@ ch0k1
2025-05-29 08:33:16
New Attack Bypasses HTTP/2 Security for Arbitrary Cross-Site Scripting
https://cybersecuritynews.com/http-2-security-arbitrary-cross-site-scripting/
A critical vulnerability in HTTP/2 protocol implementations allows attackers to bypass web security protections and execute arbitrary cross-site scripting (XSS) attacks against major websites.
At the Network and Distributed System Security (NDSS) Symposium 2025, Tsinghua University researchers presented their findings, which identify two new attack vectors dubbed “CrossPUSH” and “CrossSXG” that exploit fundamental weaknesses in HTTP/2 server push and Signed HTTP Exchange (SXG) mechanisms.
https://stacker.news/items/991784