On-Path Attack vs. On-Path Browser Attack β Side-by-Side
| Property | On-Path Attack (ARP Poisoning) | On-Path Browser Attack |
|---|---|---|
| Attack Location | Network β attacker device on the same subnet | Local β malware on the victim's own device |
| Mechanism | ARP cache poisoning redirects traffic through attacker's device | Browser-hooking malware intercepts before/after encryption |
| Scope | All traffic between two network devices on the same subnet | All browser activity on the infected device |
| HTTPS Bypassed? | Not directly β HTTPS content is still encrypted; attacker sees ciphertext unless they also strip TLS | Yes β malware intercepts before TLS encryption and after decryption; plaintext is exposed |
| Victim Awareness | None β traffic still reaches intended destination | None β browser shows legitimate site; padlock is present |
| Attacker Location Required | Same subnet as victims | Anywhere β malware delivered remotely |
| Detection Method | ARP cache inspection, anomalous ARP traffic in packet capture | Endpoint security; behavioral analysis of browser process |
| Primary Mitigation | Dynamic ARP Inspection (DAI), network segmentation | Endpoint protection, patching, out-of-band transaction verification |
Normal ARP Operation β Step by Step
ARP Poisoning Attack β Step by Step
ARP β Why No Authentication
ARP was designed in the early 1980s when networks were small, trusted environments. The protocol has no provision for verifying that an ARP reply actually comes from the device that legitimately holds the IP address claimed. Any device can send an ARP reply claiming any IP. Receiving devices have no mechanism to check the claim's authenticity β they simply update their caches with whatever they receive.
This is a protocol design limitation, not a bug or misconfiguration. ARP poisoning attacks have been known for decades and remain viable on networks that haven't deployed switch-level controls like Dynamic ARP Inspection. The fundamental ARP protocol itself has never been modified to add authentication β the fix is implemented at the switch layer, not in the protocol.
Subnet boundary constraint: ARP only operates within a single Layer 2 network segment (subnet). ARP frames are not routed β they cannot cross router boundaries. An attacker must be physically on the same subnet as both victims. This is why network segmentation is a critical defense.
On-Path Browser Attack β How It Bypasses HTTPS
Why HTTPS Doesn't Stop On-Path Browser Attacks
HTTPS (TLS) creates an encrypted tunnel between the browser and the server. This protects data in transit β an attacker intercepting network traffic sees only ciphertext. But HTTPS operates at the TLS layer, between the browser and the network.
An on-path browser attack installs itself between the browser's application logic and the TLS layer β above the encryption. The malware sees all data before it enters the encrypted tunnel (outbound) and after it exits the tunnel (inbound). From the browser's perspective, it's communicating with the legitimate server over a legitimate HTTPS connection. From the server's perspective, it's receiving legitimate requests from the legitimate user. The padlock icon is accurate β the connection is encrypted. But the malware is reading the plaintext on both sides of the encryption.
Exam tip: "HTTPS prevents all on-path attacks" is false. HTTPS prevents network-layer interception of data in transit. It does not prevent on-path browser attacks, which operate inside the victim's own device before encryption is applied.
Defense Stack
| Control | Attack Addressed | How |
|---|---|---|
| Dynamic ARP Inspection (DAI) | ARP poisoning | Switch validates ARP replies against the DHCP snooping binding table; drops spoofed ARP entries; attacker's poisoned ARP replies never reach victims' caches |
| DHCP Snooping | ARP poisoning (supports DAI) | Builds the trusted IP-to-MAC-to-port binding table that DAI uses for validation; also prevents rogue DHCP servers |
| Network Segmentation / VLANs | ARP poisoning | ARP operates within a subnet boundary; separating devices into different VLANs prevents an attacker on one segment from poisoning devices on another |
| Static ARP Entries | ARP poisoning | Manually configured ARP mappings for critical devices (routers, servers) cannot be overwritten by received ARP replies; prevents poisoning of those specific entries |
| 802.1X Port Authentication | ARP poisoning | Ensures only authenticated devices can connect to network ports; prevents attacker from connecting a rogue device to the network |
| HTTPS / TLS | Network-layer on-path attacks | Encrypts data in transit; a network-level on-path attacker sees ciphertext rather than plaintext; does not stop on-path browser attacks |
| Endpoint Protection Software | On-path browser attacks | Detects and removes browser-hooking malware before it can intercept sessions; behavioral analysis identifies API-hooking patterns |
| Patching / Updates | On-path browser attacks | Most browser malware exploits known, patched vulnerabilities; keeping browsers and OS current closes the delivery vector |
| Out-of-Band Transaction Verification | On-path browser attacks | SMS or separate app confirmation for financial transactions; browser malware can't intercept a confirmation sent to a separate device |
ARP Poisoning β Subnet Boundary Limitation
| Scenario | ARP Poisoning Possible? | Why |
|---|---|---|
| Attacker on same /24 subnet as victim | Yes | ARP operates within the subnet; attacker can send ARP replies to all devices on the segment |
| Attacker on a different VLAN | No | VLANs are separate Layer 2 domains; ARP frames don't cross VLAN boundaries |
| Attacker on a different subnet, separated by a router | No | Routers do not forward ARP frames; ARP is scoped to one network segment |
| Attacker connected to same physical switch, same VLAN | Yes | Same Layer 2 domain; ARP frames reach all ports in the VLAN |
| Attacker connected via VPN to the internal network | Depends | If the VPN gives the attacker an IP on the target subnet without Layer 2 isolation, ARP may be reachable; properly implemented VPN gateways segment Layer 2 |