FISA

New research reveals two attack vectors that bypass web security and exploit fundamental flaws in HTTP/2 implementations In a groundbreaking revelation at the Network and Distributed System Security (NDSS) Symposium 2025 , researchers from Tsinghua University have uncovered a critical vulnerability in the HTTP/2 protocol that could allow attackers to bypass traditional web security protections and execute arbitrary cross-site scripting (XSS) attacks on major websites. What’s the Vulnerability? The vulnerability centers around two new attack techniques—dubbed "CrossPUSH" and "CrossSXG" —that exploit weaknesses in two key features of the HTTP/2 protocol: Server Push and Signed HTTP Exchanges (SXG) . These attacks allow malicious actors to bypass the Same-Origin Policy (SOP) , a security mechanism designed to keep malicious scripts from accessing sensitive data across different domains. By taking advantage of shared TLS certificates and manipulating HTTP/2 au...