{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:12:35Z","timestamp":1772039555619,"version":"3.50.1"},"reference-count":48,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2014,4,1]],"date-time":"2014-04-01T00:00:00Z","timestamp":1396310400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100003977","name":"Israel Science Foundation","doi-asserted-by":"publisher","award":["1354\/11"],"award-info":[{"award-number":["1354\/11"]}],"id":[{"id":"10.13039\/501100003977","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100021796","name":"Check Point Institute for Information Security","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100021796","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100006245","name":"Ministry of Science and Technology, Israel","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100006245","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2014,4]]},"abstract":"<jats:p>\n            We present practical off-path TCP injection attacks for connections between current, nonbuggy browsers and Web servers. 
The attacks allow\n            <jats:italic>Web-cache poisoning<\/jats:italic>\n            with malicious objects such as spoofed Web pages and scripts; these objects can be cached for a long period of time, exposing any user of that cache to\n            <jats:italic>cross-site scripting<\/jats:italic>\n            ,\n            <jats:italic>cross-site request forgery<\/jats:italic>\n            , and\n            <jats:italic>phishing<\/jats:italic>\n            attacks.\n          <\/jats:p>\n          <jats:p>In contrast to previous TCP injection attacks, we do not require MitM capabilities or malware running on the client machine. Instead, our attacks rely on a weaker assumption, that the user only enters a malicious Web site, but does not download or install any application. Our attacks exploit subtle details of the TCP and HTTP specifications, and features of legitimate (and very common) browser implementations. An empirical evaluation of our techniques with current versions of browsers shows that connections with most popular Web sites are vulnerable.<\/jats:p>\n          <jats:p>We conclude this work with practical client- and server-end defenses against our attacks.<\/jats:p>","DOI":"10.1145\/2597173","type":"journal-article","created":{"date-parts":[[2014,5,7]],"date-time":"2014-05-07T12:48:53Z","timestamp":1399466933000},"page":"1-32","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":26,"title":["Off-Path TCP Injection Attacks"],"prefix":"10.1145","volume":"16","author":[{"given":"Yossi","family":"Gilad","sequence":"first","affiliation":[{"name":"Bar-Ilan University"}]},{"given":"Amir","family":"Herzberg","sequence":"additional","affiliation":[{"name":"Bar-Ilan University"}]}],"member":"320","published-online":{"date-parts":[[2014,4]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Advanced Network Architecture Group. 2013. Spoofer project. http:\/\/spoofer.csail.mit.edu\/summary.php.  
Advanced Network Architecture Group. 2013. Spoofer project. http:\/\/spoofer.csail.mit.edu\/summary.php."},{"key":"e_1_2_1_2_1","unstructured":"Alexa Web Information Company. 2013. Top sites. http:\/\/www.alexa.com\/topsites.  Alexa Web Information Company. 2013. Top sites. http:\/\/www.alexa.com\/topsites."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455518.1455524"},{"key":"e_1_2_1_4_1","doi-asserted-by":"crossref","unstructured":"Baker F. and Savola P. 2004. Ingress Filtering for Multihomed Networks. RFC 3704 (Best Current Practice).   Baker F. and Savola P. 2004. Ingress Filtering for Multihomed Networks . RFC 3704 (Best Current Practice).","DOI":"10.17487\/rfc3704"},{"key":"e_1_2_1_5_1","doi-asserted-by":"crossref","unstructured":"Barth A. 2011. The Web Origin Concept. RFC 6454 (Proposed Standard).  Barth A. 2011. The Web Origin Concept . RFC 6454 (Proposed Standard).","DOI":"10.17487\/rfc6454"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455782"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/378444.378449"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2004.3"},{"key":"e_1_2_1_9_1","unstructured":"Bernstein D. J. 1996. SYN cookies. http:\/\/cr.yp.to\/syncookies.html.  Bernstein D. J. 1996. SYN cookies. http:\/\/cr.yp.to\/syncookies.html."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1644893.1644936"},{"key":"e_1_2_1_11_1","unstructured":"Browserscope. 2012. Browser comparison. http:\/\/www.browserscope.org.  Browserscope. 2012. Browser comparison. http:\/\/www.browserscope.org."},{"key":"e_1_2_1_12_1","doi-asserted-by":"crossref","unstructured":"Eddy W. 2007. TCP syn flooding attacks and common mitigations. RFC 4987 (Informational).  Eddy W. 2007. TCP syn flooding attacks and common mitigations. 
