New HTTP/2 Bypass Allows Malicious Cross-Site Scripting Attacks
New research reveals two attack vectors that bypass web security and exploit fundamental flaws in HTTP/2 implementations
In a groundbreaking revelation at the Network and Distributed System Security (NDSS) Symposium 2025, researchers from Tsinghua University have uncovered a critical vulnerability in the HTTP/2 protocol that could allow attackers to bypass traditional web security protections and execute arbitrary cross-site scripting (XSS) attacks on major websites.
What’s the Vulnerability?
The vulnerability centers around two new attack techniques—dubbed "CrossPUSH" and "CrossSXG"—that exploit weaknesses in two key features of the HTTP/2 protocol: Server Push and Signed HTTP Exchanges (SXG).
These attacks allow malicious actors to bypass the Same-Origin Policy (SOP), a security mechanism designed to keep malicious scripts from accessing sensitive data across different domains. By taking advantage of shared TLS certificates and manipulating HTTP/2 authority headers, attackers can deliver malicious scripts to browsers that are mistakenly accepted as legitimate content from trusted, same-origin sites.
HTTP/2 Authority Confusion: The Root Cause
At the heart of the issue is a fundamental confusion between how browsers define “origin” versus how HTTP/2 defines “authority”.
- Browsers define the "origin" as a strict URI scheme/host/port tuple and use it to enforce the SOP.
- HTTP/2, on the other hand, treats any domain listed in the Subject Alternative Name (SAN) of a TLS certificate as having the same authority.
This discrepancy opens the door for attackers to bypass security by exploiting how browsers and HTTP/2 handle cross-origin content.
The Attack Methods
- CrossPUSH Attack
In a CrossPUSH attack, malicious servers exploit the :authority pseudo-header in HTTP/2's Server Push mechanism. By manipulating this header, attackers can push malicious content to a victim's browser, making it appear as if the content is coming from a trusted, same-origin site. Example: an attacker can set the :authority header to "victim.com" in an HTTP/2 push stream, and the browser will incorrectly cache the malicious content, thinking it's from the legitimate site.
- CrossSXG Attack
The CrossSXG attack targets Signed HTTP Exchanges (SXG), a mechanism designed to allow browsers to validate the authenticity of content. By manipulating the request-url and validity-url headers in SXGs, attackers can trick browsers into accepting attacker-controlled content as though it's coming from the victim's domain.
The Broader Impact: Browsers and Apps at Risk
The research found that 11 out of 14 major browsers, including Chrome and Edge, are vulnerable to at least one variant of these attacks. This poses a significant risk not only to websites but also to mobile applications, with popular platforms like Instagram, WeChat, QQ Mail, Weibo, and TikTok also affected.
Worryingly, the vulnerability extends beyond browsers. Applications built on vulnerable software libraries, such as Chrome-Net, are also exposed to these attacks, even if they use secure versions of WebKit.
Attackers Can Exploit the Vulnerability
One of the more alarming aspects of these attacks is the ease with which attackers can acquire the necessary shared certificates. The researchers found that:
- Domain resellers can buy expired domains, issue shared certificates for them, and then sell the domains while retaining control of the certificates.
- Domain takeover techniques can be used to exploit dangling DNS records pointing to unused services, which then allows attackers to acquire certificates for high-profile victim domains.
In fact, over 11,741 domains in the Tranco Top 1M list were found to be resold during the attack window, and 4,919 dangling domains could be exploited for certificate acquisition.
Even more concerning, 829 of the top 1,000 websites share certificates with less-secure, lower-ranked domains—creating potential entry points for attackers.
Fixes Are on the Way, But Vigilance Is Key
This vulnerability has garnered attention from major security vendors, including Huawei, Baidu, Microsoft, and Google, who have acknowledged the findings and are actively working on fixes.
To mitigate these attacks, the researchers recommend:
- Enforcing consistent authority validation in browsers to prevent incorrect assumptions about the source of content.
- Restricting shared certificates in Signed HTTP Exchanges to limit exposure.
- Improving certificate management practices to ensure that only trusted entities can issue certificates for a given domain.
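The following is an added example, not code from the researchers or from any browser, that makes the root-cause mismatch above concrete and shows what the first mitigation (consistent authority validation) amounts to. It models a browser's scheme/host/port origin next to the HTTP/2 rule that a connection is authoritative for every host the server certificate covers (RFC 9113, section 10.1), then evaluates a pushed :authority under each rule. The certificate, host names and the simplified SAN matcher are constructed for illustration; a real validator would reuse the TLS stack's name matching.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Browser-side origin as used for the Same-Origin Policy: (scheme, host, port).
Origin = Tuple[str, str, int]


@dataclass(frozen=True)
class TlsCertificate:
    """Constructed stand-in for a server certificate; only the SAN dNSName entries matter here."""
    san: Tuple[str, ...]


def san_matches(entry: str, host: str) -> bool:
    """Match one SAN dNSName against a host name.

    A leading '*.' matches exactly one DNS label, which is the usual browser rule.
    Simplified: no IP SANs, no IDNA handling.
    """
    entry, host = entry.lower(), host.lower()
    if entry.startswith("*."):
        suffix = entry[1:]  # e.g. ".example.test"
        if not host.endswith(suffix):
            return False
        left = host[: -len(suffix)]
        return left != "" and "." not in left
    return entry == host


def http2_authoritative(cert: TlsCertificate, host: str) -> bool:
    """HTTP/2 view: the connection is authoritative for any host the certificate covers."""
    return any(san_matches(e, host) for e in cert.san)


def origin_from_authority(scheme: str, authority: str) -> Origin:
    """Turn a :authority pseudo-header value into the browser's origin tuple."""
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return (scheme, host.lower(), int(port))
    default_port = 443 if scheme == "https" else 80
    return (scheme, authority.lower(), default_port)


def push_decision(conn_origin: Origin, cert: TlsCertificate, pushed_authority: str) -> Dict[str, bool]:
    """Evaluate a PUSH_PROMISE's :authority under both rules.

    'http2_accepts' is what a client that only applies the certificate rule would do;
    'strict_origin_accepts' is the browser's SOP tuple comparison.
    """
    pushed_origin = origin_from_authority(conn_origin[0], pushed_authority)
    return {
        "http2_accepts": http2_authoritative(cert, pushed_origin[1]),
        "strict_origin_accepts": pushed_origin == conn_origin,
    }


def validate_push_promise(conn_origin: Origin, cert: TlsCertificate, pushed_authority: str) -> bool:
    """Mitigation: accept a pushed resource only if it passes BOTH rules.

    The certificate must cover the host (otherwise the push is not even authoritative),
    and the pushed authority must be the same origin as the connection it arrived on,
    so a certificate shared across unrelated sites cannot widen what the browser trusts.
    """
    decision = push_decision(conn_origin, cert, pushed_authority)
    return decision["http2_accepts"] and decision["strict_origin_accepts"]


if __name__ == "__main__":
    # Constructed scenario: one certificate lists two unrelated sites in its SAN.
    shared_cert = TlsCertificate(san=("shared-host.example", "victim.example", "*.cdn.example"))
    connection = ("https", "shared-host.example", 443)

    for authority in ("shared-host.example", "victim.example", "a.cdn.example", "other.example"):
        d = push_decision(connection, shared_cert, authority)
        print(f"{authority:22} http2={d['http2_accepts']!s:5} "
              f"sop={d['strict_origin_accepts']!s:5} "
              f"accept={validate_push_promise(connection, shared_cert, authority)}")
```

Run as a script, the table shows the gap the article describes: a push for victim.example is authoritative under the certificate rule but fails the strict origin comparison, so only the combined check rejects it while still allowing pushes for the connection's own origin.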
What Can You Do?
If you manage a website or an app, it’s critical to ensure that your HTTP/2 implementation and certificate management practices are up to date. The recommendations from the research highlight the need for more robust authority validation and better management of shared certificates across platforms. Regularly updating your security practices will be essential to prevent this kind of attack.
As the researchers note, this vulnerability is an important reminder of the complexities of modern web security—and why both browser vendors and web developers need to stay ahead of evolving threats.