Cross-Origin Web Attacks via HTTP/2 Server Push and Signed HTTP Exchange
Black Hat USA 2025 · Day 1 · Briefings
Researchers from Tsinghua University discovered that HTTP/2 and HTTP/3 use a broader, certificate-based ("SAN-based") definition of origin that is more permissive than the URI-based same-origin policy enforced by browsers. By exploiting this gap through HTTP/2 Server Push and Signed HTTP Exchange (SXG), an off-path attacker who holds a certificate shared with a victim domain can inject malicious scripts, manipulate cookies, strip HSTS, and force malicious file downloads, all without a man-in-the-middle position. Eleven top browsers and five default mobile browsers were found vulnerable; a real-world case against a Microsoft Windows Update subdomain was demonstrated.

---
AI review
The SAN-based origin mismatch between HTTP/2 and the browser SOP is a genuine protocol design gap that produces exploitable XSS, cookie manipulation, HSTS bypass, and file injection without an MITM position. The 796-day attack persistence window after DNS remediation and the victim-irrevocability finding elevate this from interesting research to a structural web security problem.
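The core of the talk is the mismatch between two notions of "origin". The following JavaScript is an added example written for this page, not code from the researchers or from any browser: it contrasts the certificate-based authority rule HTTP/2 applies to pushed resources (a server may push for any host its certificate's subjectAltName entries cover, with RFC 6125-style wildcard matching) against the browser's (scheme, host, port) same-origin tuple. The certificate, hostnames, pushed path and the `evaluatePushPromise` helper are all constructed for illustration.

```javascript
// Added example (not from the Black Hat abstract): contrasts the two notions
// of "origin" the talk describes. The certificate, hostnames and pushed path
// below are constructed for illustration only.

// RFC 6125-style hostname matching for one subjectAltName dNSName entry.
// A wildcard is honoured only as the whole leftmost label and matches exactly
// one label, so "*.example.com" covers "cdn.example.com" but not
// "example.com" or "a.b.example.com".
function sanMatchesHost(san, host) {
  const s = san.toLowerCase();
  const h = host.toLowerCase().replace(/\.$/, ''); // strip trailing dot
  if (!s.startsWith('*.')) return s === h;
  const suffix = s.slice(1);                        // ".example.com"
  if (!h.endsWith(suffix)) return false;
  const leftmost = h.slice(0, h.length - suffix.length);
  return leftmost.length > 0 && !leftmost.includes('.');
}

// Certificate-based ("SAN-based") authority as HTTP/2 defines it: the server
// is authoritative for every host its certificate is valid for, regardless of
// which host the client originally connected to.
function certAuthoritativeFor(cert, host) {
  return cert.subjectAltNames.some((san) => sanMatchesHost(san, host));
}

// Browser same-origin policy: exact (scheme, host, port) tuple equality.
function originTuple(url) {
  const u = new URL(url);
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${u.port || defaultPort}`;
}
function sameOrigin(a, b) {
  return originTuple(a) === originTuple(b);
}

// Evaluate a PUSH_PROMISE (its pseudo-headers) received on a connection that
// was opened to connectionUrl and authenticated with cert. Returns what the
// HTTP/2 authority rule accepts versus what a strict URI-based check accepts.
function evaluatePushPromise(connectionUrl, cert, pseudo) {
  const pushedUrl = `${pseudo[':scheme']}://${pseudo[':authority']}${pseudo[':path']}`;
  const pushedHost = new URL(pushedUrl).hostname;
  return {
    pushedUrl,
    // HTTP/2 layer: any https host the certificate covers is acceptable.
    acceptedBySanRule:
      pseudo[':scheme'] === 'https' && certAuthoritativeFor(cert, pushedHost),
    // Strict check: only resources for the origin actually connected to.
    acceptedBySop: sameOrigin(connectionUrl, pushedUrl),
  };
}

// Constructed scenario: the attacker controls cdn.example.com and holds a
// wildcard certificate that also covers the victim host accounts.example.com.
const sharedCert = { subjectAltNames: ['*.example.com', 'example.com'] };
const maliciousPush = {
  ':method': 'GET',
  ':scheme': 'https',
  ':authority': 'accounts.example.com',
  ':path': '/static/login.js',
};
const decision = evaluatePushPromise('https://cdn.example.com/', sharedCert, maliciousPush);
console.log(decision);
// acceptedBySanRule: true, acceptedBySop: false -> the gap the talk exploits
```

The two booleans returned for the constructed push are the whole point: the HTTP/2 authority rule (`acceptedBySanRule`) admits a script for `accounts.example.com` because the shared wildcard certificate covers it, while a URI-based check (`acceptedBySop`) rejects it because the connection was made to `cdn.example.com`. A client that wants to close this gap has to apply the second check to pushed responses, not just the first.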