Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CAPEC-662: Adversary in the Browser (AiTB)
Attack Pattern ID: 662
Version: v3.9
Attack Pattern Name: Adversary in the Browser (AiTB)
Abstraction: Standard
Status: Stable
Likelihood of Attack: High
Typical Severity: Very High
▼Description

An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints.

▼Extended Description

This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the corresponding endpoint, while simultaneously displaying the intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AiTB is often difficult because these attacks succeed even when security mechanisms such as SSL/PKI and multifactor authentication are present: those mechanisms still function as intended during the attack, since the tampering happens inside the browser, where they have already done their work.

▼Alternate Terms
Man in the Browser
Boy in the Browser
Man in the Mobile

▼Relationships
Nature     Type      ID   Name
ChildOf    Meta      94   Adversary in the Middle (AiTM)
CanFollow  Standard  185  Malicious Software Download
CanFollow  Standard  542  Targeted Malware
▼Execution Flow
Experiment
1. The adversary tricks the victim into installing the Trojan Horse malware onto their system.
   Technique: Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.
2. The adversary inserts themself into the communication channel, initially acting as a routing proxy between the two targeted components.
Exploit
1. The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
▼Prerequisites
The adversary must install or convince a user to install a Trojan.
There are two components communicating with each other.
An attacker is able to identify the nature and mechanism of communication between the two target components.
Strong mutual authentication is not used between the two target components yielding opportunity for adversarial interposition.
For browser pivoting, the SeDebugPrivilege and a high-integrity process must both exist to execute this attack.
▼Skills Required
Medium: Tricking the victim into installing the Trojan is often the most difficult aspect of this attack. Afterwards, the remainder of this attack is fairly trivial.

▼Resources Required
▼Indicators
▼Consequences
Scope                                           Likelihood  Impact           Note
Integrity                                       N/A         Modify Data      N/A
Confidentiality, Access Control, Authorization  N/A         Gain Privileges  N/A
Confidentiality                                 N/A         Read Data        N/A
▼Mitigations
Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component.
Leverage anti-malware tools, which can detect Trojan Horse malware.
Use strong, out-of-band mutual authentication to always fully authenticate both ends of any communications channel.
Limit user permissions to prevent browser pivoting.
Ensure browser sessions are terminated regularly and whenever their effective lifetime ends.
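The multifactor caveat in the Extended Description and the out-of-band mutual authentication mitigation above, as an added Python simulation that is not part of the CAPEC entry: a plain OTP is accepted for a transaction the compromised browser rewrote in transit, whereas a confirmation code computed on a separate device over the details the user actually approved is rejected once the server recomputes it over what it received. The secret, account names and amounts are constructed for the simulation.

```python
# Added illustration (not part of the CAPEC entry): why an in-band OTP does not stop
# AiTB tampering, while a confirmation code bound to the transaction details and
# produced on a separate (out-of-band) device does. All values are constructed.
import hashlib
import hmac

SHARED_SECRET = b"constructed-per-user-secret"  # provisioned to the user's OOB device


def canonical(txn: dict) -> bytes:
    """Canonical encoding so both sides MAC the same fields in the same order."""
    return f"{txn['to']}|{txn['amount']}|{txn['currency']}".encode()


def six_digits(mac: bytes) -> str:
    return str(int.from_bytes(mac[:4], "big") % 10**6).zfill(6)


def otp_code(secret: bytes, counter: int) -> str:
    """Counter-based OTP: proves possession of the device, says nothing about the transaction."""
    return six_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def txn_bound_code(secret: bytes, txn: dict) -> str:
    """Confirmation code computed over the details the user saw and approved on the OOB device."""
    return six_digits(hmac.new(secret, canonical(txn), hashlib.sha256).digest())


def server_accepts_otp(received_txn: dict, code: str, counter: int) -> bool:
    # The server only checks the OTP; received_txn is trusted as-is, so tampering goes unnoticed.
    return hmac.compare_digest(code, otp_code(SHARED_SECRET, counter))


def server_accepts_bound(received_txn: dict, code: str) -> bool:
    # The server recomputes the code over what it actually received; any in-browser edit breaks it.
    return hmac.compare_digest(code, txn_bound_code(SHARED_SECRET, received_txn))


def simulate() -> dict:
    intended = {"to": "ACME-PAYROLL", "amount": "100.00", "currency": "EUR"}
    # The compromised browser rewrites the request in transit while still showing 'intended' to the user.
    tampered = {"to": "UNKNOWN-ACCOUNT", "amount": "5000.00", "currency": "EUR"}
    counter = 42
    return {
        "otp_accepts_tampered": server_accepts_otp(tampered, otp_code(SHARED_SECRET, counter), counter),
        "bound_rejects_tampered": not server_accepts_bound(tampered, txn_bound_code(SHARED_SECRET, intended)),
        "bound_accepts_genuine": server_accepts_bound(intended, txn_bound_code(SHARED_SECRET, intended)),
    }
```

The bound code only helps if the user verifies the details shown on the separate device, which is why the mitigation pairs out-of-band verification with mutual authentication rather than relying on the browser's display.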
▼Example Instances
▼Related Weaknesses
ID       Name
CWE-300  Channel Accessible by Non-Endpoint
CWE-494  Download of Code Without Integrity Check
▼Taxonomy Mappings
Taxonomy Name  Entry ID  Entry Name
ATTACK         1185      Man in the Browser
OWASP Attacks  N/A       Man-in-the-browser attack
▼Notes
▼References
REF-629: "Man-in-the-browser attack". Open Web Application Security Project (OWASP). https://owasp.org/www-community/attacks/Man-in-the-browser_attack (accessed 2021-02-09).
REF-630: Liviu Arsene, "Oil and Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal". Bitdefender Labs, 2020-04-21. https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/ (accessed 2021-02-09).
REF-631: Amit Klein, "Man-in-the-Mobile Attacks Single Out Android". SecurityIntelligence, 2012-07-10. https://securityintelligence.com/man-in-the-mobile-attacks-single-out-android/ (accessed 2021-02-10).
REF-632: Kelly Jackson Higgins, "New 'Boy In The Browser' Attacks On The Rise". Dark Reading, Informa PLC, 2011-02-14. https://www.darkreading.com/risk/new-boy-in-the-browser-attacks-on-the-rise/d/d-id/1135247 (accessed 2021-02-10).