Papers
Topics
Authors
Recent
Search
2000 character limit reached

Forged-Origin Hijacks Explored

Updated 7 July 2026
  • Forged-origin hijacks are attacks where adversaries spoof provenance markers (e.g., AS origins, cookies, Kerberos tickets) to impersonate trusted entities.
  • They span multiple domains including BGP route hijacks, Android WebView abuses, TCP session manipulation, and even AI memory forgeries, exploiting trust-boundary failures.
  • Detection systems use methods such as machine learning classifiers and thresholding techniques, though adversaries can manipulate public data and legacy protocols to bypass defenses.

Forged-origin hijacks are attacks in which a malicious actor causes a system to accept a route, request, packet, resource, ticket, memory entry, or document value as if it originated from a legitimate source, origin, session, or prior trusted state. In the cited literature, the mechanism varies substantially: BGP forged-origin hijacks preserve an apparently authorized origin AS; Android WebView attacks emit authenticated requests under a logged-in user’s cookies; network operators race forged HTTP responses against legitimate server traffic; dangling cloud resources inherit a victim’s existing DNS mapping; forged Kerberos tickets appear to originate from the KDC or a legitimate service principal; forged reasoning traces appear to be the agent’s own prior rationale; and AI-inpainted document values preserve the appearance of authentic provenance (Giaconia et al., 27 Jul 2025, Bhavani, 2014, Nakibly et al., 2016, Frieß et al., 2024, Grippo et al., 2022, Karamchandani et al., 6 Jul 2026, Wu et al., 24 Feb 2026).

1. Concept and trust-boundary structure

The recurring structure is a trust-boundary failure. In Android WebView, “the site authenticates WebView and not the application” (Bhavani, 2014). In same-origin nested browsing contexts, CSP is enforced per document, while SOP is enforced per origin, allowing a less-protected same-origin page to undermine the intended guarantees of a more-protected page (Somé et al., 2016). In sourceURL-based measurement obfuscation, dynamically evaluated code can assign itself a forged script name, and browser developer tools, JavaScript stack traces, and related network attribution surfaces then report that attacker-chosen label rather than the underlying generation context (Bird, 2020).

This suggests that forged-origin hijacks are not limited to literal origin fields. A plausible implication is that any security mechanism that authenticates an exposed provenance marker—such as an origin AS, a cookie-bearing session, a DNS target name, a debugging label, a Kerberos signing context, or a remembered rationale—can be subverted if the marker can be replayed, spoofed, or structurally imitated. The cited works therefore span not a single protocol vulnerability but a family of attacks against provenance assumptions.

2. Inter-domain routing and the meaning of “origin”

In BGP, the most literal use of the term appears in route-origin security. A BGP item is represented as (prefix,AS path)(\text{prefix}, \text{AS path}), where the last AS in the AS path is the origin AS. Route Origin Authorization classifies announcements as Unknown, Valid, or Invalid, with validity defined by prefix coverage, maximum length, and equality between the BGP origin AS and the authorized AS in the ROA (Xu et al., 2019):

Valid    rROA: cover(r.p,p)  pr.maxLen  origin(p)=r.AS\text{Valid} \iff \exists r \in \text{ROA}:\ \text{cover}(r.p, p)\ \wedge\ |p| \le r.\text{maxLen}\ \wedge\ \text{origin}(p)=r.\text{AS}

A later line of work distinguishes Type-0 and Type-1 hijacks. In a Type-0 hijack, the attacker announces the victim’s prefix from its own AS, producing a clear origin mismatch. In a forged-origin hijack, or Type-1 hijack, the attacker announces the victim’s prefix but forges the AS path so that the victim AS appears as the origin. The route can therefore appear RPKI-compliant even though the attacker is the actual originator of the announcement (Giaconia et al., 27 Jul 2025).

