Man-in-the-Middle (On-Path) Attacks | AP Cybersecurity

Unit 3 • Topic 3.1 • Network Vulnerabilities and Attacks

Man-in-the-Middle (On-Path) Attacks Explained

A man-in-the-middle (on-path) attack places an adversary between two communicating parties so that the adversary can read or alter the traffic. On a local network, ARP spoofing is a common way to get there.

On-path: attacker sits in the middle
Reads / alters: intercepted traffic
TLS: defeats reading the data
[Diagram: You ↔ Attacker (on-path) ↔ Server]
An on-path attacker relays traffic between two parties, reading or altering it.

How an on-path attack works

In a man-in-the-middle attack, the adversary positions themselves so that all traffic between two parties passes through them. They can silently read it, or alter it before passing it along. On a LAN, ARP spoofing is the usual method: the attacker tricks both sides into sending traffic to the attacker's MAC address.

Public or unsecured networks make this easier, which connects back to the public Wi-Fi risks in Unit 1.

Scenario

On an open network, an attacker captures a victim's unencrypted login as it passes through. What attack is this?

Answer

A man-in-the-middle (on-path) attack. The attacker sits between the victim and the server and reads the unencrypted traffic in transit.

Exam tip

On-path attacks intercept traffic in transit. The defense that matters most is encryption (TLS): even if intercepted, the data is unreadable.

Why encryption is the key defense

Encryption does not stop an attacker from sitting on-path, but it makes the intercepted traffic useless: they capture ciphertext, not credentials. This is why HTTPS and VPNs matter on untrusted networks.

Other defenses reduce the chance of getting on-path in the first place: strong wireless security, network segmentation, and detecting ARP anomalies.
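
One way to detect the ARP anomalies mentioned above, shown as an added example that is not part of the original page: it checks observed ARP replies for an IP address whose MAC changes and for one MAC answering for several IPs. The input format, the addresses and the function name `find_arp_anomalies` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of ARP replies observed on a LAN: (seconds, sender IP,
# sender MAC). All addresses are made up for illustration.
SAMPLE_REPLIES = [
    (1,  "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # gateway
    (2,  "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # workstation
    (3,  "192.168.1.66", "aa:aa:aa:aa:aa:66"),  # another host
    (30, "192.168.1.1",  "AA:AA:AA:AA:AA:66"),  # gateway IP, different MAC
    (30, "192.168.1.20", "aa:aa:aa:aa:aa:66"),  # workstation IP, same new MAC
    (31, "192.168.1.1",  "aa:aa:aa:aa:aa:66"),  # repeated claim
]


def find_arp_anomalies(replies):
    """Return findings as (kind, subject, detail) tuples.

    binding-changed: an IP is now claimed by a MAC other than the first one
                     learned for it (trust-on-first-use baseline).
    shared-mac:      one MAC answers for several IPs, which is what both
                     sides see when traffic is steered to a single host.
    Both also occur legitimately (DHCP reassignment, replaced NICs, failover
    pairs, routers), so findings are leads to triage, not verdicts.
    """
    baseline = {}                  # ip -> first MAC seen
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
    reported = set()               # (ip, mac) pairs already flagged
    findings = []

    for _ts, ip, mac in replies:
        mac = mac.lower()          # MACs compare case-insensitively
        known = baseline.setdefault(ip, mac)
        if mac != known and (ip, mac) not in reported:
            reported.add((ip, mac))
            findings.append(("binding-changed", ip, f"{known} -> {mac}"))
        ips_by_mac[mac].add(ip)

    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", mac, ", ".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in find_arp_anomalies(SAMPLE_REPLIES):
        print(*finding, sep=" | ")
```

On the sample, the gateway and workstation addresses both move to the same MAC within seconds, which matches the "both sides tricked" pattern described in the section on how an on-path attack works.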

Scenario

A victim logs in over HTTPS while an attacker is on-path. What does the attacker see?

Answer

Encrypted traffic only. The attacker can see that communication is happening but cannot read the login, because TLS encrypts it in transit.

Real-world example

On-path attacks on open Wi-Fi

Researchers routinely demonstrate intercepting unencrypted traffic on open networks by getting on-path, often via ARP spoofing on a shared LAN. Encryption is what keeps the captured data useless.

Encryption protects the data, not the positioning.

Key Terms

Man-in-the-middle: An attacker positioned between two parties' traffic.
On-path: Another name for a man-in-the-middle position.
ARP spoofing: Common way to get on-path on a local network.
TLS: Encryption that makes intercepted traffic unreadable.

Common Mistakes

Thinking encryption blocks the interception

Encryption does not stop on-path positioning; it makes the captured data unreadable.

Forgetting ARP spoofing enables it on a LAN

On a local network, ARP spoofing is the common path to a man-in-the-middle position.

Assuming only Wi-Fi is vulnerable

Wired LANs are also vulnerable via ARP spoofing.

Ignoring traffic alteration

On-path attackers can change traffic, not just read it.

Check for Understanding

Question 1
A man-in-the-middle attack succeeds when the attacker:
B. An on-path attacker positions themselves between two parties to read or alter traffic.
Question 2
On a local network, which attack commonly sets up a man-in-the-middle position?
B. ARP spoofing forges replies so both parties send traffic through the attacker.
Question 3
Why does TLS encryption help against on-path attacks?
A. Encryption does not prevent interception but makes the captured data useless to the attacker.
Question 4
Which statements are true? I. On-path attackers can alter traffic. II. Encryption stops interception entirely. III. Wired LANs can be vulnerable.
A. I and III are true. II is false: encryption protects the data, not the positioning.
Question 5
An attacker on an open network reads a victim's plaintext login in transit. This is a:
D. Reading traffic between two parties in transit is a man-in-the-middle (on-path) attack.
Question 6
Besides encryption, what reduces the chance of an on-path attack?
C. Strong wireless security and segmentation make it harder for an attacker to get on-path.

Frequently Asked Questions

An attack where the adversary positions themselves between two communicating parties so they can read or alter the traffic passing between them.
On a local network, ARP spoofing tricks both parties into routing traffic through the attacker, which is how the attacker gets on-path.
Encryption does not stop the attacker from intercepting traffic, but it makes the captured data unreadable, so they gain ciphertext rather than credentials.
