HackTricksNextJS
Reading time: 27 minutes
tip
Jifunze na fanya mazoezi ya AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: 
HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: 
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na π¬ kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter π¦ @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.
Miundo ya Jumla ya Programu ya Next.js
Muundo wa Faili wa Kawaida
Mradi wa kawaida wa Next.js unafuata muundo maalum wa faili na saraka unaouwezesha vipengele vyake kama routing, API endpoints, na static asset management. Hapa ni mpangilio wa kawaida:
my-nextjs-app/
βββ node_modules/
βββ public/
β βββ images/
β β βββ logo.png
β βββ favicon.ico
βββ app/
β βββ api/
β β βββ hello/
β β βββ route.ts
β βββ layout.tsx
β βββ page.tsx
β βββ about/
β β βββ page.tsx
β βββ dashboard/
β β βββ layout.tsx
β β βββ page.tsx
β βββ components/
β β βββ Header.tsx
β β βββ Footer.tsx
β βββ styles/
β β βββ globals.css
β β βββ Home.module.css
β βββ utils/
β βββ api.ts
βββ .env.local
βββ next.config.js
βββ tsconfig.json
βββ package.json
βββ README.md
βββ yarn.lock / package-lock.json
Direktori na Faili za Msingi
- public/: Inahifadhi mali zisizo za mabadiliko kama images, fonti, na faili nyingine. Faili hapa zinapatikana kwenye root path (
/). - app/: Direktori kuu kwa pages, layouts, components, na API routes za application yako. Inatumia paradigmu ya App Router, ikiruhusu vipengele vya routing vya hali ya juu na mgawanyiko wa components za server-client.
- app/layout.tsx: Hutatua root layout kwa application yako, ikizunguka kurasa zote na kutoa elementi za UI zinazofanana kama headers, footers, na navigation bars.
- app/page.tsx: Inatumikia kama entry point kwa route ya mzizi
/, ikitoa ukurasa wa nyumbani. - app/[route]/page.tsx: Inasimamia static na dynamic routes. Kila folder ndani ya
app/inawakilisha sehemu ya route, napage.tsxndani ya folder hizo inalingana na component ya route. - app/api/: Ina API routes, ikikuruhusu kuunda serverless functions zinazoshughulikia HTTP requests. Routes hizi zinachukua nafasi ya jadi
pages/apidirectory. - app/components/: Ina components za React zinazoweza kutumika tena katika kurasa na layouts tofauti.
- app/styles/: Ina faili za global CSS na CSS Modules kwa styling inayolenga component.
- app/utils/: Inajumuisha utility functions, helper modules, na logic nyingine zisizo za UI ambazo zinaweza kushirikiwa katika application.
- .env.local: Inahifadhi environment variables maalum kwa mazingira ya local development. Variables hizi si kuingizwa kwenye version control.
- next.config.js: Inabinafsisha tabia ya Next.js, ikijumuisha webpack configurations, environment variables, na setting za usalama.
- tsconfig.json: Inaseti TypeScript settings za project, ikiruhusu type checking na vipengele vingine vya TypeScript.
- package.json: Inasimamia dependencies za project, scripts, na metadata.
- README.md: Inatoa documentation na taarifa kuhusu project, ikijumuisha maelekezo ya setup, mwongozo wa matumizi, na maelezo mengine muhimu.
- yarn.lock / package-lock.json: Hufunga dependencies za project kwa matoleo maalum, kuhakikisha installations zinazofanana katika mazingira tofauti.
Client-Side katika Next.js
File-Based Routing katika app Directory
app directory ni nguzo ya routing katika matoleo mapya ya Next.js. Inatumia filesystem kuainisha routes, ikifanya usimamizi wa route kuwa rahisi kuelewa na unaoweza kupanuka.
Kushughulikia Path ya Mzizi /
Muundo wa Faili:
my-nextjs-app/
βββ app/
β βββ layout.tsx
β βββ page.tsx
βββ public/
βββ next.config.js
βββ ...
Faili Muhimu:
app/page.tsx: Inashughulikia maombi kwa njia ya mzizi/.app/layout.tsx: Inabainisha layout ya programu, ikizunguka kurasa zote.