RFC 4987 (Informational).","DOI":"10.17487\/rfc4987"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/1516539.1516541"},{"key":"e_1_2_1_14_1","doi-asserted-by":"crossref","unstructured":"Ferguson P. and Senie D. 2000. Network ingress filtering: Defeating denial of service attacks which employ ip source address spoofing. RFC 2827 (Best Current Practice). Updated by RFC 3704.   Ferguson P. and Senie D. 2000. Network ingress filtering: Defeating denial of service attacks which employ ip source address spoofing. RFC 2827 (Best Current Practice). Updated by RFC 3704.","DOI":"10.17487\/rfc2827"},{"key":"e_1_2_1_15_1","doi-asserted-by":"crossref","unstructured":"Fielding R. Gettys J. Mogul J. Frystyk H. Masinter L. Leach P. and Berners-Lee T. 1999. Hypertext transfer protocol -- Http\/1.1. RFC 2616 (Draft Standard).   Fielding R. Gettys J. Mogul J. Frystyk H. Masinter L. Leach P. and Berners-Lee T. 1999. Hypertext transfer protocol -- Http\/1.1. RFC 2616 (Draft Standard).","DOI":"10.17487\/rfc2616"},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the USENIX Workshop on Offensive Technologies. USENIX Association","author":"Gilad Y."},{"key":"e_1_2_1_17_1","unstructured":"Gilad Y. and Herzberg A. 2013a. Puppet code (java script). http:\/\/u.cs.biu.ac.il\/_herzbea\/security\/code\/puppet-example.js.  Gilad Y. and Herzberg A. 2013a. Puppet code (java script). http:\/\/u.cs.biu.ac.il\/_herzbea\/security\/code\/puppet-example.js."},{"key":"e_1_2_1_18_1","volume-title":"Proceedings of the International World Wide Web Conference.","author":"Gilad Y."},{"key":"e_1_2_1_19_1","doi-asserted-by":"crossref","unstructured":"Gilad Y. Herzberg A. and Shulman H. 2014. Off-path hacking: The illusion of challenge-response authentication. IEEE Secur. Privacy Mag. PP 99.  Gilad Y. Herzberg A. and Shulman H. 2014. Off-path hacking: The illusion of challenge-response authentication. IEEE Secur. Privacy Mag. 
PP 99.","DOI":"10.1109\/MSP.2013.130"},{"key":"e_1_2_1_20_1","doi-asserted-by":"crossref","unstructured":"Gont F. and Bellovin S. 2012. Defending against sequence number attacks. RFC 6528 (Proposed Standard).  Gont F. and Bellovin S. 2012. Defending against sequence number attacks. RFC 6528 (Proposed Standard).","DOI":"10.17487\/rfc6528"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1391949.1391950"},{"key":"e_1_2_1_22_1","doi-asserted-by":"crossref","unstructured":"Herzberg A. and Shulman H. 2012. Security of patched dns. In ESORICS S. Foresti M. Yung and F. Martinelli Eds. Lecture Notes in Computer Science vol. 7459 Springer 271--288.","DOI":"10.1007\/978-3-642-33167-1_16"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242654"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.5555\/1267591.1267593"},{"key":"e_1_2_1_25_1","volume-title":"Black Hat Conference.","author":"Kaminsky D.","year":"2011"},{"key":"e_1_2_1_26_1","doi-asserted-by":"crossref","unstructured":"Killalea T. 2000. Recommended internet service provider security services and procedures. RFC 3013 (Best Current Practice).   Killalea T. 2000. Recommended internet service provider security services and procedures. RFC 3013 (Best Current Practice).","DOI":"10.17487\/rfc3013"},{"key":"e_1_2_1_27_1","unstructured":"Klein A. 2004. Divide and conquer. HTTP response splitting web cache poisoning attacks and related topics. Sanctum white paper.  Klein A. 2004. Divide and conquer. HTTP response splitting web cache poisoning attacks and related topics. Sanctum white paper."},{"key":"e_1_2_1_28_1","unstructured":"Klein A. 2005. DOM based cross site scripting or xss of the third kind. Tech. rep. 
Web Application Security Consortium: Articles.  Klein A. 2005. DOM based cross site scripting or xss of the third kind. Tech. rep. Web Application Security Consortium: Articles."},{"key":"e_1_2_1_29_1","volume-title":"Encyclopedia of Cryptography and Security","author":"Klein A.","edition":"2"},{"key":"e_1_2_1_30_1","unstructured":"KLM. 2007. Remote blind tcp\/ip spoofing. Phrack Mag.  KLM. 2007. Remote blind tcp\/ip spoofing. Phrack Mag."},{"key":"e_1_2_1_31_1","doi-asserted-by":"crossref","unstructured":"Larsen M. and Gont F. 2011. Recommendations for transport-protocol port randomization. RFC 6056 (Best Current Practice). http:\/\/tools.ietf.org\/html\/rfc6056.  Larsen M. and Gont F. 2011. Recommendations for transport-protocol port randomization. RFC 6056 (Best Current Practice). http:\/\/tools.ietf.org\/html\/rfc6056.","DOI":"10.17487\/rfc6056"},{"key":"e_1_2_1_32_1","volume-title":"Proceedings of the Conference on File and Storage Technologies (BSDCon\u201902)","author":"Lemon J.","year":"2002"},{"key":"e_1_2_1_33_1","unstructured":"Marlinspike M. 2009. New tricks for defeating ssl in practice. https:\/\/www.blackhat.com\/presentations\/bh-dc-09\/Marlinspike\/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf.  Marlinspike M. 2009. New tricks for defeating ssl in practice. https:\/\/www.blackhat.com\/presentations\/bh-dc-09\/Marlinspike\/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf."},{"key":"e_1_2_1_34_1","unstructured":"Morris R. T. 1985. A weakness in the 4.2bsd unix tcp\/ip software. Tech. rep. AT&T Bell Laboratories.  Morris R. T. 1985. A weakness in the 4.2bsd unix tcp\/ip software. Tech. rep. AT&T Bell Laboratories."},{"key":"e_1_2_1_35_1","unstructured":"The Open Web Application Security Project. 2009. Cache poisoning. https:\/\/www.owasp.org\/index.php\/CachePoisoning.  The Open Web Application Security Project. 2009. Cache poisoning. 
