ALPACA, a new type of Man in the middle attack in HTTPS

The news was recently released by a group of researchers from various universities in Germany, the oness has developed a new MITM attack method against HTTPS, which allows to extract cookies with session IDs and other sensitive data, as well as to execute arbitrary JavaScript code in the context of another site.

The attack is called ALPACA and can be applied to TLS servers They implement different application layer protocols (HTTPS, SFTP, SMTP, IMAP, POP3), but use common TLS certificates.

The essence of the attack is that if there is control over a gateway network or wireless access point, an attacker can redirect traffic to a different network port and arrange to establish a connection not to an HTTP server, but to an FTP or mail server that supports TLS encryption.

Since the protocol TLS is universal and not tied to application-level protocols, the establishment of an encrypted connection for all services is identical and an error when sending a request to the wrong service can be detected only after the establishment of an encrypted session during processing. of the commands of the submitted request.

In consecuense, if, for example, redirect a user's connection, initially directed to HTTPS, to a mail server using a common certificate with the HTTPS server, the TLS connection will be successfully established, but the mail server will not be able to process the transmitted HTTP commands and will return a response with an error code. This response will be processed by the browser as a response from the requested site, transmitted within a properly established encrypted communication channel.

Three attack options are proposed:

  1. «Upload» to retrieve the Cookie with authentication parameters: The method is applicable if the FTP server covered by the TLS certificate allows you to download and retrieve your data. In this variant of the attack, an attacker can achieve the preservation of parts of the user's original HTTP request, such as the content of the Cookie header, for example, if the FTP server interprets the request as a file to save or registers it by full. incoming requests. For a successful attack, an attacker needs to somehow retrieve the stored content. The attack is applicable to Proftpd, Microsoft IIS, vsftpd, filezilla, and serv-u.
  2. Download for cross-site scripting (XSS): The method implies that an attacker, as a result of some independent manipulations, can put data into a service using a common TLS certificate, which can then be issued in response to a request from the user. The attack is applicable to the aforementioned FTP servers, IMAP servers and POP3 servers (courier, cyrus, kerio-connect and zimbra).
  3. Reflection to run JavaScript in the context of another site: The method is based on returning a part of the request to the client, which contains the JavaScript code sent by the attacker. The attack is applicable to the aforementioned FTP servers, the cyrus, kerio-connect and zimbra IMAP servers, as well as the sendmail SMTP server.

Eg when a user opens a page controlled by an attacker, a request for a resource can be initiated from a site where the user has an active account from this page. In a MITM attack, This request to the website can be redirected to a mail server that shares a TLS certificate.

Since the mail server does not log out after the first error, the service headers and commands will be processed as unknown commands.

The mail server does not parse the details of the HTTP protocol and for this the service headers and the data block of the POST request are processed in the same way, therefore in the body of the POST request you can specify a line with the command to the mail server.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.