
Want to run this Docker container locally?
docker run -d --name flag-red71 --restart always -p 9052:80 joshbeck2024/ctf-nextjs-deep-dive-flag-red71
Next.js Vulnerability Overview
- Core Issue: A flaw in the Next.js middleware layer enables attackers to bypass security checks.
- In this lab, we will:
  - Examine the lab infrastructure and get a feel for the purpose of middleware like this.
  - Learn to detect this vulnerability.
    - False negatives are easy to miss if you don’t understand how this particular detection methodology should be implemented.
  - Exploit it to access the protected /dashboard endpoint.
- Affected Versions:
- Next.js 15.x < 15.2.3
- Next.js 14.x < 14.2.25
- Next.js 13.x < 13.5.9
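The affected-version list above is the basis of the detection step in this lab. The following JavaScript is an added example (not part of the lab or of Next.js) that checks an installed version string against those three ranges and reads the installed version out of a package-lock.json, since checking the range in package.json (e.g. "^15.2.0") instead of the resolved version is one common source of the false negatives mentioned above. Assumptions: the lock file layout is npm's lockfileVersion 1 or 2/3, and prerelease builds such as "15.2.3-canary.1" sort below the release they precede (semver ordering), so they are reported as affected.

```javascript
// Added example: version-based detection for the Next.js middleware flaw
// described on this page. Ranges come from the page; everything else is
// assumption, labelled below.

// First patched release per major line, taken from the affected-version list.
const FIXED_VERSIONS = {
  15: [15, 2, 3],
  14: [14, 2, 25],
  13: [13, 5, 9],
};

// Parse "15.2.3", "v15.2.3" or "15.2.3-canary.1" into its numeric triple
// and a flag saying whether a prerelease suffix was present.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] !== undefined,
  };
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareNums(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> version falls inside one of the page's affected ranges
// false -> patched, or a major line the page does not list (12.x, 16.x ...)
function isAffectedNextVersion(version) {
  const { nums, prerelease } = parseVersion(version);
  const fixed = FIXED_VERSIONS[nums[0]];
  if (!fixed) return false;
  const cmp = compareNums(nums, fixed);
  if (cmp < 0) return true;
  // Assumption: a prerelease of the fix release (15.2.3-canary.1) predates
  // the fix, so treat it as affected rather than risk a false negative.
  return cmp === 0 && prerelease;
}

// Pull the resolved "next" version out of a parsed package-lock.json.
// lockfileVersion 2/3 keep it under packages["node_modules/next"],
// lockfileVersion 1 under dependencies.next (assumed npm layouts).
function installedNextVersion(lock) {
  const v2 = lock.packages && lock.packages['node_modules/next'];
  if (v2 && v2.version) return v2.version;
  const v1 = lock.dependencies && lock.dependencies.next;
  if (v1 && v1.version) return v1.version;
  return null;
}

// Convenience: { version, affected } for a lock file object.
function auditLock(lock) {
  const version = installedNextVersion(lock);
  if (version === null) return { version: null, affected: false };
  return { version, affected: isAffectedNextVersion(version) };
}

// Constructed sample lock file (not from the lab) where package.json asked
// for "^15.2.0" but the resolved install is 15.1.7.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { next: '^15.2.0' } },
    'node_modules/next': { version: '15.1.7' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditLock(SAMPLE_LOCK)); // { version: '15.1.7', affected: true }
}
```

Run it against a real lock file with `auditLock(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; the point of reading the lock rather than package.json is that the range string tells you nothing about what is actually deployed.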
Register an account and log in. You’ll find that you can access the /bitcoin endpoint as an authenticated user, but the /dashboard endpoint is restricted.
/bitcoin is just a cool Bitcoin chart that tracks 7-day price history.

- The /dashboard endpoint will redirect to the home page.

Analysis
- You’ll need to click on the ‘Review Source Code’ link at the top.

The Topology:

- Your Kali Linux machine will be the client user, as shown in the graphic below.
- There is a reverse proxy in front of the actual Next.js application server.
- The Next.js application server is configured to trust specific data the proxy sends to it.
Step 1: The Proxy Receives the Information
