Hackers Exploit HTTP/2 Flaw to Launch Arbitrary Cross-Site Scripting Attacks

A groundbreaking study from Tsinghua University and Zhongguancun Laboratory has uncovered critical vulnerabilities in modern web infrastructure, revealing that HTTP/2 server push and Signed HTTP Exchange (SXG) features can be exploited to bypass the Same-Origin Policy (SOP)—a cornerstone of web security.

The SOP is designed to prevent malicious scripts on one website from accessing sensitive data on another, but researchers have found that recent changes in how browsers interpret “origin” versus “authority” have created dangerous loopholes.

Traditionally, browsers define an “origin” as a unique tuple of URI scheme, host, and port. However, HTTP/2 and HTTP/3 protocols allow any domain listed in the SubjectAlternativeName (SAN) field of a TLS certificate to be recognized as an “authority.”

This means that if a certificate is shared among multiple domains—often managed by different entities—any of those domains can be treated as the same authority by the browser when using HTTP/2 server push or SXG.

Attackers can exploit this by acquiring or hijacking a shared certificate and then pushing malicious resources that the browser will accept as legitimate, even if they originate from a different domain.

CrossPUSH and CrossSXG

The research introduces two powerful new attack techniques:

• CrossPUSH: Leveraging HTTP/2 server push, an attacker who controls a domain sharing a certificate with a victim site can push resources (like JavaScript files) to the browser, specifying the victim’s domain as the :authority pseudo-header.
• The browser, trusting the shared certificate, caches and later executes these resources in the security context of the victim site. This enables attacks such as cross-site scripting (XSS), cookie manipulation, and malicious file downloads. javascript// Example: Using Node.js HTTP/2 to set :authority stream.pushStream({ ':path': '/script.js', ':authority': 'victim.com' }, (err, pushStream) => { pushStream.respond({ ':status': 200, 'content-type': 'application/javascript' }); pushStream.end('alert(document.cookie);'); });
• CrossSXG: Using SXG, an attacker can sign web content as if it originated from any domain in the shared certificate’s SAN list by manipulating the request-url and validity-url headers.
• The browser validates the SXG using the shared certificate and then displays the attacker’s content as if it were from the victim site.
• This attack is even more potent because it works across caches and third-party distributors. textSXG Headers: request-url: https://victim.com/ validity-url: https://victim.com/validity cert-url: https://attacker.com/cert.cbor

Both attacks are “off-path,” meaning the attacker does not need to intercept network traffic; they only need to lure users to their site (e.g., via phishing or malicious iframes), making the threat highly scalable and practical.

Widespread Vulnerabilities and Exploitation

The study’s large-scale measurements reveal that these vulnerabilities are not theoretical—they affect a significant portion of the web ecosystem:

• Browser Exposure: 11 out of 14 major browsers, including Chrome and Edge, are vulnerable to at least one of the attacks.
• Many popular mobile apps (such as Instagram and WeChat) and browser libraries are also affected, especially on platforms where WebView inherits the default browser’s behavior.
• Website Exposure: Over 11,000 top-ranked domains have been resold within the typical attack window, and nearly 5,000 “dangling” domains (with misconfigured DNS) can be hijacked for certificate issuance.
• Alarmingly, 83% of the top 1,000 websites are included in shared certificates with lower-ranked, potentially less secure domains, dramatically expanding the attack surface.
• Attack Longevity: Due to domain validation reuse and certificate renewal policies, attackers can maintain control for up to 796 days, even after victims attempt to revoke compromised certificates.
• Features like the Add Grace Period (AGP) in domain registration can be abused to acquire certificates at minimal cost, and current revocation mechanisms often fail if the attacker retains any domain in the certificate’s SAN list.

Mitigation and Industry Response

Researchers propose several urgent mitigations:

• Browsers should strictly enforce authority checks, rejecting server pushes and SXGs where the authority does not match the connection origin.
• Certificate Authorities (CAs) should facilitate domain owners’ ability to remove their domains from shared certificates and improve validation procedures.
• Domain registrars and buyers should monitor Certificate Transparency logs to detect suspicious certificate sharing during domain transfers.

The team has responsibly disclosed these findings to major vendors, including Microsoft, Google, Huawei, and Baidu, prompting acknowledgment and initial mitigation efforts.

This research exposes a systemic flaw in the intersection of modern web protocols and certificate management, demonstrating that even sites with rigorous security practices can be compromised if they share certificates with less secure domains.

The industry is urged to act swiftly to close these loopholes before widespread exploitation occurs.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!