Cyber Security: What is a Man-in-the-Middle Attack?

A man-in-the-middle (MitM) attack is a category of interception in which an attacker secretly positions themselves between two communicating parties, relaying messages and often modifying them, while each party believes they are talking directly to the other. The attacker can read confidential data, harvest credentials, inject malicious payloads, or downgrade encrypted sessions to weaker variants.

How MitM attacks work

The attacker establishes a position on the network path between the victims. This can be achieved on a local network through ARP spoofing or DHCP poisoning, on Wi-Fi through a rogue access point that mimics a legitimate SSID, on the internet through DNS hijacking or BGP route manipulation, and in TLS sessions through stolen or rogue certificate authorities. Once positioned, the attacker terminates the victim's connection on one side, opens a parallel connection to the real destination, and acts as a transparent proxy.

Common techniques

ARP spoofing sends forged Address Resolution Protocol responses on a LAN so that traffic intended for a gateway is delivered to the attacker first.
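The observable side effect of ARP spoofing is that the gateway's IP address suddenly resolves to a different MAC, and that one MAC starts claiming several IPs at once. The following script, added here as an illustration and not part of the original article, runs that check over a constructed log of ARP replies (timestamp, sender IP, sender MAC). The gateway address, the MACs and the log format are all assumptions made for the example; a known-good mapping for the gateway can be passed in the way dynamic ARP inspection uses DHCP snooping bindings.

```python
"""Passive ARP spoofing detector over a stream of ARP replies (added example).

Each input line is "<timestamp> <sender_ip> <sender_mac>", a format assumed
for this example. Two heuristics are applied:
  1. an IP whose MAC changes from the trusted (or first-seen) value, and
  2. a single MAC answering for more than one IP.
"""
from collections import defaultdict
from typing import NamedTuple


class ArpReply(NamedTuple):
    ts: float
    sender_ip: str
    sender_mac: str


# Constructed sample: 192.168.1.1 is the gateway (MAC 00:11:22:33:44:01);
# from t=5.0 a second MAC starts answering for both the gateway and a host.
SAMPLE_REPLIES = [
    "1.0 192.168.1.1 00:11:22:33:44:01",
    "1.2 192.168.1.10 00:11:22:33:44:0a",
    "5.0 192.168.1.1 de:ad:be:ef:00:01",
    "5.5 192.168.1.10 de:ad:be:ef:00:01",
    "6.0 192.168.1.1 de:ad:be:ef:00:01",
]

# Known-good binding, e.g. taken from the DHCP server or switch configuration.
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def parse_reply(line):
    """Parse one log line into an ArpReply; MACs are normalised to lower case."""
    ts, ip, mac = line.split()
    return ArpReply(float(ts), ip, mac.lower())


def detect_arp_spoofing(lines, trusted=None):
    """Return a list of alert tuples for the indicators described above.

    ("mac_change", ip, expected_mac, observed_mac) is emitted every time an IP
    is claimed by a MAC other than its trusted or first-seen one;
    ("multi_ip", mac, [ips]) is emitted once per MAC that claims several IPs.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen = {}                 # ip -> first MAC observed for it
    ips_by_mac = defaultdict(set)   # mac -> set of IPs it has claimed
    flagged_macs = set()
    alerts = []
    for line in lines:
        r = parse_reply(line)
        expected = trusted.get(r.sender_ip) or first_seen.setdefault(r.sender_ip, r.sender_mac)
        if r.sender_mac != expected:
            alerts.append(("mac_change", r.sender_ip, expected, r.sender_mac))
        ips_by_mac[r.sender_mac].add(r.sender_ip)
        if len(ips_by_mac[r.sender_mac]) > 1 and r.sender_mac not in flagged_macs:
            flagged_macs.add(r.sender_mac)
            alerts.append(("multi_ip", r.sender_mac, sorted(ips_by_mac[r.sender_mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(alert)
```

On the sample data the detector reports the gateway MAC changing at t=5.0 and again at t=6.0, the host's MAC changing at t=5.5, and the second MAC claiming two IPs. Without the trusted binding the first-seen value plays the same role, which is weaker: an attacker already present when monitoring starts would be taken as the baseline.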

Evil twin Wi-Fi broadcasts a network with the same name as a trusted hotspot. Devices that have connected before may automatically join and route traffic through the rogue access point.

SSL stripping intercepts HTTP-to-HTTPS redirects and keeps the user on plain HTTP, allowing the attacker to read everything in the clear.

Session hijacking steals a valid session cookie, often during an active MitM, and replays it to take over the authenticated session.

Defending against MitM

End-to-end encryption with proper certificate validation is the strongest control. Enforce HSTS so browsers refuse plain-HTTP downgrade. Use certificate transparency monitoring and certificate pinning for high-value services. Disable insecure protocols such as TLS 1.0 and SSLv3. Discourage users from accessing sensitive services over untrusted Wi-Fi without a VPN. On internal networks, use dynamic ARP inspection and DHCP snooping at the switch layer to prevent local spoofing.

Related terms

See also: ARP scan, SSL, and wireless network penetration testing.