The operational difficulty is that invalid does not necessarily mean hijack. On 16 May 2018, one measurement reported 635,412 Unknown items (90.87%), 58,931 Valid items (8.43%), and 4,949 Invalid items (0.71%). Among those invalid prefixes, the study identified six classes likely to be false alarms: Invalid load-balancing, Invalid failing to aggregate, Invalid multihoming, Invalid singlehoming, Invalid provider, and Invalid transfer. The conclusion was that more than 60% of invalid prefixes very likely result from traffic engineering, IP address transfer, and failing to aggregate rather than real hijackings (Xu et al., 2019). The long-lived character of many invalid (prefix, origin AS) pairs further supports the claim that a large fraction are operational artifacts rather than attacks.

Recent forged-origin hijack detection systems introduce a second layer of vulnerability: poisoning the public data on which they rely. The detector DFOH identifies new AS links and classifies them with a Random Forest using Topological, PeeringDB-based, AS-path-pattern, and Bidirectionality features, with reproduced feature-importance scores of 0.16, 0.23, 0.59, and 0.02, respectively (Giaconia et al., 27 Jul 2025). BEAM instead computes a path-difference score over AS embeddings and flags anomalies when the score exceeds a learned dynamic threshold. Large-scale simulation shows that these monitor-based systems can themselves be manipulated: more than 100 attacker ASes were able to hijack over 80% of all other ASes after poisoning DFOH, and approximately 15% of attackers needed zero additional links, 14% needed one extra link, and 28% needed two extra links. For BEAM, 10 distinct polluting announcements were enough for most attackers to raise the threshold by about 5% and gain the ability to hijack an additional 10% of prefixes without detection (Giaconia et al., 27 Jul 2025). The resulting lesson is that public BGP data is not merely incomplete; it is also adversarially editable.

3. Web, browser, and application-layer origin confusion

In Android, WebView can become a CSRF/XSRF launchpad when a third-party application embeds a trusted website and the user is already authenticated. The central condition is that the trusted site authenticates the WebView session, not the Android application identity. A malicious app with android.permission.INTERNET can therefore issue requests on behalf of the user by using WebView.loadUrl, WebView.loadData, WebView.postUrl, or by extracting cookies through CookieManager.getCookie(url) and replaying them with httpPost.setHeader("Cookie", cookie) (Bhavani, 2014). The demonstrated effects include post topics, send private messages, submit content, and more generally perform actions as the logged-in user. The attack is described as easy to execute but difficult to detect and prevent (Bhavani, 2014).

A related same-origin phenomenon appears in the interaction between CSP and SOP. In a crawl of 1,090,226 pages from 9,885 sites, 21,961 pages had CSP (2.00%), and among pages with CSP in enforcement mode (18,035 pages), 5,604 pages31.1%—could potentially suffer CSP violations due to same-origin pages, including 4,381 cases where a same-origin page had no CSP and 1,223 where it had a different CSP. For direct same-origin parent-iframe pairs, 169 of 720 couples yielded violations, or 23.5%. When document.domain relaxation is considered, the study reports 1,672 violations out of 1,781 couples, or 94%, and overall 12,899 pages, or 72% of CSP-enabled pages, were potentially vulnerable in the wider site context (Somé et al., 2016). The mechanism is not classic cross-origin theft; rather, a weaker same-origin context becomes a bridge that violates the intended guarantees of a stricter context.

Origin forgery also appears in browser measurement surfaces. In a February 2020 crawl of the Alexa top 100k using OpenWPM and fingerprinting heuristics, the instrumentation found 3,134 fingerprinting scripts, from 2,203 fingerprinting script domains, on 5,106 visited domains. The researchers observed suspicious script_url values such as '', (program):2, dna.min.js, and dna-persist.min.js, and traced the cause to sourceURL. Because sourceURL can label dynamically evaluated code, developer tools and measurement systems that rely on the same JavaScript stack and network stack information can attribute execution to a forged script name rather than the real network origin (Bird, 2020). Firefox 78 added the preference javascript.options.source_pragmas, which can be set to false to disable both sourceURL and sourceMappingURL; Chromium remained affected, while Safari appeared not to suffer from the problem in the tested scenario (Bird, 2020).

