New Attack Bypasses HTTP/2 Security for Arbitrary Cross-Site Scripting
New Attack Bypasses HTTP/2 Security for Arbitrary Cross-Site Scripting
cybersecuritynews.com
New Attack Bypasses HTTP/2 Security for Arbitrary Cross-Site Scripting
1 comments
-
Not going to downplay the vulnerability, but the key requirement for this attack is that both attacker and the victim domain must both be present in the SSL certificate's SAN entries. This is something that can happen, e.g. with some web hosters, but is probably pretty rare.