CAPEC Details
Name Adversary in the Browser (AiTB)
Likelyhood of attack Typical severity
High Very High
Summary An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints. This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack.
Prerequisites The adversary must install or convince a user to install a Trojan. There are two components communicating with each other. An attacker is able to identify the nature and mechanism of communication between the two target components. Strong mutual authentication is not used between the two target components yielding opportunity for adversarial interposition. For browser pivoting, the SeDebugPrivilege and a high-integrity process must both exist to execute this attack.
Execution Flow
Step Phase Description Techniques
1 Experiment The adversary tricks the victim into installing the Trojan Horse malware onto their system.
  • Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.
2 Experiment The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.
3 Exploit The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.
Solutions Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component. Leverage anti-malware tools, which can detect Trojan Horse malware. Use strong, out-of-band mutual authentication to always fully authenticate both ends of any communications channel. Limit user permissions to prevent browser pivoting. Ensure browser sessions are regularly terminated and when their effective lifetime ends.
Related Weaknesses
CWE ID Description
CWE-300 Channel Accessible by Non-Endpoint
CWE-494 Download of Code Without Integrity Check
Related CAPECS
CAPEC ID Description
CAPEC-94 An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.
Taxonomy: ATTACK
Entry ID Entry Name
1185 Man in the Browser
Taxonomy: OWASP Attacks
Entry ID Entry Name
Link Man-in-the-browser attack