4. Forged packets, raced responses, and TCP-session impersonation

Website-targeted false content injection shows forged-origin hijacks at the packet level. In that setting, a network operator observing HTTP over port 80 injects a forged TCP segment or HTTP response into a live connection out-of-band, without dropping the legitimate packet. The client may therefore receive two packets with the same TCP sequence numbers but different payloads, and because TCP accepts the first data received for a sequence number, the attack reduces to a race (Nakibly et al., 2016). The race-detection algorithm uses a bound of MaxIntervalTime=200msecMaxIntervalTime = 200msec, overlapping TCP sequence space, and differing overlapped payload. Empirically, the legitimate packet arrived first in only 32% of events. The study monitored more than 75,000 users, 1.4 petabits of traffic, 129 million HTTP sessions, and servers with more than 1.5 million distinct IP addresses, identifying around 400 injection events grouped into 14 injection groups (Nakibly et al., 2016).

The injected content ranged from advertising to malware. One representative case replaced a legitimate 200 OK JavaScript response from cnzz.com with a forged 302 Found redirect to http://adcpc.899j.com/[google](https://www.emergentmind.com/topics/service-weaver-google)/google.js, which then routed the browser through affiliate ad networks (Nakibly et al., 2016). The best defense was HTTPS. For residual HTTP traffic, the proposed client-side mitigation delayed suspicious packets by 200 ms; a naive version incurred about 120% load-time increase, while an improved version based on TTL and IP ID anomalies delayed only suspicious packets and achieved about 12% load-time increase with 0.3% false negatives (Nakibly et al., 2016).

A distinct but related mechanism arises in off-path TCP hijacking against Linux 4.18+ using mixed IPID assignment. There, an attacker who cannot eavesdrop but can spoof packets first downgrades TCP IPID handling from the secure per-socket-based policy to the weaker hash-based policy by sending a forged ICMP Fragmentation Needed message. Because the hash-based scheme uses one of 2048 shared counters, the attacker can build a side channel, detect TCP connections, infer sequence and acknowledgment numbers, and then either reset the connection or inject forged data (Feng et al., 2020). The paper reports that the attack can be constructed within 215 seconds and that the success rate is over 88%. It also reports 22,953 websites vulnerable to the forged ICMP-based downgrade, average SSH DoS times around 155 seconds, web-traffic manipulation in 206.6 seconds on average, and BGP table poisoning in 214.3 seconds on average (Feng et al., 2020). Here, the forged-origin property lies in the acceptance of attacker-generated TCP segments as though they came from the legitimate peer.

5. Resource, certificate, and ticket provenance

Dangling cloud resources produce a form of origin-impersonation hijacking in which a released cloud resource remains referenced by a DNS record. The attack chain is explicit: a legitimate organization maps its domain or subdomain to a cloud resource, later deletes the resource but forgets to remove the DNS record, and an attacker then re-registers the same resource name. Because traffic still resolves through the victim’s DNS record, the attacker now serves content under the victim’s existing domain name or subdomain (Frieß et al., 2024). The study reports 20,904 instances of hijacked resources and 17,698 unique abused FQDNs. Some hijacks lasted up to 15 days, more than one-third persisted for over 65 days, and some lasted more than a year (Frieß et al., 2024).

The work materially revised earlier assumptions about what attackers target. The most abused resource types were largely CNAME-addressable, freetext-named resources, including Azure Web Application: 8,347 abuses, AWS S3: 5,876, Azure Traffic Manager: 2,980, Azure Cloud Service: 1,060, and Azure VM: 983. By contrast, the study found no real-life IP address takeovers in the abuse dataset, and it noted the absence of abused Google Cloud-hosted domains, attributing that to random subdomain assignment (Frieß et al., 2024). The dominant abuse was blackhat SEO, accounting for 75% of HTML samples. The scope included 31% of Fortune 500 companies, 25.4% of Global 500 companies, 8,432 popular Tranco-listed websites, and 264 abused university subdomains globally (Frieß et al., 2024). In these cases, the attacker inherits the reputation and trust chain of the victim domain rather than merely hosting unrelated malicious content.

