"The injection is done by observing HTTP requests by means of eavesdropping on network traffic. When an interesting target is observed, another device, the shooter, is tipped to send a spoofed TCP packet... For the attack to succeed the packet injected by the shooter has to arrive at the target before the ‘real’ response of the webserver. By exploiting this speed difference or race condition, one can impersonate the webserver."
For the packet-capture savvy, Fox-IT also published some pcaps, which they have shared with CloudShark (the link goes to the CloudShark summary entry on the attack, which links to the annotated pcaps), and made a quick video explaining how it works.
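An added detection example, not code from Fox-IT or the original post: because the injected packet and the real response race for the same position in the TCP stream, a capture in which both arrive contains two segments covering the same sequence range with different bytes. The Python below flags that condition over constructed segment records; the `Segment` type, the function name and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Segment(NamedTuple):   # hypothetical record type, one per captured TCP segment
    src: str
    sport: int
    dst: str
    dport: int
    seq: int                 # sequence number of the first payload byte
    payload: bytes

def find_conflicting_segments(segments):
    """Return (earlier, later) pairs that carry different bytes for the same
    sequence range in the same flow direction. Identical retransmissions are
    not reported. Sequence-number wraparound is ignored (assumption)."""
    seen = defaultdict(list)  # flow 4-tuple -> data segments already observed
    conflicts = []
    for seg in segments:
        if not seg.payload:
            continue          # pure ACKs carry no data to compare
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        for prev in seen[flow]:
            start = max(prev.seq, seg.seq)
            end = min(prev.seq + len(prev.payload), seg.seq + len(seg.payload))
            if start < end:   # the two segments overlap in sequence space
                a = prev.payload[start - prev.seq:end - prev.seq]
                b = seg.payload[start - seg.seq:end - seg.seq]
                if a != b:
                    conflicts.append((prev, seg))
        seen[flow].append(seg)
    return conflicts

# Constructed sample (documentation addresses), server-to-client direction only.
SAMPLE = [
    Segment("192.0.2.10", 80, "198.51.100.7", 50000, 1000, b"HTTP/1.1 200 OK\r\n\r\nfirst-to-arrive body"),
    Segment("192.0.2.10", 80, "198.51.100.7", 50000, 1000, b"HTTP/1.1 200 OK\r\n\r\nsecond-to-arrive body"),
    Segment("192.0.2.10", 80, "198.51.100.7", 50001, 5000, b"HTTP/1.1 200 OK\r\n\r\nsame"),
    Segment("192.0.2.10", 80, "198.51.100.7", 50001, 5000, b"HTTP/1.1 200 OK\r\n\r\nsame"),  # plain retransmission
]

if __name__ == "__main__":
    for first, second in find_conflicting_segments(SAMPLE):
        print(f"{first.src}:{first.sport} -> {first.dst}:{first.dport} seq={first.seq}")
        print("  first :", first.payload)
        print("  second:", second.payload)
```

A hit means two different payloads claimed the same stream position; it does not by itself say which one came from the real server.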