Recent research has uncovered critical vulnerabilities within the HTTP/2 protocol, enabling attackers to bypass established web security measures and execute arbitrary cross-site scripting (XSS) attacks on prominent websites. At the Network and Distributed System Security (NDSS) Symposium 2025, researchers from Tsinghua University introduced two novel attack vectors, termed CrossPUSH and CrossSXG, which exploit inherent weaknesses in HTTP/2 server push and Signed HTTP Exchange (SXG) mechanisms.
Understanding the Vulnerabilities
The core of these vulnerabilities lies in the disparity between how browsers define origin and how HTTP/2 defines authority. Browsers adhere to a strict same-origin policy (SOP), which restricts web pages from accessing resources across different domains unless they share the same scheme, host, and port. In contrast, HTTP/2 considers any domain listed in the SubjectAlternativeName (SAN) field of a TLS certificate as having the same authority. This inconsistency allows attackers to manipulate HTTP/2 headers to deliver malicious content that browsers mistakenly accept as originating from a trusted source.
Mechanics of CrossPUSH and CrossSXG Attacks
In CrossPUSH attacks, malicious servers exploit the `:authority` pseudo-header in HTTP/2 server push streams. By setting the `:authority` header to a domain listed in their shared certificate, attackers can push resources that browsers cache and later serve as if they were legitimate content from the victim domain. This method effectively injects malicious scripts into the victim’s web pages without direct interaction.
Similarly, CrossSXG attacks manipulate the `request-url` and `validity-url` headers in Signed HTTP Exchanges. By crafting these headers to falsely represent attacker-controlled content as originating from victim domains, browsers are deceived into executing malicious scripts under the guise of trusted sources.
Implications for Web Security
The discovery of these attack vectors has significant implications for web security. Large-scale testing revealed that 11 out of 14 major browsers, including Chrome and Edge, are vulnerable to at least one variant of these attacks. The threat extends beyond browsers to mobile applications, with popular apps like Instagram, WeChat, QQ Mail, Weibo, and TikTok all showing susceptibility.
The research also highlighted that vulnerable software libraries, particularly Chrome-Net, can expose applications to attacks even when they use secure WebKit implementations. This supply chain vulnerability indicates that security dependencies can cascade through multiple applications and platforms, amplifying the risk.
Exploitation Techniques
Attackers can acquire the shared certificates necessary for these attacks through various methods. Domain reselling operations allow attackers to register domains, issue shared certificates, and then sell the domains while retaining control over the certificates. Domain takeover techniques exploit dangling DNS records pointing to discontinued services, enabling certificate acquisition for victim domains.
Measurements revealed that over 11,741 domains in the Tranco Top 1M list had been resold within the attack window, while 4,919 dangling domains could be exploited for certificate acquisition. Notably, 829 of the top 1,000 websites share certificates with lower-ranked, potentially less secure domains, increasing their vulnerability to these attacks.
Mitigation Strategies
To mitigate these vulnerabilities, it is crucial to address the underlying inconsistencies between browser SOP and HTTP/2 authority definitions. Developers and system administrators should:
– Review and Update Certificate Practices: Ensure that TLS certificates are not shared across unrelated domains and regularly audit certificate usage to prevent unauthorized access.
– Implement Strict Content Security Policies (CSP): Define and enforce CSPs to restrict the sources from which scripts and other resources can be loaded, reducing the risk of malicious content execution.
– Enhance Input Validation and Output Encoding: Properly validate and sanitize all user inputs and outputs to prevent the injection of malicious scripts.
– Monitor and Patch Vulnerable Libraries: Regularly update and patch software libraries to address known vulnerabilities and reduce the attack surface.
Conclusion
The identification of CrossPUSH and CrossSXG attacks underscores the evolving nature of web security threats and the need for continuous vigilance. By understanding and addressing these vulnerabilities, developers and security professionals can better protect web applications and users from sophisticated cross-origin attacks.