In Active Directory, forged Kerberos tickets similarly hijack the appearance of legitimate authentication. A Silver Ticket is a forged TGS/service ticket encrypted with a service account hash, and a Golden Ticket is a forged TGT/ticket-granting ticket protected with the krbtgt secret. Once injected into the local Kerberos cache using Pass-the-Ticket (/ptt), such tickets allow unauthorized access that can look normal at the service side (Grippo et al., 2022). Detection relies on Windows Security Event Logs and centralized correlation. The key signal for Golden Tickets is a 4769 event without a corresponding preceding 4768 event on the domain controller. Another major indicator is ticket lifetime: legitimate Kerberos tickets use the default MaxTicketAge = 10 hours, whereas Mimikatz-forged tickets are described with a default lifetime of 10 days, and the example Golden Ticket in the study runs from 4/10/2022 9:34:02 AM to 4/7/2032 9:34:02 AM (Grippo et al., 2022). Silver Tickets are harder to detect because they do not involve the DC, and service-side logs may appear normal when the attacker impersonates an existing account (Grippo et al., 2022).

6. AI-era provenance hijacks in agent memory and document forensics

Persistent-memory agents introduce a new target: the agent’s memory of its own prior reasoning. The Forged Amplifying Rationale Memory Attack (FARMA) poisons the reasoning store rather than factual memory. Seed entries use evasive vocabulary such as “source-level validation complete,” “verified upstream,” and “re-validation is unnecessary,” while matching the agent’s own decision-log format and even spoofing metadata such as source = agent and trust = verified. Later entries amplify the attack by citing earlier forged entries as precedent, turning them into an apparent consensus (Karamchandani et al., 6 Jul 2026). The defense pipeline SENTINEL applies five layers, with the central Reasoning Guard computing

F=i=15wisi,iwi=1F = \sum_{i=1}^{5} w_i s_i,\quad \sum_i w_i = 1

using default weights wi=0.2w_i = 0.2, and rejecting entries when F>τguardF > \tau_{guard}, with τguard=0.5\tau_{guard} = 0.5 in evaluation (Karamchandani et al., 6 Jul 2026). Across 50 trials, FARMA achieved an attack success rate of up to 100% under baseline conditions and defeated defenses such as the keyword filter and A-MemGuard. SENTINEL reduced FARMA’s attack success rate to 0% in EHR, 6% in ReAct-QA, and 0% in RAP, with 0 false positives observed across 326 benign agent traces (Karamchandani et al., 6 Jul 2026). The attack therefore forges not external evidence but the agent’s own remembered precedent.

Document forensics shows a visually analogous problem. AIForge-Doc is the first dedicated benchmark for diffusion-model-based inpainting in financial and form documents with pixel-level annotation, containing 4,061 forged images drawn from CORD, WildReceipt, SROIE, and XFUND across nine languages (Wu et al., 24 Feb 2026). The generation pipeline selects a numeric field, mutates the value, constructs a context window, performs AI inpainting with Gemini 2.5 Flash Image or Ideogram v2 Edit, and pastes back only the exact field bbox, producing pixel-level masks in DocTamper-compatible format (Wu et al., 24 Feb 2026). The threat is that the forged value remains statistically and visually embedded in otherwise authentic content, so the document still appears to come from a legitimate source while the critical numeric field has been rewritten.

Current detectors degrade sharply under this regime. On the AIForge-Doc test set, TruFor achieved AUC = 0.751 with IoU = 0.358, compared with AUC = 0.96 on NIST16; DocTamper achieved AUC = 0.563 with IoU = 0.020, compared with AUC = 0.98 and IoU = 0.71 in-distribution; and GPT-4o achieved AUC = 0.509, essentially at chance (Wu et al., 24 Feb 2026). This suggests that forged-origin hijacking is expanding from network and identity systems into provenance-sensitive AI pipelines, where authenticity can no longer be inferred from classic editing traces, surface keywords, or simple consensus assumptions.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Forged-Origin Hijacks.