Chapter 48 Β· Concepts

On-Path Attack Concepts

ARP operation, ARP poisoning mechanics, on-path vs. on-path browser comparison, and the defense stack in structured reference format.

On-Path Attack vs. On-Path Browser Attack β€” Side-by-Side

PropertyOn-Path Attack (ARP Poisoning)On-Path Browser Attack
Attack LocationNetwork β€” attacker device on the same subnetLocal β€” malware on the victim's own device
MechanismARP cache poisoning redirects traffic through attacker's deviceBrowser-hooking malware intercepts before/after encryption
ScopeAll traffic between two network devices on the same subnetAll browser activity on the infected device
HTTPS Bypassed?Not directly β€” HTTPS content is still encrypted; attacker sees ciphertext unless they also strip TLSYes β€” malware intercepts before TLS encryption and after decryption; plaintext is exposed
Victim AwarenessNone β€” traffic still reaches intended destinationNone β€” browser shows legitimate site; padlock is present
Attacker Location RequiredSame subnet as victimsAnywhere β€” malware delivered remotely
Detection MethodARP cache inspection, anomalous ARP traffic in packet captureEndpoint security; behavioral analysis of browser process
Primary MitigationDynamic ARP Inspection (DAI), network segmentationEndpoint protection, patching, out-of-band transaction verification

Normal ARP Operation β€” Step by Step

1. Laptop needs to reach the router β€” Laptop (IP: 192.168.1.9, MAC: …38:d5) wants to send traffic to the router at 192.168.1.1; checks ARP cache; no entry found
2. ARP broadcast β€” Laptop broadcasts ARP request to entire subnet: "Who has IP 192.168.1.1? Tell me your MAC address." All devices on the subnet receive this frame
3. Router responds β€” Router (IP: 192.168.1.1, MAC: …BB:FE) recognizes its own IP; sends unicast ARP reply directly to the laptop: "I am 192.168.1.1, my MAC is BB:FE"
4. ARP cache update β€” Laptop stores the mapping in its ARP cache: 192.168.1.1 β†’ BB:FE; subsequent traffic to 192.168.1.1 uses MAC BB:FE without broadcasting again
5. Communication proceeds β€” Laptop frames are addressed to MAC BB:FE; switch delivers them to the router; router processes them and replies; traffic flows normally

ARP Poisoning Attack β€” Step by Step

1. Attacker joins the subnet β€” Attacker device (IP: 192.168.1.14, MAC: …EE:FF) connects to the same local subnet as the target laptop and router; no special access required
2. Send forged ARP reply to laptop β€” Attacker sends unsolicited ARP reply to the laptop: "I am 192.168.1.1, my MAC is EE:FF." No ARP request was made β€” the attacker initiates this unprompted. The laptop receives it and updates its ARP cache: 192.168.1.1 β†’ EE:FF (overwrites BB:FE)
3. Send forged ARP reply to router β€” Attacker simultaneously sends unsolicited ARP reply to the router: "I am 192.168.1.9, my MAC is EE:FF." Router updates its ARP cache: 192.168.1.9 β†’ EE:FF (overwrites 38:d5)
4. Traffic redirected through attacker β€” Laptop sends traffic to "the router" β€” looks up 192.168.1.1, gets EE:FF, delivers frames to attacker. Router sends traffic to "the laptop" β€” looks up 192.168.1.9, gets EE:FF, delivers frames to attacker
5. Attacker relays traffic β€” Attacker reads all intercepted traffic, then forwards it to the real destination using the real MAC addresses; both endpoints receive their traffic normally and neither detects the interception
6. Continuous poisoning β€” ARP cache entries expire; attacker repeatedly sends poisoned ARP replies to keep both caches updated with the false MAC address and maintain the on-path position indefinitely

ARP β€” Why No Authentication

ARP was designed in the early 1980s when networks were small, trusted environments. The protocol has no provision for verifying that an ARP reply actually comes from the device that legitimately holds the IP address claimed. Any device can send an ARP reply claiming any IP. Receiving devices have no mechanism to check the claim's authenticity β€” they simply update their caches with whatever they receive.

This is a protocol design limitation, not a bug or misconfiguration. ARP poisoning attacks have been known for decades and remain viable on networks that haven't deployed switch-level controls like Dynamic ARP Inspection. The fundamental ARP protocol itself has never been modified to add authentication β€” the fix is implemented at the switch layer, not in the protocol.

