Cross-Origin Web Attacks via HTTP/2 Server Push and Signed HTTP Exchange
In this talk, we will introduce the security implications of HTTP/2 server push and signed HTTP exchange (SXG) for the Same-Origin Policy (SOP), a fundamental web security mechanism designed to prevent cross-origin attacks. We identify a vulnerability introduced by these features: the traditional strict SOP origin, which is derived from the URI, is undermined by a more permissive HTTP/2 authority check based on the SubjectAlternativeName (SAN) list in the TLS certificate. This relaxation of origin constraints, coupled with the prevalent use of shared certificates among unrelated domains, poses significant security risks, allowing attackers to bypass SOP protections.
We introduce two novel attack vectors, CrossPUSH and CrossSXG, which enable an off-path attacker to execute a wide range of cross-origin web attacks, including arbitrary cross-site scripting (XSS), cookie manipulation, and malicious file downloads, across all domains listed in a shared certificate. Our investigation reveals the practicality and prevalence of these threats: our measurements uncover vulnerabilities in widely used web browsers such as Chrome and Edge, and in notable websites including Microsoft.
We responsibly disclosed our findings to affected vendors and received acknowledgments from Huawei, Baidu, Microsoft, etc.
By:
Pinji Chen | Ph.D. Student, Tsinghua University
Jianjun Chen | Associate Professor, Tsinghua University
Qi Wang | Ph.D. Student, Tsinghua University
Mingming Zhang | Research Assistant, Tsinghua University
Haixin Duan | Professor, Tsinghua University
Presentation Materials Available at:
https://blackhat.com/us-25/briefings/schedule/?#cross-origin-web-attacks-via-http2-server-push-and-signed-http-exchange-45150