• Tìm kiếm

What is MITM (Man in the Middle) Attack | Imperva

  • 45,000
  • Tác giả: admin
  • Ngày đăng: 01:45 14/12/2024
  • Lượt xem: 45
  • Tình trạng: Còn hàng

What is MITM attack

A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to tướng eavesdrop or to tướng impersonate one of the parties, making it appear as if a normal exchange of information is underway.

The goal of an attack is to tướng steal personal information, such as login credentials, tài khoản details and credit thẻ numbers. Targets are typically the users of financial applications, SaaS businesses, e-commerce sites and other websites where logging in is required.

Information obtained during an attack could be used for many purposes, including identity theft, unapproved fund transfers or an illicit password change.

Additionally, it can be used to tướng gain a foothold inside a secured perimeter during the infiltration stage of an advanced persistent threat (APT) assault.

Broadly speaking, a MITM attack is the equivalent of a mailman opening your ngân hàng statement, writing down your tài khoản details and then resealing the envelope and delivering it to tướng your door.

man in the middle mitm attack

Man in the middle attack example

MITM attack progression

Successful MITM execution has two distinct phases: interception and decryption.

Interception

The first step intercepts user traffic through the attacker’s network before it reaches its intended destination.

The most common (and simplest) way of doing this is a passive attack in which an attacker makes không lấy phí, malicious WiFi hotspots available to tướng the public. Typically named in a way that corresponds to tướng their location, they aren’t password protected. Once a victim connects to tướng such a hotspot, the attacker gains full visibility to tướng any online data exchange.

Attackers wishing to tướng take a more active approach to tướng interception may launch one of the following attacks:

  • IP spoofing involves an attacker disguising himself as an application by altering packet headers in an IP address. As a result, users attempting to tướng access a URL connected to tướng the application are sent to tướng the attacker’s trang web.
  • ARP spoofing is the process of linking an attacker’s MAC address with the IP address of a legitimate user on a local area network using kém chất lượng ARP messages. As a result, data sent by the user to tướng the host IP address is instead transmitted to tướng the attacker.
  • DNS spoofing, also known as DNS cache poisoning, involves infiltrating a DNS server and altering a website’s address record. As a result, users attempting to tướng access the site are sent by the altered DNS record to tướng the attacker’s site.

Decryption

After interception, any two-way SSL traffic needs to tướng be decrypted without alerting the user or application. A number of methods exist to tướng achieve this:

  • HTTPS spoofing sends a phony certificate to tướng the victim’s browser once the initial connection request to tướng a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies according to tướng an existing list of trusted sites. The attacker is then able to tướng access any data entered by the victim before it’s passed to tướng the application.
  • SSL BEAST (browser exploit against SSL/TLS) targets a TLS version 1.0 vulnerability in SSL. Here, the victim’s computer is infected with malicious JavaScript that intercepts encrypted cookies sent by a trang web application. Then the app’s cipher block chaining (CBC) is compromised sánh as to tướng decrypt its cookies and authentication tokens.
  • SSL hijacking occurs when an attacker passes forged authentication keys to tướng both the user and application during a TCP handshake. This sets up what appears to tướng be a secure connection when, in fact, the man in the middle controls the entire session.
  • SSL stripping downgrades a HTTPS connection to tướng HTTP by intercepting the TLS authentication sent from the application to tướng the user. The attacker sends an unencrypted version of the application’s site to tướng the user while maintaining the secured session with the application. Meanwhile, the user’s entire session is visible to tướng the attacker.

Man in the middle attack prevention

Blocking MITM attacks requires several practical steps on the part of users, as well as a combination of encryption and verification methods for applications.

For users, this means:

  • Avoiding WiFi connections that aren’t password protected.
  • Paying attention to tướng browser notifications reporting a trang web as being unsecured.
  • Immediately logging out of a secure application when it’s not in use.
  • Not using public networks (e.g., coffee shops, hotels) when conducting sensitive transactions.

For trang web operators, secure communication protocols, including TLS and HTTPS, help mitigate spoofing attacks by robustly encrypting and authenticating transmitted data. Doing sánh prevents the interception of site traffic and blocks the decryption of sensitive data, such as authentication tokens.

It is considered best practice for applications to tướng use SSL/TLS to tướng secure every page of their site and not just the pages that require users to tướng log in. Doing sánh helps decreases the chance of an attacker stealing session cookies from a user browsing on an unsecured section of a trang web while logged in.’

Using Imperva to tướng protect against MITM

MITM attacks often occur due to tướng suboptimal SSL/TLS implementations, lượt thích the ones that enable the SSL BEAST exploit or supporting the use of outdated and under-secured ciphers.

To counter these, Imperva provides its customer with an optimized end-to-end SSL/TLS encryption, as part of its suite of security services.

Hosted on Imperva content delivery network (CDN), the certificates are optimally implemented to tướng prevent SSL/TLS compromising attacks, such as downgrade attacks (e.g. SSL stripping), and to tướng ensure compliancy with latest PCI DSS demands.

Offered as a managed service, SSL/TLS configuration is kept up to tướng date maintained by a professional security, both to tướng keep up with compliency demands and to tướng counter emerging threats (e.g. Heartbleed).

Finally, with the Imperva cloud dashboard, customer can also configure HTTP Strict Transport Security (HSTS) policies to tướng enforce the use SSL/TLS security across multiple subdomains. This helps further secure trang web and trang web application from protocol downgrade attacks and cookie hijacking attempts.