Subnet boundary constraint: ARP only operates within a single Layer 2 network segment (subnet). ARP frames are not routed β€” they cannot cross router boundaries. An attacker must be physically on the same subnet as both victims. This is why network segmentation is a critical defense.

On-Path Browser Attack β€” How It Bypasses HTTPS

1. Malware delivery β€” Victim installs browser-hooking malware via phishing email, drive-by download, or fake software update; malware integrates into the browser at the API level
2. Intercept point β€” before encryption β€” Browser application formats a request (login credentials, bank transfer); before it reaches the TLS layer for encryption, the malware intercepts it in plaintext
3. Normal HTTPS flow continues β€” Malware allows the traffic to proceed; TLS encrypts it normally; the server receives a legitimate HTTPS request; certificate is valid; everything looks normal from the network perspective
4. Intercept point β€” after decryption β€” Server's HTTPS response arrives; TLS decrypts it; before the browser renders it to the user, the malware intercepts the plaintext response
5. Malicious action β€” Malware waits for banking login success; captures session token; silently initiates a background transaction (fund transfer) using the active session; victim's browser shows normal account page
6. Invisible to network monitoring β€” The attack is entirely local to the victim's device; packet captures, network security tools, and firewall logs show only legitimate HTTPS traffic; the attack is undetectable from the network layer

Why HTTPS Doesn't Stop On-Path Browser Attacks

HTTPS (TLS) creates an encrypted tunnel between the browser and the server. This protects data in transit β€” an attacker intercepting network traffic sees only ciphertext. But HTTPS operates at the TLS layer, between the browser and the network.

An on-path browser attack installs itself between the browser's application logic and the TLS layer β€” above the encryption. The malware sees all data before it enters the encrypted tunnel (outbound) and after it exits the tunnel (inbound). From the browser's perspective, it's communicating with the legitimate server over a legitimate HTTPS connection. From the server's perspective, it's receiving legitimate requests from the legitimate user. The padlock icon is accurate β€” the connection is encrypted. But the malware is reading the plaintext on both sides of the encryption.

Exam tip: "HTTPS prevents all on-path attacks" is false. HTTPS prevents network-layer interception of data in transit. It does not prevent on-path browser attacks, which operate inside the victim's own device before encryption is applied.

Defense Stack

ControlAttack AddressedHow
Dynamic ARP Inspection (DAI)ARP poisoningSwitch validates ARP replies against the DHCP snooping binding table; drops spoofed ARP entries; attacker's poisoned ARP replies never reach victims' caches
DHCP SnoopingARP poisoning (supports DAI)Builds the trusted IP-to-MAC-to-port binding table that DAI uses for validation; also prevents rogue DHCP servers
Network Segmentation / VLANsARP poisoningARP operates within a subnet boundary; separating devices into different VLANs prevents an attacker on one segment from poisoning devices on another
Static ARP EntriesARP poisoningManually configured ARP mappings for critical devices (routers, servers) cannot be overwritten by received ARP replies; prevents poisoning of those specific entries
802.1X Port AuthenticationARP poisoningEnsures only authenticated devices can connect to network ports; prevents attacker from connecting a rogue device to the network
HTTPS / TLSNetwork-layer on-path attacksEncrypts data in transit; a network-level on-path attacker sees ciphertext rather than plaintext; does not stop on-path browser attacks
Endpoint Protection SoftwareOn-path browser attacksDetects and removes browser-hooking malware before it can intercept sessions; behavioral analysis identifies API-hooking patterns
Patching / UpdatesOn-path browser attacksMost browser malware exploits known, patched vulnerabilities; keeping browsers and OS current closes the delivery vector
Out-of-Band Transaction VerificationOn-path browser attacksSMS or separate app confirmation for financial transactions; browser malware can't intercept a confirmation sent to a separate device

ARP Poisoning β€” Subnet Boundary Limitation

ScenarioARP Poisoning Possible?Why
Attacker on same /24 subnet as victimYesARP operates within the subnet; attacker can send ARP replies to all devices on the segment
Attacker on a different VLANNoVLANs are separate Layer 2 domains; ARP frames don't cross VLAN boundaries
Attacker on a different subnet, separated by a routerNoRouters do not forward ARP frames; ARP is scoped to one network segment
Attacker connected to same physical switch, same VLANYesSame Layer 2 domain; ARP frames reach all ports in the VLAN
Attacker connected via VPN to the internal networkDependsIf the VPN gives the attacker an IP on the target subnet without Layer 2 isolation, ARP may be reachable; properly implemented VPN gateways segment Layer 2