Abstract
We present practical off-path TCP injection attacks for connections between current, non-buggy browsers and Web servers. The attacks allow Web-cache poisoning with malicious objects such as spoofed Web pages and scripts; these objects can be cached for a long period of time, exposing any user of that cache to cross-site scripting, cross-site request forgery, and phishing attacks.
In contrast to previous TCP injection attacks, we do not require man-in-the-middle (MitM) capabilities or malware running on the client machine. Instead, our attacks rely on a weaker assumption: that the user merely visits a malicious Web site, without downloading or installing any application. Our attacks exploit subtle details of the TCP and HTTP specifications, together with features of legitimate (and very common) browser implementations. An empirical evaluation of our techniques with current versions of browsers shows that connections with most popular Web sites are vulnerable.
We conclude this work with practical client- and server-end defenses against our attacks.
Index Terms
- Off-Path TCP Injection Attacks