When tolerance causes weakness: the case of injection-friendly browsers

We present a practical off-path TCP-injection attack on connections between current, non-buggy browsers and web servers. The attack allows web-cache poisoning with malicious objects; these objects can be cached for a long time period, exposing every user of that cache to XSS, CSRF and phishing attacks. In contrast to previous TCP-injection attacks, we assume neither vulnerabilities such as client malware nor a predictable choice of client port or IP-ID. We exploit only subtle details of the HTTP and TCP specifications, together with features of legitimate (and common) browser implementations. An empirical evaluation of our techniques with current browser versions shows that connections to popular websites are vulnerable. Our attack is modular, and its modules may improve other off-path attacks on TCP communication. We present practical patches against the attack; however, the best defense is surely the adoption of TLS, which ensures security even against the stronger Man-in-the-Middle attacker.
