Update MITM to Machine-in-the-Middle #3175
What is the reason for this change? I think MITM is a longstanding abbreviation; I wonder where the "machine" comes from?
Co-authored-by: Carlos Holguera <[email protected]>
@titze We made this change as part of a broader effort to remove gendered language from our documentation, following feedback we received some time ago. Our style guide now explicitly states that we should use gender-neutral terminology, and "man-in-the-middle" was one of the remaining terms that needed updating. When evaluating alternatives, our primary goal was to maintain clear communication while also keeping the familiar acronym (MITM). We considered options like "adversary-in-the-middle" and "person-in-the-middle," but we wanted to preserve the "M" in MITM for consistency. Ultimately, we settled on "Machine-in-the-Middle" because, in most cases, even if an attack is orchestrated by a person, it is executed through a machine that intercepts communication. Also, to clarify, we didn't create the term; it is already being used in the community. To ensure clarity, we will continue to reference the original term, but only in the definition of the MITM term.
@@ -89,4 +89,4 @@ protected void onResume() { | |||
|
|||
In order to test for proper updating: try downloading an older version of the application with a security vulnerability, either by a release from the developers or by using a third party app-store. | |||
Next, verify whether or not you can continue to use the application without updating it. If an update prompt is given, verify if you can still use the application by canceling the prompt or otherwise circumventing it through normal application usage. This includes validating whether the backend will stop calls to vulnerable backends and/or whether the vulnerable app-version itself is blocked by the backend. | |||
Lastly, see if you can play with the version number of a man-in-the-middled app and see how the backend responds to this (and if it is recorded at all for instance). | |||
Lastly, see if you can play with the version number of a "machine-in-the-middled" app and see how the backend responds to this (and if it is recorded at all for instance). |
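Review bot: the quoted participle "machine-in-the-middled" in the last changed line is awkward and is also the only place in the PR where the term is lowercased; the sentence reads better without the coinage, e.g. `Lastly, try modifying the version number of an app whose traffic is routed through a MITM proxy and see how the backend responds (and whether the change is recorded at all).` The test step only tells you something if the backend actually uses the reported version for its allow/deny decision, which the preceding context lines describe, so keep that link explicit.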
Lastly, see if you can play with the version number of a "machine-in-the-middled" app and see how the backend responds to this (and if it is recorded at all for instance).
Lastly, try modifying the version number of an app while intercepting its traffic using a MITM proxy, and observe how the backend responds (including whether the change is recorded, for example).
@cpholguera thanks for the clarification! Should we add a glossary somewhere, explaining this (maybe there are more cases like this)? I feel the classic definition of MITM is so widely used that it will at least somewhat confuse people. Especially since it seems that machine-in-the-middle is used in some literature to clearly indicate that this is not a person, but some automated machine.
@@ -6,7 +6,7 @@ source: https://portswigger.net/burp/communitydownload | |||
|
|||
Burp Suite is an integrated platform for performing security testing mobile and web applications. | |||
|
|||
Its tools work together seamlessly to support the entire testing process, from initial mapping and analysis of attack surfaces to finding and exploiting security vulnerabilities. Burp Proxy operates as a web proxy server for Burp Suite, which is positioned as a man-in-the-middle between the browser and web servers. Burp Suite allows you to intercept, inspect, and modify incoming and outgoing raw HTTP traffic. | |||
Its tools work together seamlessly to support the entire testing process, from initial mapping and analysis of attack surfaces to finding and exploiting security vulnerabilities. Burp Proxy operates as a web proxy server for Burp Suite, which is positioned as a Machine-in-the-Middle between the browser and web servers. Burp Suite allows you to intercept, inspect, and modify incoming and outgoing raw HTTP traffic. |
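Review bot: "Machine-in-the-Middle" is Title Case here but lowercase in the previous hunk; pick one casing for the whole PR and, since this is the first use on the Burp Suite page, introduce the acronym at this point: `positioned as a Machine-in-the-Middle (MITM) between the browser and web servers`. Drive-by in the unchanged context line above: "performing security testing mobile and web applications" is missing "of".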
Its tools work together seamlessly to support the entire testing process, from initial mapping and analysis of attack surfaces to finding and exploiting security vulnerabilities. Burp Proxy operates as a web proxy server for Burp Suite, which is positioned as a Machine-in-the-Middle between the browser and web servers. Burp Suite allows you to intercept, inspect, and modify incoming and outgoing raw HTTP traffic.
Its tools work together seamlessly to support the entire testing process, from initial mapping and analysis of attack surfaces to finding and exploiting security vulnerabilities. Burp Proxy operates as a web proxy server for Burp Suite, which is positioned as a Machine-in-the-Middle (MITM) between the browser and web servers. Burp Suite allows you to intercept, inspect, and modify incoming and outgoing raw HTTP traffic.
@@ -4,7 +4,7 @@ platform: network | |||
source: https://github.com/bettercap/bettercap | |||
--- | |||
|
|||
A powerful framework which aims to offer to security researchers and reverse engineers an easy to use, all-in-one solution for Wi-Fi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance. It can be used during network penetration tests in order to simulate a man-in-the-middle (MITM) attack. This is achieved by executing [ARP poisoning or spoofing](https://en.wikipedia.org/wiki/ARP_spoofing "ARP poisoning/spoofing") to the target computers. When such an attack is successful, all packets between two computers are redirected to a third computer that acts as the man-in-the-middle and is able to intercept the traffic for analysis. | |||
A powerful framework which aims to offer to security researchers and reverse engineers an easy to use, all-in-one solution for Wi-Fi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance. It can be used during network penetration tests in order to simulate a Machine-in-the-Middle (MITM) attack. This is achieved by executing [ARP poisoning or spoofing](https://en.wikipedia.org/wiki/ARP_spoofing "ARP poisoning/spoofing") to the target computers. When such an attack is successful, all packets between two computers are redirected to a third computer that acts as the Machine-in-the-Middle and is able to intercept the traffic for analysis. |
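Review bot: the second occurrence in the changed line ("acts as the Machine-in-the-Middle") follows directly after the acronym is introduced in the same paragraph, so `acts as the MITM` reads more naturally and avoids the capitalised phrase mid-sentence. While this paragraph is being touched, "executing ARP poisoning or spoofing to the target computers" should be "against the target computers".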
A powerful framework which aims to offer to security researchers and reverse engineers an easy to use, all-in-one solution for Wi-Fi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance. It can be used during network penetration tests in order to simulate a Machine-in-the-Middle (MITM) attack. This is achieved by executing [ARP poisoning or spoofing](https://en.wikipedia.org/wiki/ARP_spoofing "ARP poisoning/spoofing") to the target computers. When such an attack is successful, all packets between two computers are redirected to a third computer that acts as the Machine-in-the-Middle and is able to intercept the traffic for analysis.
A powerful framework which aims to offer to security researchers and reverse engineers an easy to use, all-in-one solution for Wi-Fi, Bluetooth Low Energy, wireless HID hijacking and Ethernet networks reconnaissance. It can be used during network penetration tests in order to simulate a Machine-in-the-Middle (MITM) attack. This is achieved by executing [ARP poisoning or spoofing](https://en.wikipedia.org/wiki/ARP_spoofing "ARP poisoning/spoofing") to the target computers. When such an attack is successful, all packets between two computers are redirected to a third computer that acts as the MITM and is able to intercept the traffic for analysis.
@@ -14,7 +14,7 @@ masvs_v1_levels: | |||
|
|||
## Static Analysis | |||
|
|||
Using TLS to transport sensitive information over the network is essential for security. However, encrypting communication between a mobile application and its backend API is not trivial. Developers often decide on simpler but less secure solutions (e.g., those that accept any certificate) to facilitate the development process, and sometimes these weak solutions make it into the production version, potentially exposing users to [man-in-the-middle attacks](https://cwe.mitre.org/data/definitions/295.html "CWE-295: Improper Certificate Validation"). | |||
Using TLS to transport sensitive information over the network is essential for security. However, encrypting communication between a mobile application and its backend API is not trivial. Developers often decide on simpler but less secure solutions (e.g., those that accept any certificate) to facilitate the development process, and sometimes these weak solutions make it into the production version, potentially exposing users to [Machine-in-the-Middle attacks](https://cwe.mitre.org/data/definitions/295.html "CWE-295: Improper Certificate Validation"). |
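Review bot: the link text and link target in the changed line no longer agree: the anchor reads "Machine-in-the-Middle attacks" but points at CWE-295 (Improper Certificate Validation), which is the weakness that enables the attack, not the attack itself. Keep the term unlinked and cite the CWE under its own title, e.g. `... potentially exposing users to Machine-in-the-Middle (MITM) attacks (see [CWE-295: Improper Certificate Validation](https://cwe.mitre.org/data/definitions/295.html))`. That also keeps the "accept any certificate" example and the CWE it maps to next to each other.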
Using TLS to transport sensitive information over the network is essential for security. However, encrypting communication between a mobile application and its backend API is not trivial. Developers often decide on simpler but less secure solutions (e.g., those that accept any certificate) to facilitate the development process, and sometimes these weak solutions make it into the production version, potentially exposing users to [Machine-in-the-Middle attacks](https://cwe.mitre.org/data/definitions/295.html "CWE-295: Improper Certificate Validation").
Using TLS to transport sensitive information over the network is essential for security. However, encrypting communication between a mobile application and its backend API is not trivial. Developers often decide on simpler but less secure solutions (e.g., those that accept any certificate) to facilitate the development process, and sometimes these weak solutions make it into the production version, potentially exposing users to Machine-in-the-Middle (MITM) attacks. See ["CWE-295: Improper Certificate Validation"](https://cwe.mitre.org/data/definitions/295.html "CWE-295: Improper Certificate Validation").
@@ -60,7 +60,7 @@ The result of the steps above can now be used as input for searching different v | |||
> | |||
> 1. If the developer packs all dependencies in terms of its own support library using a .podspec file, then this .podspec file can be checked with the experimental CocoaPods podspec checker. | |||
> 2. If the project uses CocoaPods in combination with Objective-C, SourceClear can be used. | |||
> 3. Using CocoaPods with HTTP-based links instead of HTTPS might allow for man-in-the-middle attacks during the download of the dependency, allowing an attacker to replace (parts of) the library with other content. Therefore, always use HTTPS. | |||
> 3. Using CocoaPods with HTTP-based links instead of HTTPS might allow for Machine-in-the-Middle attacks during the download of the dependency, allowing an attacker to replace (parts of) the library with other content. Therefore, always use HTTPS. |
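Review bot: the changed list item is the only mention of the term in this hunk and it appears without the acronym; for consistency with the PR's stated approach (spell out once, then use MITM) change it to `Machine-in-the-Middle (MITM) attacks`. The substance of the item is right and worth keeping explicit: an `http://` source lets anyone in a network position replace the dependency during download, so HTTPS is the minimum, not an optional extra.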
> 3. Using CocoaPods with HTTP-based links instead of HTTPS might allow for Machine-in-the-Middle attacks during the download of the dependency, allowing an attacker to replace (parts of) the library with other content. Therefore, always use HTTPS.
> 3. Using CocoaPods with HTTP-based links instead of HTTPS might allow for Machine-in-the-Middle (MITM) attacks during the download of the dependency, allowing an attacker to replace (parts of) the library with other content. Therefore, always use HTTPS.
@@ -162,7 +162,7 @@ Hybrid applications based on Cordova do not support Certificate Pinning natively | |||
function errorCallback(message) { | |||
alert(message); | |||
if (message === "CONNECTION_NOT_SECURE") { | |||
// There is likely a man in the middle attack going on, be careful! | |||
// There is likely a Machine-in-the-Middle attack going on, be careful! |
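Review bot: the comment on the changed line is vague ("be careful!") inside a sample whose handler only calls `alert(message)`; since this callback is where the hardening advice is supposed to take effect, the comment should state what the handler must do, e.g. `// Certificate check failed, possible MITM: abort the request and do not fall back to an unpinned connection`. The acronym alone (MITM) is fine inside a code comment and keeps the line short.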
// There is likely a Machine-in-the-Middle attack going on, be careful!
// There is likely a MITM attack going on, be careful!
@@ -458,7 +458,7 @@ When testing a Xamarin app and when you are trying to set the system proxy in th | |||
WebRequest.DefaultWebProxy = new WebProxy("192.168.11.1", 8080); | |||
``` | |||
|
|||
- 2nd way: Use bettercap in order to get a man-in-the-middle position (MITM), see the section above about how to setup a MITM attack. When being MITM you only need to redirect port 443 to your interception proxy running on localhost. This can be done by using the command `rdr` on macOS: | |||
- 2nd way: Use bettercap in order to get a Machine-in-the-Middle position (MITM), see the section above about how to setup a MITM attack. When being MITM you only need to redirect port 443 to your interception proxy running on localhost. This can be done by using the command `rdr` on macOS: |
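Review bot: the parenthetical in the changed line is attached to the wrong word: "(MITM)" expands "Machine-in-the-Middle", not "position", so write `a Machine-in-the-Middle (MITM) position`. Same line: "how to setup" should be "how to set up" (verb), and "When being MITM" reads better as "Once you are in a MITM position".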
- 2nd way: Use bettercap in order to get a Machine-in-the-Middle position (MITM), see the section above about how to setup a MITM attack. When being MITM you only need to redirect port 443 to your interception proxy running on localhost. This can be done by using the command `rdr` on macOS:
- 2nd way: Use bettercap in order to get a MITM position, see the section above about how to setup a MITM attack. When being MITM you only need to redirect port 443 to your interception proxy running on localhost. This can be done by using the command `rdr` on macOS:
@@ -324,7 +324,7 @@ In both cases the AP needs to be configured to point to your host computer's IP. | |||
|
|||
#### Installation | |||
|
|||
The following procedure is setting up a man-in-the-middle position using an access point and an additional network interface: | |||
The following procedure is setting up a Machine-in-the-Middle position using an access point and an additional network interface: |
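Review bot: "is setting up" on the changed line should be "sets up"; the sentence introduces a procedure, not an action in progress. The term is also capitalised mid-sentence here, unlike the lowercase "man-in-the-middle" it replaces; agree on one casing across the PR so the same word does not appear three different ways in one chapter.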
The following procedure is setting up a Machine-in-the-Middle position using an access point and an additional network interface:
The following procedure is setting up a MITM position using an access point and an additional network interface:
|
||
Following scenarios are possible: | ||
|
||
- Use your host computer's built-in WiFi card as an access point and use your wired connection to connect to the target network. | ||
- Use an external USB WiFi card as an access point and use your host computer's built-in WiFi to connect to the target network (can be vice-versa). | ||
- Use a separate access point and redirect the traffic to your host computer. | ||
|
||
The scenario with an external USB WiFi card require that the card has the capability to create an access point. Additionally, you need to install some tools and/or configure the network to enforce a man-in-the-middle position (see below). You can verify if your WiFi card has AP capabilities by using the command `iwconfig` on Kali Linux: | ||
The scenario with an external USB WiFi card require that the card has the capability to create an access point. Additionally, you need to install some tools and/or configure the network to enforce a Machine-in-the-Middle position (see below). You can verify if your WiFi card has AP capabilities by using the command `iwconfig` on Kali Linux: |
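Review bot: the changed line carries over a subject-verb disagreement from the original, "The scenario with an external USB WiFi card require" should be "requires"; since the line is being edited anyway, fix it in the same commit. Also, the Installation paragraph a few lines above already uses the term, so this second mention can simply be "MITM position" rather than repeating the full phrase.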
The scenario with an external USB WiFi card require that the card has the capability to create an access point. Additionally, you need to install some tools and/or configure the network to enforce a Machine-in-the-Middle position (see below). You can verify if your WiFi card has AP capabilities by using the command `iwconfig` on Kali Linux:
The scenario with an external USB WiFi card require that the card has the capability to create an access point. Additionally, you need to install some tools and/or configure the network to enforce a MITM position (see below). You can verify if your WiFi card has AP capabilities by using the command `iwconfig` on Kali Linux:
@@ -291,21 +291,21 @@ On the mobile phone start the browser and navigate to `http://example.com`, you | |||
|
|||
If that's the case, you are now able to see the complete network traffic that is sent and received by the mobile phone. This includes also DNS, DHCP and any other form of communication and can therefore be quite "noisy". You should therefore know how to use [DisplayFilters in Wireshark](https://wiki.wireshark.org/DisplayFilters "DisplayFilters") or know [how to filter in tcpdump](https://danielmiessler.com/study/tcpdump/#gs.OVQjKbk "A tcpdump Tutorial and Primer with Examples") to focus only on the relevant traffic for you. | |||
|
|||
> Man-in-the-middle attacks work against any device and operating system as the attack is executed on OSI Layer 2 through ARP Spoofing. When you are MITM you might not be able to see clear text data, as the data in transit might be encrypted by using TLS, but it will give you valuable information about the hosts involved, the protocols used and the ports the app is communicating with. | |||
> Machine-in-the-Middle attacks work against any device and operating system as the attack is executed on OSI Layer 2 through ARP Spoofing. When you are MITM you might not be able to see clear text data, as the data in transit might be encrypted by using TLS, but it will give you valuable information about the hosts involved, the protocols used and the ports the app is communicating with. |
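Review bot: the first sentence of the changed blockquote over-generalises: "work against any device and operating system" is true of the ARP-spoofing case it describes (the victim only needs to share a Layer 2 segment with the attacker), but the access-point procedure elsewhere in this PR is a different MITM technique with different preconditions. Suggest `ARP-spoofing based MITM attacks work against any device and operating system because the attack operates on OSI Layer 2, below the victim's network stack.` Minor: "clear text" should be "cleartext", and "When you are MITM" reads better as "When you are in a MITM position".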
> Machine-in-the-Middle attacks work against any device and operating system as the attack is executed on OSI Layer 2 through ARP Spoofing. When you are MITM you might not be able to see clear text data, as the data in transit might be encrypted by using TLS, but it will give you valuable information about the hosts involved, the protocols used and the ports the app is communicating with.
> MITM attacks work against any device and operating system as the attack is executed on OSI Layer 2 through ARP Spoofing. When you are MITM you might not be able to see clear text data, as the data in transit might be encrypted by using TLS, but it will give you valuable information about the hosts involved, the protocols used and the ports the app is communicating with.
@@ -221,7 +221,7 @@ Some of the best practices include but are not limited to: | |||
|
|||
- **User agent:** | |||
- The user should have a way to visually verify trust (e.g., Transport Layer Security (TLS) confirmation, website mechanisms). | |||
- To prevent man-in-the-middle attacks, the client should validate the server's fully qualified domain name with the public key the server presented when the connection was established. | |||
- To prevent Machine-in-the-Middle attacks, the client should validate the server's fully qualified domain name with the public key the server presented when the connection was established. |
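Review bot: the changed bullet conflates two different checks: the fully qualified domain name is validated against the certificate's Subject Alternative Name (hostname verification), whereas comparing against "the public key the server presented" is key pinning. Suggest `the client should verify that the server certificate chains to a trusted root and that its Subject Alternative Name matches the server's fully qualified domain name; optionally, pin the expected public key.` Without the hostname check a valid certificate issued for any other domain would be accepted, which is exactly the MITM this bullet is meant to prevent.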
- To prevent Machine-in-the-Middle attacks, the client should validate the server's fully qualified domain name with the public key the server presented when the connection was established.
- To prevent Machine-in-the-Middle (MITM) attacks, the client should validate the server's fully qualified domain name with the public key the server presented when the connection was established.
This PR updates the term "Man-in-the-Middle" to "Machine-in-the-Middle" across the MASTG.
This change is part of a broader effort to remove gendered language from our documentation, following feedback we received some time ago. Our style guide now explicitly states that we should use gender-neutral terminology, and "man-in-the-middle" was one of the remaining terms that needed updating.
When evaluating alternatives, our primary goal was to maintain clear communication while also keeping the familiar acronym (MITM). We considered options like "adversary-in-the-middle" and "person-in-the-middle," but we wanted to preserve the "M" in MITM for consistency. Ultimately, we settled on "Machine-in-the-Middle" because, in most cases, even if an attack is orchestrated by a person, it is executed through a machine that intercepts communication.
To ensure clarity, we will continue to reference the original term but only in the definition of the MITM term.