Man-in-the-Middle (MITM)

Man-in-the-Middle (MITM) is an attack where the adversary secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other.

How It Works

The attacker positions themselves between the victim and the destination (server, router, or another user). All traffic flows through the attacker, who can eavesdrop, modify data in transit, or inject malicious content.

Common MITM Techniques

  • ARP Spoofing: Send forged ARP replies so hosts on the LAN cache the attacker's MAC address for the gateway (or another host) and hand their traffic to the attacker
  • DNS Spoofing: Answer lookups with forged responses so the victim connects to an address the attacker controls
  • Rogue Wi-Fi: Run an access point with a trusted-looking SSID so clients route everything through the attacker's network
  • BGP Hijacking: Announce prefixes the attacker does not own so Internet traffic for them is routed through the attacker's network
  • SSL Stripping: Keep the victim on plaintext HTTP by rewriting HTTPS links and redirects, while the attacker itself talks TLS to the real server
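ARP spoofing is the technique most easily shown end to end on a LAN. The following added example (not code from the original page) builds the forged Ethernet/ARP reply an attacker sends, parses such frames, and runs a simple detector that flags an IP address whose MAC claim changes, or contradicts a known static mapping for the gateway. All addresses and the capture are constructed for the example.

```python
import struct

# Ethernet II header: dst MAC, src MAC, EtherType (0x0806 = ARP)
ETH_HDR = struct.Struct("!6s6sH")
# ARP for IPv4 over Ethernet: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses for the example LAN (not from the original page)
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Frame carrying the ARP reply 'sender_ip is-at sender_mac'. This is exactly
    what a spoofer sends: sender_ip = the gateway, sender_mac = the attacker's NIC."""
    eth = ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (oper, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame,
    or None for anything else (wrong EtherType, truncated, unexpected sizes)."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(sha), ip_str(spa)


def detect_arp_spoofing(frames, trusted=None):
    """Track the IP->MAC claims seen in ARP replies. Alert when a claim contradicts
    a trusted static mapping (e.g. the gateway) or when an IP's MAC changes."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    seen = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip in trusted and mac != trusted[ip]:
            alerts.append(f"{ip} claimed by {mac}, expected {trusted[ip]}")
        elif ip in seen and seen[ip] != mac:
            alerts.append(f"{ip} changed from {seen[ip]} to {mac}")
        seen.setdefault(ip, mac)  # remember the first claim for each IP
    return alerts


def sample_capture():
    """Constructed capture: the real gateway answers, an unrelated non-ARP frame
    goes by, then the attacker claims the gateway's IP for its own MAC."""
    return [
        build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        b"\x00" * 60,  # EtherType 0x0000: skipped by the parser
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    ]


if __name__ == "__main__":
    for alert in detect_arp_spoofing(sample_capture(), trusted={GATEWAY_IP: GATEWAY_MAC}):
        print("ALERT:", alert)
```

The "changed" rule alone catches a spoofer that arrives after the legitimate host has answered, but it would accept the attacker's claim if it came first; a static trusted mapping for the gateway (or Dynamic ARP Inspection on the switch) closes that gap.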

Attack Capabilities

  • Capture credentials sent in cleartext
  • Steal session cookies sent over plaintext HTTP or set without the Secure flag
  • Inject malicious scripts into HTTP responses
  • Modify financial transactions in transit
  • Relay one-time two-factor authentication codes to the real site while the victim's session is being proxied

HTTPS Protection

TLS/HTTPS protects against eavesdropping and tampering as long as the client properly validates the server's certificate, but attackers may:

  • Use SSL stripping to keep the victim on plaintext HTTP before TLS is ever negotiated
  • Present a fraudulent certificate issued by a compromised or mis-issuing CA, or by a root the victim's device has been made to trust
  • Exploit clients that skip or mis-implement validation (no chain check, no hostname check, accepting any certificate)
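The last point is the one most often introduced by the application itself. The following added example (not code from the original page) shows a Python TLS client configured the weak way beside the hardened configuration, plus a certificate pin check that rejects a certificate which is valid but not the one expected. The pin here is the SHA-256 of the DER-encoded leaf certificate; production pinning usually hashes the SubjectPublicKeyInfo instead so a key-preserving renewal does not break the pin. The hostname, port and pin values in the usage comment are placeholders.

```python
import hashlib
import socket
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: chain validation and hostname matching both off.
    Any certificate is accepted, including one minted by an on-path attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The correct setting: chain validation against the system trust store,
    hostname matching, and a TLS 1.2 floor so nothing below it can be negotiated."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the validation-relevant settings of a context."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins) -> bool:
    """Accept only if the presented leaf matches one of the expected pins.
    Ship at least two pins (current and backup) so renewal cannot lock users out."""
    return cert_fingerprint(der_cert) in {p.lower() for p in pins}


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> bytes:
    """Full validation first, then the pin check on the leaf the server presented.
    Returns the DER certificate on success, raises ssl.SSLError on a pin mismatch."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLError(f"pin mismatch for {host}: {cert_fingerprint(der)}")
            return der


if __name__ == "__main__":
    print("weak:    ", describe(insecure_client_context()))
    print("hardened:", describe(hardened_client_context()))
    # Placeholder usage (needs network and a real pin for the host):
    # connect_pinned("example.com", 443, {"<sha256 hex of the expected leaf>"})
```

The weak context is what `verify=False` style shortcuts produce; it turns a MITM from "needs a trusted fraudulent certificate" into "needs any certificate at all".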

Prevention

  • Serve everything over HTTPS and send Strict-Transport-Security (HSTS) so browsers refuse plaintext after the first secure visit; preload the domain so the first visit is covered too
  • Validate certificates properly: chain to a trusted root, hostname match, expiry and revocation, and never click through certificate warnings
  • Pin the expected certificate or public key in mobile apps so a mis-issued but otherwise valid certificate is still rejected (keep a backup pin for renewals)
  • Tunnel traffic through a VPN on untrusted networks (this moves the trust to the VPN provider rather than removing it)
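SSL stripping (listed under the techniques and again under HTTPS Protection) and HSTS (first item under Prevention) are two sides of one mechanism, so the following added example (not code from the original page) simulates both: the rewrite an sslstrip-style proxy applies to a relayed response, and the browser-side HSTS cache that decides whether an http:// URL is upgraded before any request leaves the machine. The host bank.example, the upstream response and the clock are constructed for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value: str):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when the required max-age directive is missing or malformed."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """The browser's HSTS cache: host -> (expiry timestamp, includeSubDomains).
    Preloaded hosts never expire and cover subdomains."""

    def __init__(self, preload=(), clock=time.time):
        self.clock = clock
        self.entries = {h.lower(): (float("inf"), True) for h in preload}

    def record(self, host: str, header_value: str) -> None:
        """Only ever called for a response received over TLS; a browser ignores
        HSTS on plaintext responses, which is all a stripping attacker can relay."""
        parsed = parse_hsts(header_value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (self.clock() + max_age, include_sub)

    def must_upgrade(self, host: str) -> bool:
        labels = host.lower().split(".")
        now = self.clock()
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] >= now and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// for known-HSTS hosts before the request is sent."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname and self.must_upgrade(p.hostname):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url


def strip_tls(headers: dict, body: str):
    """What an sslstrip-style proxy does to a response it relays in plaintext:
    rewrite https:// references to http:// so the victim never upgrades, and drop
    the HSTS header so the browser never learns to upgrade on its own."""
    out = {k: v for k, v in headers.items() if k.lower() != "strict-transport-security"}
    if "Location" in out:
        out["Location"] = out["Location"].replace("https://", "http://", 1)
    return out, body.replace("https://", "http://")


# Constructed upstream response from the real site (fetched by the attacker over TLS)
UPSTREAM_HEADERS = {"Location": "https://bank.example/login",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
UPSTREAM_BODY = '<a href="https://bank.example/account">Account</a>'


def first_visit(preloaded: bool) -> str:
    """The victim types 'bank.example', so the browser starts with http://.
    Returns the URL the victim's next request actually goes to."""
    hsts = HstsStore(preload=["bank.example"] if preloaded else [])
    url = hsts.upgrade("http://bank.example/login")
    if url.startswith("https://"):
        return url  # never sent in the clear: the attacker has nothing to strip
    headers, _ = strip_tls(UPSTREAM_HEADERS, UPSTREAM_BODY)
    return hsts.upgrade(headers["Location"])  # HSTS header gone, redirect now http://


if __name__ == "__main__":
    print("no preload :", first_visit(False))
    print("preloaded  :", first_visit(True))
```

The simulation makes the caveat concrete: HSTS learned from a previous secure visit is trust-on-first-use, and the first visit is exactly where the stripping attacker sits, which is why preloading (or the user typing https:// explicitly) matters.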

See Also