Off-path attacking the web

Yossi Gilad, Amir Herzberg

Research output: Contribution to conference, Paper, peer-review

28 Scopus citations

Abstract

We show how an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), cross-site request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either web-browser or server, and circumventing known defenses. The attacks are practical and require a puppet (malicious script in browser sandbox) running on a victim client machine, and an attacker capable of IP-spoofing on the Internet. Our attacks are based on a technique that allows an off-path attacker to efficiently learn the sequence numbers of both the client and server in a TCP connection. This technique exploits the fact that many computers, in particular those running (any recent version of) Windows, use a global IP-ID counter, which provides a side channel allowing efficient exposure of the connection sequence numbers. We present results of experiments evaluating the learning technique and the attacks that exploit it. We also present practical defenses that can be deployed at the firewall level, either at the client or server end; no changes to existing TCP/IP stacks are required.

Original language: English
State: Published - 2012
Event: 6th USENIX Workshop on Offensive Technologies, WOOT 2012 - Bellevue, United States
Duration: 6 Aug 2012 to 7 Aug 2012

Conference

Conference: 6th USENIX Workshop on Offensive Technologies, WOOT 2012
Country/Territory: United States
City: Bellevue
Period: 6/08/12 to 7/08/12

Bibliographical note

Publisher Copyright:
© 2012 USENIX Association. All rights reserved.

Funding

Many thanks to Amit Klein, Daniele Perito and the anonymous referees for their invaluable comments. This work was supported by grant 206703 of the Israeli Science Foundation.

Funders | Funder number
Israeli Science Foundation |
Israel Science Foundation |
