Explore the frontier of HTTP/2 research in this Black Hat conference talk, uncovering implementation flaws and RFC imperfections that enable HTTP/2-exclusive desync attacks. Delve into case studies targeting high-profile websites powered by various servers, including Amazon's Application Load Balancer, WAFs, CDNs, and bespoke stacks by big tech. Learn about request smuggling via HTTP/2 downgrades, H2.TE Desync attacks, H2.X via Request Splitting, and ambiguous HTTP/2 requests. Discover potential attacks, including URL token hijacking, header hijacking, and cache poisoning via tunnelling. Examine the tooling situation and defense strategies against these vulnerabilities. Gain valuable insights into the security implications of HTTP/2 implementation and walk away with key takeaways to enhance your understanding of this protocol's potential risks.