Man-in-the-Middle Injection
Man-in-the-Middle (MitM) Injection is a sophisticated Content Injection subtechnique within the Gain Access tactic where an attacker intercepts communication between two parties and actively injects malicious content without either party's knowledge. During this attack, the adversary positions themselves between a client and server, intercepting legitimate traffic and then modifying the data stream to introduce malicious payloads such as JavaScript, HTML, or even binary content. This technique exploits weaknesses in network security, unencrypted communications, flawed certificate validation, or compromised network infrastructure. Successful MitM injections can lead to session hijacking, credential theft, malicious redirects, or the execution of arbitrary code in the victim's browser context, ultimately granting the attacker unauthorized access to applications or systems. Unlike other Content Injection methods that target vulnerabilities in the application itself, MitM Injection operates at the network level, making it particularly dangerous for users on unsecured networks or when TLS/SSL implementations are improperly configured.
Mitigations
ID | Mitigation | Description
--- | --- | ---
M1037 | Filter Network Traffic | Enforce HSTS, certificate pinning, and mTLS to prevent downgrade to plaintext where injection is possible.
M1040 | Behavior Prevention on Endpoint | Deploy client-side script integrity checks (SRI) and CSP to block execution of unauthorised injected resources.
Detection
ID | Data Source | Detection
--- | --- | ---
DS0029 | Network Traffic Content | Detect certificate mismatches, unexpected CAs, or mixed-content warnings in TLS sessions indicative of MITM interception.
DS0042 | User Interface | Collect client telemetry for script integrity errors (e.g., SRI hash mismatch) signalling injected code.