pith. sign in

Off-Path Attacking the Web

1 Pith paper cite this work. Polarity classification is still indexing.

1 Pith paper citing it
abstract

We show how an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), cross-site request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either web-browser or server and circumventing known defenses. Attacker can also launch devastating denial of service (DoS) attacks, even when the connection between the client and the server is secured with SSL/TLS. The attacks are practical and require a puppet (malicious script in browser sandbox) running on a the victim client machine, and attacker capable of IP-spoofing on the Internet. Our attacks use a technique allowing an off-path attacker to learn the sequence numbers of both client and server in a TCP connection. The technique exploits the fact that many computers, in particular those running Windows, use a global IP-ID counter, which provides a side channel allowing efficient exposure of the connection sequence numbers. We present results of experiments evaluating the learning technique and the attacks that exploit it. Finally, we present practical defenses that can be deployed at the firewall level; no changes to existing TCP/IP stacks are required.

fields

cs.CR 1

years

2026 1

verdicts

UNVERDICTED 1

representative citing papers

One (Thread) Can Keep a (PRNG) Secret, but not Two

cs.CR · 2026-05-30 · unverdicted · novelty 7.0

A race-condition exploit recovers the internal state of XNU's PRNG for IPv6 fragment IDs, enabling off-path fragment spoofing on UDP and TCP protocols.

citing papers explorer

Showing 1 of 1 citing paper.

  • One (Thread) Can Keep a (PRNG) Secret, but not Two cs.CR · 2026-05-30 · unverdicted · none · ref 20 · internal anchor

    A race-condition exploit recovers the internal state of XNU's PRNG for IPv6 fragment IDs, enabling off-path fragment spoofing on UDP and TCP protocols.