Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Next.js, cache, and chains: the stale elixir

zhero_web_security, posted 1 year ago
  • Next.js is a popular React framework (this website uses it too). getStaticProps runs at build time, so it suits pages whose data is already available when the site is built; getServerSideProps runs on every request and renders from request-time data, which makes the page dynamic. Static output is cacheable; server-rendered output is not, and Next.js sends it with a no-store Cache-Control header by default.
  • During earlier research the author noticed that Next.js internals honour a number of headers and URL parameters that change rendering and caching behaviour. The first one used here is the __nextDataReq=1 parameter: adding it turns the request into a data request, so the server responds with the page's JSON props instead of the rendered HTML.
  • On its own that is harmless, but it is a useful primitive for cache poisoning. Request a getServerSideProps page with the parameter and the JSON comes back instead of the HTML; if the cache in front of the site keys only on the path and ignores the query string, and is willing to store the response, that JSON is saved under the page's key and every later visitor receives JSON where they expected a page.
  • Looking further into Next.js, the author searched for other ways to influence the rendering process. Different kinds of page come back with different Cache-Control headers. Sending the x-now-route-matches header changes how the route is matched, and with it the Cache-Control header, so a response that should never have been cached becomes cacheable and request-specific data ends up in a shared cache.
  • Strangely, the content type of that data response is not application/json but text/html. JSON serialization does not escape < or >, so if any attacker-controlled input is reflected into the page props, the browser renders the response as HTML and the result is XSS.
  • The end of the article goes through their bounty payouts. It's interesting that they reported this directly to the owners of NextJS and to many websites with bug bounty programs. To me, this feels weird because the crux of the issue is in NextJS, which paid out. Double dipping seems unfair to the programs. At the same time, if this deep research didn't result in large payouts, then they wouldn't be incentivized to do it. So, is this just the cost of securing the ecosystem or is this morally wrong? I'm not sure.
  • Great research and an awesome article on the internals of caching/NextJS. Followed on Twitter for sure!
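The chain summarised above, as an added toy model written for this page. It is not code from the article or from Next.js and does not reproduce Next.js internals: the effect of the __nextDataReq parameter and the x-now-route-matches header is simulated to match the write-up, the host name, page path and reflected "name" prop are made up, and the cacheable Cache-Control value the header produces is an assumption of the model. It runs each link of the chain in isolation so you can see why all three (query string ignored by the cache key, a cacheable Cache-Control, and a JSON body served as text/html) are needed.

```javascript
// Added example: a toy model of the chain summarised above. NOT Next.js code;
// the effect of __nextDataReq and x-now-route-matches is simulated to match
// the write-up. Host, page path, the "name" prop and the Cache-Control value
// produced by the header are assumptions of this model.

const ORIGIN_HOST = "http://app.example"; // hypothetical
const PAGE_PATH = "/profile";             // hypothetical getServerSideProps page

const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Simulated origin. The page reflects ?name= into its props, which is the
// reflection the XSS step needs.
function origin(req) {
  const url = new URL(req.url, ORIGIN_HOST);
  const pageProps = { name: url.searchParams.get("name") ?? "anonymous" };

  // Real Next.js default for getServerSideProps responses: not cacheable.
  let cacheControl = "private, no-cache, no-store, max-age=0, must-revalidate";
  // Modeled on the write-up: the routing header makes the response look like a
  // prerendered page, which carries a shared-cache-friendly Cache-Control.
  // (Header value and resulting Cache-Control are assumptions of this model.)
  if ("x-now-route-matches" in req.headers) {
    cacheControl = "s-maxage=31536000, stale-while-revalidate";
  }
  const headers = { "content-type": "text/html; charset=utf-8", "cache-control": cacheControl };

  if (url.searchParams.get("__nextDataReq") === "1") {
    // Data request: the props as JSON. JSON.stringify leaves "<" and ">" alone,
    // and the write-up observed text/html on this response, so a reflected
    // markup payload reaches the browser as renderable HTML.
    return { headers, body: JSON.stringify({ pageProps }) };
  }
  // Normal render: the framework (React in reality, escapeHtml here) escapes.
  return { headers, body: `<html><body><h1>Hello ${escapeHtml(pageProps.name)}</h1></body></html>` };
}

// Simulated CDN. keyIncludesQuery=false is the weak configuration: the cache
// key is the path alone, so /profile?__nextDataReq=1 and /profile share an entry.
function makeCdn({ keyIncludesQuery }) {
  const store = new Map();
  return {
    fetch(req) {
      const url = new URL(req.url, ORIGIN_HOST);
      const key = keyIncludesQuery ? url.pathname + url.search : url.pathname;
      if (store.has(key)) return { ...store.get(key), fromCache: true };
      const res = origin(req);
      if (!/\bno-store\b/.test(res.headers["cache-control"])) store.set(key, res);
      return { ...res, fromCache: false };
    },
  };
}

// One run of the chain: attacker request first, then an unrelated victim.
function runChain({ keyIncludesQuery, sendRouteHeader }) {
  const cdn = makeCdn({ keyIncludesQuery });
  const payload = "<img src=x onerror=alert(1)>"; // no quotes, so survives JSON.stringify
  const attackerUrl = `${PAGE_PATH}?__nextDataReq=1&name=${encodeURIComponent(payload)}`;
  const attacker = cdn.fetch({
    url: attackerUrl,
    headers: sendRouteHeader ? { "x-now-route-matches": "1" } : {},
  });
  const victim = cdn.fetch({ url: PAGE_PATH, headers: {} });
  return {
    attackerCacheControl: attacker.headers["cache-control"],
    victimFromCache: victim.fromCache,
    victimContentType: victim.headers["content-type"],
    victimGotJson: victim.body.startsWith("{"),
    victimHasRawPayload: victim.body.includes(payload),
  };
}

// Remove one link at a time: only the full chain poisons the victim.
const full      = runChain({ keyIncludesQuery: false, sendRouteHeader: true  });
const noHeader  = runChain({ keyIncludesQuery: false, sendRouteHeader: false });
const keyedOnQS = runChain({ keyIncludesQuery: true,  sendRouteHeader: true  });
console.table({ full, noHeader, keyedOnQS });
```

Run it with node and read the table: in the full row the victim is served from cache, the body is JSON, the content type is text/html and the img payload is present unescaped, which is the XSS. Drop the header and the no-store default keeps the response out of the cache; include the query string in the cache key and the attacker's entry never collides with the victim's URL. The same two checks (does the cache key include the query string, and does the origin ever emit a cacheable Cache-Control on a per-request page) are what to verify on a real deployment.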