Association for Computing Machinery
The authors present a practical off-path TCP-injection attack on connections between current, non-buggy browsers and web servers. The attack allows web-cache poisoning with malicious objects; these objects can remain cached for a long period, exposing every user of that cache to XSS, CSRF and phishing attacks. In contrast to previous TCP-injection attacks, they assume neither vulnerabilities such as client malware nor a predictable choice of client port or IP-ID. They exploit only subtle details of the HTTP and TCP specifications, together with features of legitimate (and common) browser implementations.