[web][Pro][medium]
Lab 378 — PulseBoard — Cache Poisoning XSS via Next.js Header Misclassification
hackadvisor
Task: A Next.js 14.2.9 analytics dashboard sits behind Nginx. The /insights page reflects the User-Agent header unsanitized, but it is dynamic (not cached).
Solution: Send the x-now-route-matches header to trick Next.js into treating the page as static/ISR, so that Nginx caches the XSS-poisoned response and serves it to all visitors, including the admin bot, whose flag cookie is exfiltrated via /api/feedback.
$ ls tags/ techniques/
tags: xss, nginx, admin_bot, nextjs, cookie_exfiltration, web_cache_poisoning, cache_key_manipulation, header_misclassification, isr_bypass, user_agent_reflection
techniques: admin_bot_exploitation, honeypot_flag_identification, same_origin_exfiltration_via_api, cache_poisoning_via_header_misclassification, nextjs_x_now_route_matches_isr_bypass, unsanitized_user_agent_reflection
$ grep --similar
Similar writeups
- [web][Pro] Lab 248 — PulseBoard — Next.js Middleware Authorization Bypass — hackadvisor
- [web][Pro] Lab 36 — PulseBoard — Prototype Pollution to RCE via EJS — hackadvisor
- [web][Pro] Lab 326 — PulseBoard — NoSQL Injection in Authentication — hackadvisor
- [web][Pro] Lab 231 — PagePulse — XSS via Web Cache Poisoning — hackadvisor
- [web][Pro] Lab 389 — PulseBoard — SSTI in Custom Widget Template Builder — hackadvisor