Yossi Gilad
Amir Herzberg
ABSTRACT
We present a practical off-path TCP-injection attack for connections between current, non-buggy browsers and web-servers. The attack allows web-cache poisoning with malicious objects; these objects can be cached for long time period, exposing any user of that cache to XSS, CSRF and phishing attacks.
In contrast to previous TCP-injection attacks, we assume neither vulnerabilities such as client-malware nor predictable choice of client port or IP-ID. We only exploit subtle details of HTTP and TCP specifications, and features of legitimate (and common) browser implementations. An empirical evaluation of our techniques with current versions of browsers shows that connections with popular websites are vulnerable. Our attack is modular, and its modules may improve other off-path attacks on TCP communication.
We present practical patches against the attack; however, the best defense is surely adoption of TLS, that ensures security even against the stronger Man-in-the-Middle attacker.
- Advanced Network Architecture Group. Spoofer Project. http://spoofer.csail.mit.edu/index.php, 2012.Google Scholar
- Alexa Web Information Company. Top Sites. http://www.alexa.com/topsites, 2012.Google Scholar
- S. Antonatos, P. Akritidis, V. T. Lam, and K. G. Anagnostakis. Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure. ACM Transactions on Information and System Security, 12(2):12:1--12:15, Dec. 2008. Google ScholarDigital Library
- F. Baker and P. Savola. Ingress Filtering for Multihomed Networks. RFC 3704 (Best Current Practice), Mar. 2004. Google ScholarDigital Library
- A. Barth. The Web Origin Concept. RFC 6454 (Proposed Standard), Dec. 2011.Google Scholar
- S. M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer Communication Review, 19(2):32--48, Apr. 1989. Google ScholarDigital Library
- S. M. Bellovin. A Look Back at "Security Problems in the TCP/IP Protocol Suite". In ACSAC, pages 229--249. IEEE Computer Society, 2004. Google ScholarDigital Library
- R. Beverly, A. Berger, Y. Hyun, and K. C. Claffy. Understanding the Efficacy of Deployed Internet Source Address Validation Filtering. In A. Feldmann and L. Mathy, editors, Internet Measurement Conference, pages 356--369. ACM, 2009. Google ScholarDigital Library
- W. Eddy. TCP SYN Flooding Attacks and Common Mitigations. RFC 4987 (Informational), Aug. 2007.Google Scholar
- T. Ehrenkranz and J. Li. On the State of IP Spoofing Defense. ACM Transactions on Internet Technology (TOIT), 9(2):6:1--6:29, 2009. Google ScholarDigital Library
- P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing. RFC 2827, May 2000. Google ScholarDigital Library
- R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol -- HTTP/1.1. RFC 2616 (Draft Standard), June 1999. Updated by RFCs 2817, 5785, 6266. Google ScholarDigital Library
- Y. Gilad and A. Herzberg. Off-Path Attacking the Web. In USENIX Workshop on Offensive Technologies, pages 41 -- 52, 2012. Google ScholarDigital Library
- F. Gont and S. Bellovin. Defending against Sequence Number Attacks. RFC 6528 (Proposed Standard), Feb. 2012.Google Scholar
- T. Jim, N. Swamy, and M. Hicks. Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. In C. L. Williamson, M. E. Zurko, P. F. Patel-Schneider, and P. J. Shenoy, editors, Proceedings of the 16th International Conference on World Wide Web, pages 601--610. ACM, 2007. Google ScholarDigital Library
- D. Kaminsky. Black Ops of TCP/IP. In Black Hat conference, Aug. 2011. http://dankaminsky.com/2011/08/05/bo2k11.Google Scholar
- T. Killalea. Recommended Internet Service Provider Security Services and Procedures. RFC 3013 (Best Current Practice), Nov. 2000. Google ScholarDigital Library
- A. Klein. Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics. White Paper, 2004.Google Scholar
- A. Klein. Web Cache Poisoning Attacks. In Encyclopedia of Cryptography and Security (2nd Ed.), pages 1373--1373. 2011.Google Scholar
- klm. Remote Blind TCP/IP Spoofing. Phrack magazine, 2007.Google Scholar
- M. Larsen and F. Gont. Recommendations for Transport-Protocol Port Randomization. RFC 6056 (Best Current Practice), Jan. 2011.Google Scholar
- J. Lemon. Resisting SYN Flood DoS Attacks with a SYN Cache. In S. J. Leffler, editor, BSDCon, pages 89--97. USENIX, 2002. Google ScholarDigital Library
- R. T. Morris. A Weakness in the 4.2BSD Unix TCP/IP Software. Technical report, AT&T Bell Laboratories, Feb. 1985.Google Scholar
- Paul Petefish, Eric Sheridan, and Dave Wichers. Cross-Site Request Forgery Prevention Cheat Sheet. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet, 2011.Google Scholar
- J. Postel. Transmission Control Protocol. RFC 793 (Standard), Sept. 1981.Google Scholar
- Z. Qian and Z. M. Mao. Off-Path TCP Sequence Number Inference Attack. In IEEE Symposium on Security and Privacy, pages 347--361, 2012. Google ScholarDigital Library
- Z. Qian, Z. M. Mao, and Y. Xie. Collaborative TCP Sequence Number Inference Attack: How to Crack Sequence Number Under a Second. In Proceedings of ACM Conference on Computer and Communications Security, CCS '12, pages 593--604, New York, NY, USA, 2012. ACM. Google ScholarDigital Library
- J. Ruderman. Same Origin Policy for JavaScript.https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript, 2001.Google Scholar
- T. Shimomura and J. Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw - by the Man Who Did It. Hyperion Press, 1st edition, 1995. Google ScholarDigital Library
- S. Stamm, B. Sterne, and G. Markham. Reining in the Web with Content Security Policy. In M. Rappa, P. Jones, J. Freire, and S. Chakrabarti, editors, Proceedings of the 19th International Conference on World Wide Web, pages 921--930. ACM, 2010. Google ScholarDigital Library
- The Open Web Application Security Project. Cache Poisoning. www.owasp.org/index.php/Cache_Poisoning, 2009.Google Scholar
- The Open Web Application Security Project. Cross-Site Request Forgery. https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF), 2010.Google Scholar
- J. Touch. Defending TCP Against Spoofing Attacks. RFC 4953 (Informational), July 2007.Google Scholar
- P. Watson. Slipping in the Window: TCP Reset Attacks. Presented at CanSecWest, 2004.Google Scholar
- M. Zalewski. Strange Attractors and TCP/IP Sequence Number Analysis.http://lcamtuf.coredump.cx/newtcp/, 2001.Google Scholar
- M. Zalewski. The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, San Francisco, CA, USA, 1st edition, 2011. Google ScholarDigital Library
Index Terms
- When tolerance causes weakness: the case of injection-friendly browsers
Recommendations
Off-Path TCP Injection Attacks
We present practical off-path TCP injection attacks for connections between current, nonbuggy browsers and Web servers. The attacks allow Web-cache poisoning with malicious objects such as spoofed Web pages and scripts; these objects can be cached for a ...
Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection
Financial Cryptography and Data SecurityA cross site request forgery (CSRF) attack occurs when a user's web browser is instructed by a malicious webpage to send a request to a vulnerable web site, resulting in the vulnerable web site performing actions not intended by the user. CSRF ...
Scriptless attacks: Stealing more pie without touching the sill
Web Application Security Web @ 25Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the members of security community worldwide. In the same way, a plethora of more or less effective defense techniques have been proposed, ...
Comments