We show how an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), cross-site request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either the web browser or the server, and while circumventing known defenses. The attacks are practical and require a puppet (a malicious script running in the browser sandbox) on a victim client machine, together with an attacker capable of IP spoofing on the Internet. Our attacks are based on a technique that allows an off-path attacker to efficiently learn the sequence numbers of both the client and the server in a TCP connection. This technique exploits the fact that many computers, in particular those running (any recent version of) Windows, use a global IP-ID counter, which provides a side channel allowing efficient exposure of the connection's sequence numbers. We present results of experiments evaluating the learning technique and the attacks that exploit it. We also present practical defenses that can be deployed at the firewall level, at either the client or the server end; no changes to existing TCP/IP stacks are required.