In a web application there are usually two actors: the client and the server. The third entity, which most of the time goes unnoticed, is the communication channel. This channel can be a wired or a wireless connection, and there can be one or more servers along the way that forward your request to the destination server as efficiently as possible. These are known as proxy servers.
When an unwanted proxy in the network intercepts and modifies the requests and responses, that proxy is called a man in the middle, and the network is said to be under a man-in-the-middle (MITM) attack. The interesting point is that each endpoint mistakes this rogue proxy for the legitimate other endpoint: it acts as a server to the client and as a client to the server.
For example, suppose you are connected to a WiFi network and doing a transaction with your bank, and an attacker is connected to the same WiFi. The attacker does the following:
- The attacker sends rogue ARP packets onto the network that map the IP address of the access point to the MAC address of the attacker's device.
- Each device on the network caches the mapping contained in the rogue packets.
- Your device looks up the gateway's MAC address in its ARP cache and sends the packets destined for your bank's web server to the access point (the default gateway for the network).
- Because of the poisoned cache entry, the packets go to the attacker's machine instead.
- The attacker can now read and modify the requests contained in the packets before forwarding them.
This way the attacker is conveniently situated between you and your bank's server. Every bit of sensitive data that you send to the server, including your login password, is visible to the attacker. ARP cache poisoning is one of many ways to perform an MITM attack; others include:
- DNS spoofing.
- IP spoofing.
- Setting up a rogue WiFi access point.
- SSL spoofing, among others.
Use of SSL can prevent these attacks from succeeding. Since the data is encrypted and only the legitimate endpoints have the key to decrypt it, the attacker can do very little with the data even if he gets hold of it.
(SSL is only useful if it is set up properly; there are ways to circumvent this protection mechanism too, but they are hard to carry out.) But the attacker can still do a lot of damage if the web application the user is interacting with does not use something called a nonce. The attacker can capture the encrypted requests for the entire session and then carefully resend the requests that were used for logging in. This way the attacker gains access to your account without knowing your password. Using a nonce prevents such "replay attacks". A nonce is a unique number that the server sends to the client prior to login. It is submitted together with the username and password and is invalidated after a single use.
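The single-use nonce scheme just described, written out as an added example (this is not code from the original article): the server issues a nonce before login, the login submission must carry it, and the nonce is spent on first use, so a resent copy of the same login request is rejected. The user record, password and expiry window are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo credential store: username -> (salt, password_hash).
# A production system would use a dedicated password hash such as argon2 or bcrypt.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}


class LoginServer:
    """Issues single-use login nonces and rejects any login that reuses one."""

    def __init__(self, ttl_seconds: int = 120):
        self.ttl = ttl_seconds
        self._nonces = {}  # nonce -> expiry time (monotonic clock)

    def issue_nonce(self) -> str:
        """Step 1: server hands the client a fresh, unpredictable nonce before login."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = time.monotonic() + self.ttl
        return nonce

    def login(self, username: str, password: str, nonce: str) -> bool:
        """Step 2: client submits username, password and nonce; the nonce is consumed."""
        # Pop first: whether or not the attempt succeeds, the nonce is now spent.
        expiry = self._nonces.pop(nonce, None)
        if expiry is None or time.monotonic() > expiry:
            return False  # unknown, already used, or expired nonce
        record = USERS.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(_hash_pw(password, salt), stored)


def replay_scenario():
    """Victim logs in once; the identical request is then submitted a second time."""
    server = LoginServer()
    captured = ("alice", "correct horse", server.issue_nonce())  # the request as sent
    first = server.login(*captured)     # genuine login succeeds
    replayed = server.login(*captured)  # same request again: nonce already spent
    return first, replayed
```

The second call fails purely because the nonce is gone, not because anything about the credentials changed; a failed attempt spends the nonce too, so it cannot be retried with a different password.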
There are some things that can be done to avoid falling victim to MITM and related attacks. One should:
- Always use trusted networks and devices to log in to sensitive websites.
- Avoid connecting to open (unencrypted) WiFi networks.
- Keep networks secure from unwanted external access.
- If you have to use a public computer, check its browser for rogue certificates and make sure there aren't any. Check the hosts file too.
- When connected to a public network or using a public computer, run a traceroute to the website you want to access and look at the route taken by the packets for anything suspicious, for example packets going first to an IP other than your gateway's (the IP whose last octet is 1).