CAPEC - CAPEC-662: Adversary in the Browser (AiTB) (Version 3.9)


CAPEC Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks	New to CAPEC? Start Here

Home > CAPEC List > CAPEC-662: Adversary in the Browser (AiTB) (Version 3.9)

CAPEC-662: Adversary in the Browser (AiTB)

Attack Pattern ID: 662

Abstraction: Standard

View customized information:

Description

An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints.

Extended Description

This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack.

Alternate Terms

Term: Man in the Browser

Term: Boy in the Browser

Term: Man in the Mobile

Likelihood Of Attack

High

Typical Severity

Very High

Relationships

Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Meta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	94	Adversary in the Middle (AiTM)
CanFollow	Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	185	Malicious Software Download
CanFollow	Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	542	Targeted Malware

Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Communications
Mechanisms of Attack	Subvert Access Control

Execution Flow

Experiment

The adversary tricks the victim into installing the Trojan Horse malware onto their system.
Techniques
Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.
The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.

Techniques
Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.

Exploit

The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.

Prerequisites

The adversary must install or convince a user to install a Trojan.

There are two components communicating with each other.

An attacker is able to identify the nature and mechanism of communication between the two target components.

Strong mutual authentication is not used between the two target components yielding opportunity for adversarial interposition.

For browser pivoting, the SeDebugPrivilege and a high-integrity process must both exist to execute this attack.

Skills Required

[Level: Medium]

Tricking the victim into installing the Trojan is often the most difficult aspect of this attack. Afterwards, the remainder of this attack is fairly trivial.

Consequences

Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Integrity	Modify Data
Confidentiality Access Control Authorization	Gain Privileges
Confidentiality	Read Data

Mitigations

Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component.

Leverage anti-malware tools, which can detect Trojan Horse malware.

Use strong, out-of-band mutual authentication to always fully authenticate both ends of any communications channel.

Limit user permissions to prevent browser pivoting.

Ensure browser sessions are regularly terminated and when their effective lifetime ends.

Example Instances

An adversary conducts a phishing attack and tricks a victim into installing a malicious browser plugin. The adversary then positions themself between the victim and their banking institution. The victim begins by initiating a funds transfer from their personal savings to their personal checking account. Using injected JavaScript, the adversary captures this request and modifies it to transfer an increased amount of funds to an account that they controls, before sending it to the bank. The bank processes the transfer and sends the confirmation notice back to the victim, which is instead intercepted by the adversary. The adversary modifies the confirmation to reflect the original transaction details and sends this modified message back to the victim. Upon receiving the confirmation, the victim assumes the transfer was successful and is unaware that their money has just been transferred to the adversary.

In 2020, the Agent Tesla malware was leveraged to conduct AiTB attacks against organizations within the gas, oil, and other energy sectors. The malware was delivered via a spearphishing campaign and has the capability to form-grab, keylog, copy clipboard data, extract credentials, and capture screenshots. [REF-630]

Boy in the browser attacks are a subset of AiTB attacks. Similar to AiTB attacks, the adversary must first trick the victim into installing a Trojan, either via social engineering or drive-by-download attacks. The malware then modifies the victim's "hosts" file in order to reroute web traffic from an intended website to an adversary-controlled website that mimics the legitimate website. The adversary is now able to observe, intercept, and/or modify all traffic, as in a traditional Adversary in the Middle attack (CAPEC-94). BiTB attacks are low-cost, easy to execute, and more difficult to detect since the malware often removes itself once the attack has concluded. [REF-631]

Man in the Mobile attacks are a subset of AiTB attacks that target mobile device users. Like AiTB attacks, an adversary convinces a victim to install a Trojan mobile application on their mobile device, often under the guise of security. Once the victim has installed the application, the adversary can capture all SMS traffic to bypass SMS-based out-of-band authentication systems. [REF-632]

Related Weaknesses

Section HelpA Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-ID	Weakness Name
300	Channel Accessible by Non-Endpoint
494	Download of Code Without Integrity Check

Taxonomy Mappings

Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1185	Man in the Browser

Relevant to the OWASP taxonomy mapping

Entry Name
Man-in-the-browser attack

References

[REF-629] "Man-in-the-browser attack". Open Web Application Security Project (OWASP). <https://owasp.org/www-community/attacks/Man-in-the-browser_attack>. URL validated: 2021年02月09日.

[REF-630] Liviu Arsene. "Oil and Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal". Bitdefender Labs. 2020年04月21日. <https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/>. URL validated: 2021年02月09日.

[REF-631] Amit Klein. "Man-in-the-Mobile Attacks Single Out Android". SecurityIntelligence. 2012年07月10日. <https://securityintelligence.com/man-in-the-mobile-attacks-single-out-android/>. URL validated: 2021年02月10日.

[REF-632] Kelly Jackson Higgins. "New 'Boy In The Browser' Attacks On The Rise". Dark Reading, Informa PLC. 2011年02月14日. <https://www.darkreading.com/risk/new-boy-in-the-browser-attacks-on-the-rise/d/d-id/1135247>. URL validated: 2021年02月10日.

Content History

Submissions
Submission Date	Submitter	Organization
2021年06月24日 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021年06月24日 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022年09月29日 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022年09月29日 (Version 3.8)	Updated Description, Extended_Description

More information is available — Please select a different filter.

Page Last Updated or Reviewed: June 24, 2021


MITRE	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| CAPEC on Twitter CAPEC on LinkedIn CAPEC on YouTube CAPEC Out-of-Bounds-Read Podcast CAPEC Blog on Medium Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.	HSSEDI

Common Attack Pattern Enumeration and Classification

CAPEC-662: Adversary in the Browser (AiTB)