Utekelezaji:
tsxCopy code// app/page.tsx
export default function HomePage() {
return (
<div>
<h1>Welcome to the Home Page!</h1>
<p>This is the root route.</p>
</div>
);
}
Maelezo:
- Ufafanuzi wa ruta: Faili
page.tsxiliyoko moja kwa moja chini ya saraka yaappinalingana na ruta/. - Uwasilishaji: Komponenti hii huonyesha maudhui ya ukurasa wa nyumbani.
- Uunganishaji wa Layout: Komponenti ya
HomePageimezungushiwa nalayout.tsx, ambayo inaweza kujumuisha header, footer, na vipengele vingine vya kawaida.
Kushughulikia Njia Nyingine za Static
Mfano: Ruta /about
Muundo wa Faili:
arduinoCopy codemy-nextjs-app/
βββ app/
β βββ about/
β β βββ page.tsx
β βββ layout.tsx
β βββ page.tsx
βββ public/
βββ next.config.js
βββ ...
Utekelezaji:
// app/about/page.tsx
export default function AboutPage() {
return (
<div>
<h1>About Us</h1>
<p>Learn more about our mission and values.</p>
</div>
)
}
Maelezo:
- Ufafanuzi wa Route: The
page.tsxfile inside theaboutfolder corresponds to the/aboutroute. - Rendering: Component hii inaonyesha maudhui ya ukurasa wa about.
Routes Dinamiki
Routes dinamiki zinaruhusu kushughulikia njia zenye vipengele vinavyobadilika, kuruhusu applications kuonyesha maudhui kulingana na vigezo kama IDs, slugs, n.k.
Mfano: /posts/[id] Route
Muundo wa Faili:
arduinoCopy codemy-nextjs-app/
βββ app/
β βββ posts/
β β βββ [id]/
β β βββ page.tsx
β βββ layout.tsx
β βββ page.tsx
βββ public/
βββ next.config.js
βββ ...
Utekelezaji:
tsxCopy code// app/posts/[id]/page.tsx
import { useRouter } from 'next/navigation';
interface PostProps {
params: { id: string };
}
export default function PostPage({ params }: PostProps) {
const { id } = params;
// Fetch post data based on 'id'
return (
<div>
<h1>Post #{id}</h1>
<p>This is the content of post {id}.</p>
</div>
);
}
Maelezo:
- Segmenti ya Dynamic:
[id]inaonyesha segmenti inayobadilika katika ruta, ikishikilia parameter yaidkutoka kwa URL. - Kupata Vigezo:
paramsobject ina vigezo zinazobadilika, vinavyoweza kufikiwa ndani ya komponenti. - Upatanisho wa Njia: Njia yoyote inayolingana na
/posts/*, kama/posts/1,/posts/abc, n.k., itashughulikiwa na komponenti hii.
Ruta Zilizowekwa Ndani
Next.js inaunga mkono ruta zilizowekwa ndani, ikiruhusu muundo wa ruta wa kihierarkia unaoiga mpangilio wa saraka.
Mfano: Njia /dashboard/settings/profile
Muundo wa Faili:
arduinoCopy codemy-nextjs-app/
βββ app/
β βββ dashboard/
β β βββ settings/
β β β βββ profile/
β β β βββ page.tsx
β β βββ page.tsx
β βββ layout.tsx
β βββ page.tsx
βββ public/
βββ next.config.js
βββ ...
Utekelezaji:
tsxCopy code// app/dashboard/settings/profile/page.tsx
export default function ProfileSettingsPage() {
return (
<div>
<h1>Profile Settings</h1>
<p>Manage your profile information here.</p>
</div>
);
}
Maelezo:
- Uwekaji wa tabaka nyingi: Faili
page.tsxiliyoko ndani yadashboard/settings/profile/inalingana na route/dashboard/settings/profile. - Uakisi wa Hierarki: Muundo wa saraka unaakisi njia ya URL, ukiboresha urahisi wa matengenezo na uwazi.
Njia za kupokea yote
Njia za kupokea yote zinashughulikia sehemu nyingi zilizowekwa ndani au njia zisizojulikana, na kutoa unyumbufu katika kushughulikia njia.
Mfano: /* Njia
Muundo wa Faili:
my-nextjs-app/
βββ app/
β βββ [..slug]/
β β βββ page.tsx
β βββ layout.tsx
β βββ page.tsx
βββ public/
βββ next.config.js
βββ ...
