several SMTP servers before reaching the recipient. Therefore, your users must be aware that no communication channel can be considered secure unless a security specialist has confirmed that it is. For example, users should be taught never to use public wi-fi hotspots unless they also use a virtual private network (VPN). However, they must also be aware that some MITM attacks are possible even when using a VPN connection.
  2. Follow security-by-design principles. The best way to prevent MITM attacks is to design your infrastructure in a way that is resilient to them, primarily through end-to-end encryption, which is the best general defense against man-in-the-middle attacks. For example, your web applications and websites should only be accessible via HTTPS, which can be enforced by using HTTP Strict Transport Security (HSTS). You can also use cookie security flags to protect session information.
  3. Prevent potential damage. For example, if your infrastructure has weak security at the authentication level, enforce multi-factor authentication to make sure that even if credentials are leaked, they can’t be used by cybercriminals.
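Rule 2 names two concrete controls, HSTS and cookie security flags. The following is an added example, not code from Invicti Learn, that audits a set of response headers for both: an HSTS policy that actually enforces HTTPS (non-zero max-age of at least a year, subdomains covered) and Set-Cookie headers that carry Secure and HttpOnly. The weak and hardened header sets are constructed for illustration.

```python
# Added example, not code from the Invicti page: check response headers for an
# enforcing HSTS policy and for cookie security flags. Sample headers are constructed.

ONE_YEAR = 365 * 24 * 3600  # max-age commonly recommended for HSTS (31536000)

def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains; preload' into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def hsts_findings(headers):
    """Return findings for the HSTS policy; an empty list means acceptable."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header: browser will accept plain HTTP next time"]
    d = parse_hsts(values[0])
    findings = []
    if not d.get("max-age", "").isdigit():
        findings.append("HSTS max-age missing or not numeric")
    elif int(d["max-age"]) == 0:
        findings.append("HSTS max-age=0 disables the policy")
    elif int(d["max-age"]) < ONE_YEAR:
        findings.append(f"HSTS max-age {d['max-age']} is shorter than one year")
    if "includesubdomains" not in d:
        findings.append("HSTS does not cover subdomains")
    return findings

def cookie_findings(headers):
    """Flag Set-Cookie headers lacking Secure (else sent over HTTP) or HttpOnly (else readable by script)."""
    findings = []
    for k, v in headers:
        if k.lower() == "set-cookie":
            name = v.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie {name} lacks {flag}")
    return findings

def audit(headers):
    """headers: list of (name, value) pairs from one HTTP response."""
    return hsts_findings(headers) + cookie_findings(headers)

# Constructed responses: a weak configuration beside the corrected one.
WEAK = [("Strict-Transport-Security", "max-age=300"),
        ("Set-Cookie", "session=abc123; Path=/")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]
```

Calling audit(WEAK) lists the short max-age, the missing subdomain coverage and the two missing cookie flags; audit(HARDENED) returns nothing.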

Frequently asked questions

What is a man-in-the-middle attack?

A man-in-the-middle attack (MITM attack) is a general cybersecurity term used to describe all cyberattacks that allow cybercriminals to eavesdrop on private communication between two or more endpoints and potentially modify the content of this communication.


What are the types of MITM attacks?

There are many attacks that are considered MITM, but the most common ones are: ARP spoofing, IP address spoofing, DNS cache poisoning, HTTPS spoofing, SSL hijacking, and SSL stripping.


How to prevent MITM attacks?

Ways of preventing MITM attacks depend on the specific attack type. However, general recommendations are: do not trust public networks (use a VPN), enforce HSTS for your domains, and follow general cybersecurity hygiene rules.


Written by: Tomasz Andrzej Nidecki, reviewed by: Benjamin Daniel Mussler