Name |
Browser in the Middle (BiTM) |
|
Likelyhood of attack |
Typical severity |
Medium |
High |
|
Summary |
An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access. |
Prerequisites |
The adversary must create a convincing web client to establish the connection. The victim then needs to be lured onto the adversary's webpage. In addition, the victim's machine must not use local authentication APIs, a hardware token, or a Trusted Platform Module (TPM) to authenticate. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Explore |
[Identify potential targets] The adversary identifies an application or service that the target is likely to use. |
- The adversary stands up a server to host the transparent browser and entices victims to use it by using a domain name similar to the legitimate application. In addition to the transparent browser, the adversary could also install a web proxy, sniffer, keylogger, and other tools to assist in their goals.
|
2 |
Experiment |
[Lure victims] The adversary crafts a phishing campaign to lure unsuspecting victims into using the transparent browser. |
- An adversary can create a convincing email with a link to download the web client and interact with the transparent browser.
|
3 |
Exploit |
[Monitor and Manipulate Data] When the victim establishes the connection to the transparent browser, the adversary can view victim activity and make alterations to what the victim sees when browsing the web. |
- Once a victim has established a connection to the transparent browser, the adversary can use installed tools such as a web proxy, keylogger, or additional malicious browser extensions to gather and manipulate data or impersonate the victim.
|
|
Solutions | Implementation: Use strong, mutual authentication to fully authenticate with both ends of any communications channel |
Related Weaknesses |
CWE ID
|
Description
|
CWE-294 |
Authentication Bypass by Capture-replay |
CWE-345 |
Insufficient Verification of Data Authenticity |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-94 |
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components. |
CAPEC-98 |
Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information. |
CAPEC-148 |
An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes. |
CAPEC-151 |
Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials. |
|