CAPEC-662: Adversary in the Browser (AiTB)
Also known as: Man in the Browser, Boy in the Browser, Man in the Mobile
An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints.
Last updated
Overview
This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Experiment
The adversary tricks the victim into installing the Trojan Horse malware onto their system.
- Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.
- Step 2Experiment
The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.
- Step 3Exploit
The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
What the attacker needs
Prerequisites
- The adversary must install or convince a user to install a Trojan.
- There are two components communicating with each other.
- An attacker is able to identify the nature and mechanism of communication between the two target components.
- Strong mutual authentication is not used between the two target components yielding opportunity for adversarial interposition.
- For browser pivoting, the SeDebugPrivilege and a high-integrity process must both exist to execute this attack.
Skills required
- Medium skill: Tricking the victim into installing the Trojan is often the most difficult aspect of this attack. Afterwards, the remainder of this attack is fairly trivial.
Consequences
What a successful CAPEC-662 attack can achieve.
Modify Data
Affects: Integrity
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
Read Data
Affects: Confidentiality
How to mitigate it
Defenses that reduce the risk of CAPEC-662.
- Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component.
- Leverage anti-malware tools, which can detect Trojan Horse malware.
- Use strong, out-of-band mutual authentication to always fully authenticate both ends of any communications channel.
- Limit user permissions to prevent browser pivoting.
- Ensure browser sessions are regularly terminated and when their effective lifetime ends.
Examples
An adversary conducts a phishing attack and tricks a victim into installing a malicious browser plugin. The adversary then positions themself between the victim and their banking institution. The victim begins by initiating a funds transfer from their personal savings to their personal checking account. Using injected JavaScript, the adversary captures this request and modifies it to transfer an increased amount of funds to an account that they controls, before sending it to the bank. The bank processes the transfer and sends the confirmation notice back to the victim, which is instead intercepted by the adversary. The adversary modifies the confirmation to reflect the original transaction details and sends this modified message back to the victim. Upon receiving the confirmation, the victim assumes the transfer was successful and is unaware that their money has just been transferred to the adversary.
In 2020, the Agent Tesla malware was leveraged to conduct AiTB attacks against organizations within the gas, oil, and other energy sectors. The malware was delivered via a spearphishing campaign and has the capability to form-grab, keylog, copy clipboard data, extract credentials, and capture screenshots. [REF-630]
Boy in the browser attacks are a subset of AiTB attacks. Similar to AiTB attacks, the adversary must first trick the victim into installing a Trojan, either via social engineering or drive-by-download attacks. The malware then modifies the victim's "hosts" file in order to reroute web traffic from an intended website to an adversary-controlled website that mimics the legitimate website. The adversary is now able to observe, intercept, and/or modify all traffic, as in a traditional Adversary in the Middle attack (CAPEC-94). BiTB attacks are low-cost, easy to execute, and more difficult to detect since the malware often removes itself once the attack has concluded. [REF-631]
Man in the Mobile attacks are a subset of AiTB attacks that target mobile device users. Like AiTB attacks, an adversary convinces a victim to install a Trojan mobile application on their mobile device, often under the guise of security. Once the victim has installed the application, the adversary can capture all SMS traffic to bypass SMS-based out-of-band authentication systems. [REF-632]
Terminology & mappings
Alternate terms
- Man in the Browser
- Boy in the Browser
- Man in the Mobile
Mapped taxonomies
- ATTACK: Man in the Browser (1185)
- OWASP Attacks: Man-in-the-browser attack
Frequently asked questions
Common questions about CAPEC-662.
- What is CAPEC-662?
- An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints.
- How does a Adversary in the Browser (AiTB) attack work?
- It typically unfolds over 3 phases. It begins with: The adversary tricks the victim into installing the Trojan Horse malware onto their system.
- How do you prevent CAPEC-662?
- Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component.
- What weaknesses does CAPEC-662 target?
- CAPEC-662 exploits 2 CWE weaknesses, including CWE-300 (Channel Accessible by Non-Endpoint), CWE-494 (Download of Code Without Integrity Check).
- How severe is CAPEC-662?
- MITRE rates CAPEC-662 as Very High severity with high likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-662
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.