https:\/\/www.owasp.org\/index.php\/CachePoisoning."},{"key":"e_1_2_1_36_1","unstructured":"The Open Web Application Security Project. 2010. Cross-site request forgery. https:\/\/www.owasp.org\/index.php\/Cross-Site.  The Open Web Application Security Project. 2010. Cross-site request forgery. https:\/\/www.owasp.org\/index.php\/Cross-Site."},{"key":"e_1_2_1_37_1","unstructured":"Petefish P. Sheridan E. and Wichers D. 2011. Cross-site request forgery (csrf) prevention cheat sheet. https:\/\/www.owasp.org\/index.php\/Cross-Site.  Petefish P. Sheridan E. and Wichers D. 2011. Cross-site request forgery (csrf) prevention cheat sheet. https:\/\/www.owasp.org\/index.php\/Cross-Site."},{"key":"e_1_2_1_38_1","unstructured":"Postel J. 1981. Transmission control protocol. RFC 793 (Internet Standard). Updated by RFCs 1122 3168 6093 6528. http:\/\/www.ietf.org\/rfc\/rfc793.txt.  Postel J. 1981. Transmission control protocol. RFC 793 (Internet Standard). Updated by RFCs 1122 3168 6093 6528. http:\/\/www.ietf.org\/rfc\/rfc793.txt."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.29"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382258"},{"key":"e_1_2_1_41_1","unstructured":"Ruderman J. 2001. Same origin policy for javascript. https:\/\/developer.mozilla.org\/En\/Same.  Ruderman J. 2001. Same origin policy for javascript. https:\/\/developer.mozilla.org\/En\/Same."},{"key":"e_1_2_1_42_1","unstructured":"Sanfilippo S. 1998. A new tcp scan method. http:\/\/seclists.org\/bugtraq\/1998\/Dec\/79.  Sanfilippo S. 1998. A new tcp scan method. 
http:\/\/seclists.org\/bugtraq\/1998\/Dec\/79."},{"key":"e_1_2_1_43_1","volume-title":"Takedown: The Pursuit and Capture of Kevin Mitnick, America\u2019s Most Wanted Computer Outlaws - by the Man Who Did It","author":"Shimomura T.","year":"1995","edition":"1"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772784"},{"key":"e_1_2_1_45_1","doi-asserted-by":"crossref","unstructured":"Touch J. 2007. Defending tcp against spoofing attacks. RFC 4953. http:\/\/tools.ietf.org\/html\/rfc4953.  Touch J. 2007. Defending tcp against spoofing attacks. RFC 4953. http:\/\/tools.ietf.org\/html\/rfc4953.","DOI":"10.17487\/rfc4953"},{"key":"e_1_2_1_46_1","unstructured":"Watson P. 2004. Slipping in the window: TCP reset attacks. http:\/\/bandwidthco.com\/whitepapers\/netforensics\/tcpip\/TCP%20Reset%20Attacks.pdf.  Watson P. 2004. Slipping in the window: TCP reset attacks. http:\/\/bandwidthco.com\/whitepapers\/netforensics\/tcpip\/TCP%20Reset%20Attacks.pdf."},{"key":"e_1_2_1_47_1","unstructured":"Zalewski M. 2001. Strange attractors and tcp\/ip sequence number analysis. http:\/\/lcamtuf.coredump.cx\/newtcp\/.  Zalewski M. 2001. Strange attractors and tcp\/ip sequence number analysis. http:\/\/lcamtuf.coredump.cx\/newtcp\/."},{"key":"e_1_2_1_48_1","unstructured":"Zalewski M. 2011. The Tangled Web: A Guide to Securing Modern Web Applications 1st Ed. No Starch Press San Francisco CA.   Zalewski M. 2011. The Tangled Web: A Guide to Securing Modern Web Applications 1st Ed. 
No Starch Press San Francisco CA."}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2597173","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2597173","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T08:09:58Z","timestamp":1750234198000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2597173"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014,4]]},"references-count":48,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2014,4]]}},"alternative-id":["10.1145\/2597173"],"URL":"https:\/\/doi.org\/10.1145\/2597173","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"value":"1094-9224","type":"print"},{"value":"1557-7406","type":"electronic"}],"subject":[],"published":{"date-parts":[[2014,4]]},"assertion":[{"value":"2013-07-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2013-11-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2014-04-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}