Utekelezaji:
// app/[...slug]/page.tsx
interface CatchAllProps {
params: { slug: string[] }
}
export default function CatchAllPage({ params }: CatchAllProps) {
const { slug } = params
const fullPath = `/${slug.join("/")}`
return (
<div>
<h1>Catch-All Route</h1>
<p>You have navigated to: {fullPath}</p>
</div>
)
}
Maelezo:
- Catch-All Segment:
[...slug]inakamata sehemu zote za path zilizobaki kama array. - Matumizi: Inatumika kushughulikia routing ya dinamik kama paths zinazotengenezwa na watumiaji, makundi yaliyowekwa ndani (nested categories), n.k.
- Kufanana kwa Njia: Njia kama
/anything/here,/foo/bar/baz, n.k., zinasimamiwa na component hii.
Udhaifu za upande wa mteja
Wakati Next.js inatoa msingi salama, mbinu zisizofaa za kuandika code zinaweza kuleta udhaifu. Udhaifu muhimu upande wa mteja ni pamoja na:
Cross-Site Scripting (XSS)
Mashambulizi ya XSS hutokea wakati skripti zenye madhumuni mabaya zinaingizwa kwenye tovuti zinazoaminika. Washambuliaji wanaweza kuendesha skripti kwenye vivinjari vya watumiaji, kuiba data au kutekeleza vitendo kwa niaba ya mtumiaji.
Mfano wa Code yenye Udhaifu:
// Dangerous: Injecting user input directly into HTML
function Comment({ userInput }) {
return <div dangerouslySetInnerHTML={{ __html: userInput }} />
}
Kwa Nini Ni Hatari: Kutumia dangerouslySetInnerHTML na input isiyotegemewa kunaruhusu attackers kuingiza malicious scripts.
Client-Side Template Injection
Hutokea wakati inputs za watumiaji hazishughulikiwa ipasavyo katika templates, kuruhusu attackers kuingiza na kuendesha templates au expressions.
Mfano wa Code yenye Udhaifu:
import React from "react"
import ejs from "ejs"
function RenderTemplate({ template, data }) {
const html = ejs.render(template, data)
return <div dangerouslySetInnerHTML={{ __html: html }} />
}
Kwa Nini Ni Hatari: Ikiwa template au data inajumuisha yaliyomo hatarishi, inaweza kusababisha utekelezaji wa code isiyokusudiwa.
Client Path Traversal
Ni udhaifu unaowawezesha wadukuzi kurekebisha client-side paths ili kufanya vitendo visivyokusudiwa, kama vile Cross-Site Request Forgery (CSRF). Tofauti na server-side path traversal, ambayo inalenga filesystem ya server, CSPT inalenga kuchukua faida ya mechanisms za client-side ili kupitisha tena API requests halali kwa endpoints zenye madhumuni mabaya.
Mfano wa Vulnerable Code:
Programu ya Next.js inawawezesha watumiaji kupakia na kupakua files. Kipengele cha download kimefanywa upande wa client, ambapo watumiaji wanaweza kubainisha file path ya kupakua.
// pages/download.js
import { useState } from "react"
export default function DownloadPage() {
const [filePath, setFilePath] = useState("")
const handleDownload = () => {
fetch(`/api/files/${filePath}`)
.then((response) => response.blob())
.then((blob) => {
const url = window.URL.createObjectURL(blob)
const a = document.createElement("a")
a.href = url
a.download = filePath
a.click()
})
}
return (
<div>
<h1>Download File</h1>
<input
type="text"
value={filePath}
onChange={(e) => setFilePath(e.target.value)}
placeholder="Enter file path"
/>
<button onClick={handleDownload}>Download</button>
</div>
)
}
Senario ya Shambulio
- Lengo la Mshambuliaji: Fanya shambulio la CSRF ili kufuta faili muhimu (mfano,
admin/config.json) kwa kubadilishafilePath. - Kuitumia CSPT:
- Ingizo Mbaya: Mshambuliaji anaunda URL yenye
filePathiliyorekebishwa kama../deleteFile/config.json. - Kiito cha API kinachotokea: Msimbo upande wa mteja unafanya ombi kwa
/api/files/../deleteFile/config.json. - Ushughulikiaji wa Seva: Ikiwa seva haitathibitisha
filePath, itashughulikia ombi hilo, na inaweza kufuta au kufichua faili nyeti.
