NextJS is a super popular React framework with a ton of extra functionality. In fact, this website is built on top of it. The author of the write-up summarized here was reviewing NextJS and found a way to circumvent the middleware, which is commonly used for authentication.
Within the framework, there is a check for recursive requests, for instance when the middleware itself makes a request back to the server. This is done by setting the x-middleware-subrequest header to the path of the middleware being executed. For every piece of middleware it sees, a colon-delimited path entry is appended. If the middleware has already been seen, the code simply skips it.
As it turns out, it's possible to specify this header yourself! So, if you know the path of the middleware you want to skip, adding x-middleware-subrequest: my_path bypasses it entirely. If the middleware is used for authentication/authorization, that's a horrible vulnerability. The path is somewhat guessable, and the header value can be used as a polyglot as well.
Initially, they found this in an old version of the package. Since that code had been removed, they assumed only older versions were affected. In reality, the code had been moved somewhere else. It's best to report vulnerabilities, even if they only affect older versions. You never know what you're missing about impact as a bug hunter.
In newer versions there is no need to guess the path at all: it is simply middleware or src/middleware. The change to a fixed path actually makes the bypass easier. Additionally, there is now a recursion check with a maximum depth of 5, so middleware: just needs to be repeated 5 times.
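Because the header is an internal recursion marker, it should never arrive from a client. The following is an added example, not code from the summarized write-up or from the NextJS project, showing the defensive side of the mechanism described above and in the newer-version paragraph: an edge-layer inspector that flags any inbound x-middleware-subrequest header (parsing the colon-delimited segments and noting repeated entries that would hit a depth limit), a helper that strips the header before the request reaches the application, and a scanner over constructed access-log lines. The log-line format, the header-object shape, and all sample values are assumptions for the sake of the example.

```javascript
// Added example (not from the post or from Next.js): detect and strip the
// internal x-middleware-subrequest marker on inbound requests at a reverse
// proxy / edge layer, and scan access logs for it.

const SUBREQUEST_HEADER = "x-middleware-subrequest";

// Split the colon-delimited header value into its path segments,
// dropping empty segments (e.g. from a trailing colon).
function parseSubrequestHeader(value) {
  if (typeof value !== "string") return [];
  return value.split(":").filter((s) => s.length > 0);
}

// Inspect a request's headers. `headers` is assumed to be a plain object
// with lowercase keys, as Node's http module provides. Returns a finding
// object when the marker is present, or null when nothing is suspicious.
function inspectRequestHeaders(headers) {
  const raw = headers[SUBREQUEST_HEADER];
  if (raw === undefined) return null;
  const segments = parseSubrequestHeader(raw);
  const unique = new Set(segments);
  return {
    header: SUBREQUEST_HEADER,
    segmentCount: segments.length,
    // The same path listed more than once is the pattern a depth-limit
    // check would count up; a legitimate external client never sends it.
    repeated: unique.size < segments.length,
    segments,
  };
}

// Return a copy of the headers with the internal marker removed
// (case-insensitive match). Stripping at the edge means the application
// never sees a client-supplied value, whatever the recursion logic does.
function stripInternalHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== SUBREQUEST_HEADER) out[name] = value;
  }
  return out;
}

// Scan access-log lines and return those carrying the marker. The assumed
// log format is "<method> <path> <header-name>=<value>" per line.
function scanLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/x-middleware-subrequest=(\S*)/i);
    if (m) hits.push({ line, segments: parseSubrequestHeader(m[1]) });
  }
  return hits;
}

// Constructed sample log lines (not real traffic) to exercise the scanner.
const SAMPLE_LOG_LINES = [
  "GET /admin x-middleware-subrequest=middleware",
  "GET /api/health -",
  "GET /dashboard x-middleware-subrequest=src/middleware:src/middleware",
];

const findings = scanLogLines(SAMPLE_LOG_LINES);
console.log(`${findings.length} of ${SAMPLE_LOG_LINES.length} sample lines carry ${SUBREQUEST_HEADER}`);
```

In practice the strip step belongs in whatever sits in front of the application (CDN, load balancer, reverse proxy), and the inspect step feeds an alert, since any external request carrying this header is worth looking at regardless of the framework version in use.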
They used this exploit on a few bug bounty programs. One program was using the middleware as a rewrite rule, which they could tell from a header in the response. By using this vulnerability, they were able to reach the admin page. On another program, they turned it into a cache poisoning DoS by skipping the rewrite rules to force a 404 response into the cache.
Overall, an excellent write-up on the discovery and exploitation of a NextJS vulnerability. I learned a ton about the framework, exploitation, and proper disclosure from this. Great work!