CAPEC-701 Detail

CAPEC-701

Name

Browser in the Middle (BiTM)

Likihood attacks

Medium

Typical Severity

High

Status

Draft

Published

2023-01-24
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.

Informations CAPEC

Execution Flow

1) Explore

[Identify potential targets] The adversary identifies an application or service that the target is likely to use.

Technique

The adversary stands up a server to host the transparent browser and entices victims to use it by using a domain name similar to the legitimate application. In addition to the transparent browser, the adversary could also install a web proxy, sniffer, keylogger, and other tools to assist in their goals.

2) Experiment

[Lure victims] The adversary crafts a phishing campaign to lure unsuspecting victims into using the transparent browser.

Technique

An adversary can create a convincing email with a link to download the web client and interact with the transparent browser.

3) Exploit

[Monitor and Manipulate Data] When the victim establishes the connection to the transparent browser, the adversary can view victim activity and make alterations to what the victim sees when browsing the web.

Technique

Once a victim has established a connection to the transparent browser, the adversary can use installed tools such as a web proxy, keylogger, or additional malicious browser extensions to gather and manipulate data or impersonate the victim.

Prerequisites

The adversary must create a convincing web client to establish the connection. The victim then needs to be lured onto the adversary's webpage. In addition, the victim's machine must not use local authentication APIs, a hardware token, or a Trusted Platform Module (TPM) to authenticate.

Skills Required

(Level : Medium)

Resources Required

A web application with a client is needed to enable the victim's browser to establish a remote desktop connection to the system of the adversary.

Mitigations

Implementation: Use strong, mutual authentication to fully authenticate with both ends of any communications channel

Related Weaknesses

CWE-ID	Weakness Name
CWE-294	Authentication Bypass by Capture-replay A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
CWE-345	Insufficient Verification of Data Authenticity The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References

REF-747

Browser-in-the-Middle (BitM) attack
Tommasi F., Catalano, C., Taurino I..
https://link.springer.com/article/10.1007/s10207-021-00548-5#citeas

Submission

Name	Organization	Date	Date release
Jonas Tzschoppe	Nuremberg Institute of Technology	2023-01-24 +00:00

CAPEC-701 Detail

CAPEC-701

Descriptions CAPEC

Informations CAPEC

Execution Flow

Prerequisites

Skills Required

Resources Required

Mitigations

Related Weaknesses

CWE-294

CWE-345

References

REF-747

Submission