- Kutekeleza CSRF:
- Kiungo kilichotengenezwa: Mshambuliaji anamtumia mwathiriwa kiungo au kuingiza script hatari inayochochea ombi la kupakua lenye
filePathiliyorekebishwa. - Matokeo: Mwathiriwa kwa kutokujua anatekeleza kitendo hicho, na kusababisha upatikanaji au kufutwa kwa faili bila idhini.
Kwa Nini Ni Hatari
- Ukosefu wa Uthibitishaji wa Ingizo: Upande wa mteja unaruhusu ingizo lolote la
filePath, kuruhusu path traversal. - Kuamini Ingizo za Mteja: API upande wa seva inaamini na kushughulikia
filePathbila kusafisha. - Vitendo Vinavyowezekana vya API: Ikiwa endpoint ya API inafanya vitendo vinavyobadilisha hali (mfano, kufuta, kubadilisha faili), inaweza kutumika vibaya kupitia CSPT.
Upande wa Seva katika Next.js
Server-Side Rendering (SSR)
Kurasa zinatengenezwa kwenye seva kwa kila ombi, kuhakikisha kwamba mtumiaji anapokea HTML iliyokamilika. Katika kesi hii unapaswa kuunda seva yako ya desturi ili kushughulikia maombi.
Matumizi:
- Maudhui yanayobadilika mara kwa mara.
- Uboreshaji wa SEO, kwani injini za utafutaji zinaweza kukagua ukurasa uliotengenezwa kikamilifu.
Utekelezaji:
// pages/index.js
export async function getServerSideProps(context) {
const res = await fetch("https://api.example.com/data")
const data = await res.json()
return { props: { data } }
}
function HomePage({ data }) {
return <div>{data.title}</div>
}
export default HomePage
Uzalishaji wa Tovuti Zisizobadilika (SSG)
Kurasa zinatayarishwa mapema wakati wa kujenga, na kusababisha nyakati za kupakia haraka na kupungua kwa mzigo wa seva.
Matumizi:
- Maudhui ambayo hayabadiliki mara kwa mara.
- Blogu, nyaraka, kurasa za uuzaji.
Utekelezaji:
// pages/index.js
export async function getStaticProps() {
const res = await fetch("https://api.example.com/data")
const data = await res.json()
return { props: { data }, revalidate: 60 } // Revalidate every 60 seconds
}
function HomePage({ data }) {
return <div>{data.title}</div>
}
export default HomePage
Serverless Functions (API Routes)
Next.js inawezesha kuunda API endpoints kama serverless functions. Functions hizi zinaendesha kwa mahitaji (on-demand) bila hitaji la server maalum.
Use Cases:
- Kushughulikia uwasilishaji wa fomu.
- Kuingiliana na hifadhidata.
- Kuchakata data au kuunganisha na third-party APIs.
Implementation:
Kutokana na kuanzishwa kwa saraka ya app katika Next.js 13, routing na kushughulikia API vimekuwa vinavyofanya kazi kwa urahisi zaidi na vinavyokuwa na uwezo mkubwa zaidi. Mbinu hii ya kisasa inalingana kwa karibu na mfumo wa routing unaotegemea faili lakini inaleta uwezo ulioboreshwa, ikijumuisha msaada kwa components za server na client.
Basic Route Handler
File Structure:
my-nextjs-app/
βββ app/
β βββ api/
β βββ hello/
β βββ route.js
βββ package.json
βββ ...
Utekelezaji:
// app/api/hello/route.js
export async function POST(request) {
return new Response(JSON.stringify({ message: "Hello from App Router!" }), {
status: 200,
headers: { "Content-Type": "application/json" },
})
}
// Client-side fetch to access the API endpoint
fetch("/api/submit", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ name: "John Doe" }),
})
.then((res) => res.json())
.then((data) => console.log(data))
Maelezo:
- Location: API routes zipo chini ya saraka ya
app/api/. - File Naming: Kila endpoint ya API iko katika folda yake yenye faili
route.jsauroute.ts. - Functions Zilizotolewa: Badala ya default export moja, functions maalum za HTTP method (k.m.,
GET,POST) zinatolewa. - Response Handling: Tumia constructor ya
Responsekurudisha majibu, ambayo inaruhusu udhibiti zaidi wa headers na status codes.
