A man-in-the-middle (MITM) attack is a cybersecurity threat in which a hacker monitors a communications channel between two parties and intercepts data payloads in transit. This occurs during client-server communication, or when two software programs transmit information back and forth (common in microservices architectures).
MITM attacks attempt to steal sensitive data in real time or perform other malicious actions, such as adding a fake "update needed" screen to drive malware installation. Hackers can also manipulate messages to alter conversations between two human users—or even trick users into performing actions that expose personal info and credentials. Deception and eavesdropping are hallmarks of MITM attacks.
However, a human hacker doesn't need to directly orchestrate an attack. Bots, malware programs, and other devices can capture data automatically for an attacker to inspect later on. Alternatively, they can automatically perform actions such as injecting advertisements into other pages.
This reality and cultural shifts in the industry have birthed new terminology for these MITM threats. Terms such as adversary-in-the-middle, on-path attacks, and others have gradually gained popularity.
How do man-in-the-middle (MITM) attacks work?
Man-in-the-middle attacks have both technical and social-engineering components. The misdirection baked into attacks (such as phishing or serving users counterfeit webpages) is often accompanied by code injection or other mechanisms that leverage website vulnerabilities.
They generally start by gaining access to a victim's network traffic or directing the victim to a fake domain that proxies to the real one. Once that is done, the attacker (or the attacker's software) selects the sites to target and uses tools to get around security, for example by attempting to rewrite HTTPS links to HTTP (sometimes replacing the favicon with a padlock icon to avoid notice). Finally, they collect passwords, cookies, and/or OTP codes for their own gain.
A number of methods are used to support MITM attacks:
Domain impersonation, where an attacker gets a victim to access a dangerous URL similar to one they were expecting. This false site then proxies to the real one after information is stolen or modified
IP address and Address Resolution Protocol (ARP) spoofing, where an improperly secured network routes a victim's traffic to an attacker instead of the desired address
DNS record spoofing, to serve an attacker's IP address instead of the true IP address for a given resource
SSL/TLS disruption, to prevent HTTPS connections from being established and steal data in the clear. Attackers replace HTTPS links with HTTP versions on insecure websites to modify or steal a visitor's data.
HTTPS spoofing, where attackers serve clients a fake HTTPS certificate and convince them to accept it via social engineering. This method relies on users accepting a browser's security warning and continuing anyway, or on a malicious certificate authority being loaded onto the system (or an existing one being abused).
There are also several different types of MITM attack:
WiFi eavesdropping – Hackers can operate infected, cleverly named public hotspots and networks that look official, baiting unsuspecting users to connect and compromise their security.
Session hijacking – Hackers steal a user's session cookies to grab embedded information, or impersonate other online entities for a relatively short period of time.
Email hijacking – Hackers can impersonate a legitimate business via email (using what appears to be a legitimate address) to monitor transactions or solicit personal details. This is common in sensitive industries such as real estate (sending payments to falsified routing numbers), banking, and government.
While man-in-the-middle attacks widely vary, important countermeasures such as HTTP Strict Transport Security (HSTS) and end-to-end encryption can help keep attackers at bay.
How does HAProxy address man-in-the-middle (MITM) attacks?
HAProxy offers multiple measures to combat MITM attacks. Our products deliver widespread HTTPS support—including easy inclusion of the Strict-Transport-Security response header—and configurable redirects to help prevent malicious activity.
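As an added illustration (not configuration from this page or from HAProxy's own documentation), the following HAProxy configuration shows the two countermeasures discussed above working together: plain-HTTP requests are redirected to HTTPS so that an HTTPS-to-HTTP downgrade has nothing to land on, and every HTTPS response carries a Strict-Transport-Security header so returning browsers refuse to use HTTP at all. The certificate path, backend address, and frontend/backend names are assumptions for the example.

```haproxy
# Added example configuration; names and paths below are assumed, not from the page.

frontend fe_web
    # Listen on both plain HTTP and HTTPS; the certificate path is a placeholder.
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/example.pem alpn h2,http/1.1

    # Countermeasure 1: never serve content over plain HTTP.
    # Any request that did not arrive over TLS (ssl_fc is false) gets a
    # permanent redirect to the same URL with the https:// scheme, so a
    # downgraded link cannot reach the application over HTTP.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Countermeasure 2: HTTP Strict Transport Security.
    # Only set on responses that actually travelled over TLS (browsers ignore
    # HSTS received over HTTP). max-age is one year in seconds; includeSubDomains
    # extends the policy to every subdomain of the host that set it.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains" if { ssl_fc }

    default_backend be_app

backend be_app
    # Assumed application server address.
    server app1 127.0.0.1:8080 check
```

Two design notes: the redirect uses `code 301` rather than the default 302 so that browsers cache the HTTP-to-HTTPS mapping, and the HSTS header is conditioned on `{ ssl_fc }` because a header set on the redirect response itself would be sent over plain HTTP, where browsers are required to discard it. Start with a short max-age while rolling the policy out, since a long max-age on a host that later needs plain HTTP locks clients out until it expires.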
To learn more about MITM mitigation in HAProxy, check out our HAProxy & HTTP Strict Transport Security (HSTS) blog post or our HTTP redirects documentation.