CAPEC-701: Browser in the Middle (BiTM)
An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.
Last updated
Overview
Unlike Adversary in the Browser, the victim does not need to install a malicious application. Browser in the Middle uses the inherent functionalities of a web browser to convince the victim they are browsing normally under the assumption that the connection is secure. All the actions performed by the victim in the open window are actually performed on the machine of the adversary. These victim-authenticated sessions are available to the adversary to use. All entered data such as passwords and usernames can be logged by the adversary and the content displayed to the victim can be altered arbitrarily. Varieties of multifactor authentication which rely solely on user input and do not use a form of hardware-based secret exchange are vulnerable to browser in the middle.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Identify potential targets] The adversary identifies an application or service that the target is likely to use.
- The adversary stands up a server to host the transparent browser and entices victims to use it by using a domain name similar to the legitimate application. In addition to the transparent browser, the adversary could also install a web proxy, sniffer, keylogger, and other tools to assist in their goals.
- Step 2Experiment
[Lure victims] The adversary crafts a phishing campaign to lure unsuspecting victims into using the transparent browser.
- An adversary can create a convincing email with a link to download the web client and interact with the transparent browser.
- Step 3Exploit
[Monitor and Manipulate Data] When the victim establishes the connection to the transparent browser, the adversary can view victim activity and make alterations to what the victim sees when browsing the web.
- Once a victim has established a connection to the transparent browser, the adversary can use installed tools such as a web proxy, keylogger, or additional malicious browser extensions to gather and manipulate data or impersonate the victim.
What the attacker needs
Prerequisites
- The adversary must create a convincing web client to establish the connection. The victim then needs to be lured onto the adversary's webpage. In addition, the victim's machine must not use local authentication APIs, a hardware token, or a Trusted Platform Module (TPM) to authenticate.
Skills required
- Medium skill:
Resources required
- A web application with a client is needed to enable the victim's browser to establish a remote desktop connection to the system of the adversary.
Consequences
What a successful CAPEC-701 attack can achieve.
Gain Privileges
Affects: Confidentiality, Access Control, Authentication
Read Data
Affects: Confidentiality, Authorization
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-701.
- Implementation: Use strong, mutual authentication to fully authenticate with both ends of any communications channel
Frequently asked questions
Common questions about CAPEC-701.
- What is CAPEC-701?
- An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.
- How does a Browser in the Middle (BiTM) attack work?
- It typically unfolds over 3 phases. It begins with: [Identify potential targets] The adversary identifies an application or service that the target is likely to use.
- How do you prevent CAPEC-701?
- Implementation: Use strong, mutual authentication to fully authenticate with both ends of any communications channel
- What weaknesses does CAPEC-701 target?
- CAPEC-701 exploits 2 CWE weaknesses, including CWE-294 (Authentication Bypass by Capture-replay), CWE-345 (Insufficient Verification of Data Authenticity).
- How severe is CAPEC-701?
- MITRE rates CAPEC-701 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-701
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.