Hackers Are Abusing HTTP/2 for Arbitrary Cross-Site Scripting — Is Your Site at Risk?
TechSquad Daniel

A groundbreaking discovery has shaken the foundations of web security: researchers from Tsinghua University and Zhongguancun Laboratory have uncovered critical vulnerabilities in the HTTP/2 protocol that allow attackers to bypass the Same-Origin Policy (SOP) and execute arbitrary cross-site scripting (XSS) attacks on even the most secure websites.
Presented at the Network and Distributed System Security (NDSS) Symposium 2025, the research reveals two newly identified attack vectors—CrossPUSH and CrossSXG—that exploit inherent flaws in HTTP/2’s server push and Signed HTTP Exchange (SXG) features.
What’s the Vulnerability?
At the core of this issue lies a discrepancy between how web browsers define “origin” versus how HTTP/2 defines “authority.”
Browsers adhere to a strict definition of origin as a combination of the URI scheme, host, and port.
HTTP/2, however, treats all domains listed in the SubjectAlternativeName (SAN) field of a shared TLS certificate as having the same authority.
This mismatch opens the door to cross-origin confusion, allowing attackers to serve malicious content from one domain and have it executed as if it came from another.
Attack Techniques: CrossPUSH and CrossSXG
1. CrossPUSH
This technique exploits HTTP/2 Server Push to insert malicious scripts into the browser’s cache by impersonating trusted domains.
An attacker using a shared TLS certificate can push harmful resources while setting the :authority header to the victim’s domain. When the victim visits the site later, the cached malicious file is served as if it came from the legitimate domain.
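To make the origin-versus-authority mismatch concrete, here is an added illustration (my own code, not the researchers' or any browser's) that models both views side by side and then applies them to a pushed resource: in lenient mode a PUSH_PROMISE is accepted whenever the connection's certificate covers the pushed :authority, which is the behaviour CrossPUSH relies on; in strict mode the pushed authority must also equal the browser-defined origin of the connection. The certificate SAN list and hostnames are constructed for the example, and the strict check is an illustrative hardening, not one of the paper's four named mitigations.

```python
from urllib.parse import urlsplit

# Constructed SAN list for a hypothetical shared certificate (not from the paper).
SHARED_CERT_SANS = ["bank.example", "*.cdn.example", "shop.example"]


def browser_origin(url):
    """Origin as browsers define it: the (scheme, host, port) triple."""
    u = urlsplit(url)
    port = u.port or {"https": 443, "http": 80}[u.scheme]
    return (u.scheme, u.hostname.lower(), port)


def san_matches(san, host):
    """Certificate name match: exact, or a single-label leftmost wildcard."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                      # ".cdn.example"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def h2_same_authority(cert_sans, host):
    """HTTP/2 view: every host the certificate covers shares the connection's authority."""
    return any(san_matches(san, host) for san in cert_sans)


def push_is_acceptable(conn_url, pushed_authority, cert_sans, strict=True):
    """Decide whether a pushed resource claiming `pushed_authority` should be cached.

    Lenient mode checks only certificate coverage (the mismatch described above).
    Strict mode additionally requires the pushed authority to be the same browser
    origin as the connection it arrived on.
    """
    if not h2_same_authority(cert_sans, pushed_authority):
        return False                          # not even HTTP/2 would accept it
    if not strict:
        return True
    return browser_origin(conn_url) == browser_origin(f"https://{pushed_authority}")


def audit_shared_authority(cert_sans, hosts):
    """Defender's audit: which of `hosts` can an HTTP/2 peer on this cert claim?"""
    return sorted(h for h in hosts if h2_same_authority(cert_sans, h))
```

Running audit_shared_authority over the SAN list of a production certificate lists every hostname that shares authority with it, which is the exposure the shared-certificate statistics below describe.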
2. CrossSXG
Signed HTTP Exchanges (SXG) allow sites to pre-sign and deliver content through third parties. However, attackers can forge SXGs that look like they’re from a legitimate domain by manipulating the request-url and validity-url headers, as long as they share a certificate with the target site.
Widespread Browser Vulnerabilities
The scale of this vulnerability is massive:
11 out of 14 major browsers, including Chrome and Edge, are vulnerable.
Popular mobile apps like Instagram, WeChat, QQ Mail, Weibo, and TikTok also inherit these weaknesses through shared browser libraries.
Over 11,741 domains in the Tranco Top 1M have been resold within active attack windows.
Nearly 4,919 dangling domains allow attackers to hijack unused DNS records for certificate acquisition.
829 of the top 1,000 websites share TLS certificates with lower-ranked domains, dramatically expanding the potential attack surface.
Response and Mitigation Efforts
The researchers have proposed four key mitigation strategies and are actively collaborating with browser vendors to address these critical flaws that undermine core web security principles relied upon by millions of users.
They have responsibly disclosed their findings to the impacted vendors, receiving formal acknowledgments from major tech companies, including Huawei, Baidu, and Microsoft.
What makes these vulnerabilities particularly alarming is their ability to bypass even well-configured HTTPS setups and strict Content Security Policies (CSP). Beyond basic XSS, the attacks open the door to deeper threats such as cookie theft, unauthorized file downloads, and full-scale cross-origin exploits affecting every domain tied to a compromised shared
