
find vulnerabilities on the next.js?

Umh, I think you need to find where some data can be stored and comes from user's input
(cookies, URIs, forms, etc.).
Usually JS libraries (if not under Node.js) only have DOM-based XSSs.
Nowadays it is really hard to find reflected / stored XSS in such libraries (like jQuery and friends), as they're up to date and there is a community updating / fixing them.
So TL;DR:
Most of those libraries can have DOM-based XSS due to improper handling (not enough sanitizing / input handling), improper escapes, improper usage of vulnerable functions, unsafe calls, unsafe code usage and so on.
Classic reflected XSS can be found if the library is used in an unsafe manner, but that's due to the developer's improper security knowledge; other than that, most vulns are DOM-based.
Please correct me if I'm wrong.
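The pattern this reply describes (browser-controlled data reaching a call that parses it as markup or code) can be checked for at code-review time. The block below is an added example, not code from the thread or from any poster; the sink and source lists, the assumed `escapeHtml` helper name, and `SAMPLE_SOURCE` are constructed for illustration. It propagates taint across variable declarations, classifies each sink line, and includes the escaping fix beside the safer `textContent` alternative.

```javascript
// Added example, not code from the thread. A small static check for the
// DOM-XSS pattern described above: browser-controlled data (a "source")
// flowing into a call that parses it as markup or code (a "sink").
// Sink/source lists and SAMPLE_SOURCE below are constructed for illustration.

// Sinks: assignments or calls that interpret a string as HTML or JavaScript.
const DOM_SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*=(?!=)/ },
  { name: 'outerHTML', re: /\.outerHTML\s*=(?!=)/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'document.write', re: /document\.write(?:ln)?\s*\(/ },
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'dangerouslySetInnerHTML', re: /dangerouslySetInnerHTML/ }, // React/Next.js escape hatch
];

// Sources: values an attacker can influence from outside the page.
const DOM_SOURCES = /location\.(?:hash|search|href)|document\.(?:cookie|referrer)|window\.name|URLSearchParams/;

// Name of the escaping helper treated as a mitigation (assumed project convention).
const ESCAPE_CALL = /\bescapeHtml\s*\(/;

// Pass 1: collect variables whose initializer reads a source, or another
// tainted variable (a simple forward-propagating taint over declarations).
function findTaintedNames(source) {
  const tainted = new Set();
  const decl = /\b(?:const|let|var)\s+(\w+)\s*=\s*([^;\n]+)/g;
  let m;
  while ((m = decl.exec(source)) !== null) {
    const [, name, rhs] = m;
    const usesTainted = [...tainted].some((t) => new RegExp(`\\b${t}\\b`).test(rhs));
    if (DOM_SOURCES.test(rhs) || usesTainted) tainted.add(name);
  }
  return tainted;
}

// Pass 2: report every sink line, classified by whether tainted data reaches it
// and whether it passes through the escaping helper first.
function findDomXssCandidates(source) {
  const tainted = findTaintedNames(source);
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const sink = DOM_SINKS.find((s) => s.re.test(line));
    if (!sink) return;
    const isTainted =
      DOM_SOURCES.test(line) || [...tainted].some((t) => new RegExp(`\\b${t}\\b`).test(line));
    let severity = 'untainted';
    if (isTainted) severity = ESCAPE_CALL.test(line) ? 'escaped' : 'high';
    findings.push({ line: idx + 1, sink: sink.name, severity, code: line.trim() });
  });
  return findings;
}

// The usual fix when an HTML context is unavoidable: escape the five
// HTML-significant characters. Prefer textContent (no parsing at all)
// wherever plain text is enough.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample of page code: one vulnerable sink, one safe alternative,
// one escaped use, one constant assignment.
const SAMPLE_SOURCE = `const params = new URLSearchParams(location.search);
const name = params.get('name');
const greet = document.getElementById('greet');
greet.innerHTML = 'Hi ' + name;                 // tainted data parsed as HTML
greet.textContent = 'Hi ' + name;               // safe: rendered as text
greet.innerHTML = 'Hi ' + escapeHtml(name);     // mitigated by escaping
greet.innerHTML = '<b>Welcome</b>';             // constant markup, no user data`;

console.log(JSON.stringify(findDomXssCandidates(SAMPLE_SOURCE), null, 2));
```

Run against `SAMPLE_SOURCE` it reports three `innerHTML` sinks: line 4 as `high` (tainted `name`, no escaping), line 6 as `escaped`, line 7 as `untainted`; the `textContent` line is not a sink at all. A line-level check like this is a triage aid for review, not a proof of absence: data flowing through function calls or object properties is not tracked here.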
 
Try Burp Suite (auto) for scanning
Burp does not have the power to detect such vulnerabilities😄

All entries are reviewed :(
I searched a lot to find a bug.🥵
What other vulnerabilities can I find on it?
Can RCE be found?
 


I think no one can answer your question without knowing the functionality of the tested website (maybe you can provide some details). Regarding Next.js, identify the library version and search for vulnerabilities specific to that version.
 
As xanterq says, you haven't provided the level of detail necessary for anyone to help you. You have to actually learn yourself how to look for vulnerabilities, which takes a lot of hard work. You shouldn't expect someone to be able to help with this kind of question.
 