Jinsi ya kushughulikia paths na methods zingine:
Kushughulikia HTTP Methods Maalum
Next.js 13+ inakuwezesha kufafanua handlers kwa HTTP methods maalum ndani ya faili ile ile ya route.js au route.ts, ikichangia msimbo ulio wazi zaidi na uliopangwa vizuri.
Mfano:
// app/api/users/[id]/route.js
export async function GET(request, { params }) {
const { id } = params
// Fetch user data based on 'id'
return new Response(JSON.stringify({ userId: id, name: "Jane Doe" }), {
status: 200,
headers: { "Content-Type": "application/json" },
})
}
export async function PUT(request, { params }) {
const { id } = params
// Update user data based on 'id'
return new Response(JSON.stringify({ message: `User ${id} updated.` }), {
status: 200,
headers: { "Content-Type": "application/json" },
})
}
export async function DELETE(request, { params }) {
const { id } = params
// Delete user based on 'id'
return new Response(JSON.stringify({ message: `User ${id} deleted.` }), {
status: 200,
headers: { "Content-Type": "application/json" },
})
}
Maelezo:
- Kuagiza Nyingi: Kila method ya HTTP (
GET,PUT,DELETE) ina function yake iliyotumwa. - Vigezo: Hoja ya pili inatoa ufikiaji wa vigezo vya njia kupitia
params. - Majibu Yaboreshewa: Udhibiti mkubwa juu ya vitu vya majibu, kuruhusu usimamizi sahihi wa headers na status codes.
Catch-All na Nested Routes
Next.js 13+ inaunga mkono sifa za routing za juu kama catch-all routes na nested API routes, ikiruhusu miundo ya API yenye nguvu zaidi na inayoweza kupanuka.
Mfano wa Catch-All Route:
// app/api/[...slug]/route.js
export async function GET(request, { params }) {
const { slug } = params
// Handle dynamic nested routes
return new Response(JSON.stringify({ slug }), {
status: 200,
headers: { "Content-Type": "application/json" },
})
}
Maelezo:
- Sintaksia:
[...]inaonyesha segmenti inayoshika yote, ikikamata njia zote zilizo ndani. - Matumizi: Inafaa kwa APIs zinazohitaji kushughulikia kina tofauti za njia au segmenti zinazobadilika.
Mfano wa Nested Routes:
// app/api/posts/[postId]/comments/[commentId]/route.js
export async function GET(request, { params }) {
const { postId, commentId } = params
// Fetch specific comment for a post
return new Response(
JSON.stringify({ postId, commentId, comment: "Great post!" }),
{
status: 200,
headers: { "Content-Type": "application/json" },
}
)
}
Maelezo:
- Uwekaji wa kina: Inaruhusu miundo ya API yenye ngazi, ikionyesha uhusiano wa rasilimali.
- Ufikiaji wa vigezo: Kupata kwa urahisi vigezo vingi vya route kupitia object ya
params.
Kusimamia API routes katika Next.js 12 na Matoleo ya awali
API Routes in the pages Directory (Next.js 12 and Earlier)
Kabla ya Next.js 13 kutambulisha directory ya app na kuongeza uwezo ulioboreshwa wa routing, API routes ziliainishwa hasa ndani ya directory ya pages. Mbinu hii bado inatumiwa sana na inasaidiwa katika Next.js 12 na matoleo ya awali.
API Route ya Msingi
Muundo wa Faili:
goCopy codemy-nextjs-app/
βββ pages/
β βββ api/
β βββ hello.js
βββ package.json
βββ ...
Utekelezaji:
javascriptCopy code// pages/api/hello.js
export default function handler(req, res) {
res.status(200).json({ message: 'Hello, World!' });
}
Maelezo:
- Location: API routes ziko chini ya saraka
pages/api/. - Export: Tumia
export defaultkufafanua kazi ya mshughulikiaji. - Function Signature: Mshughulikiaji hupokea vitu
req(maombi ya HTTP) nares(majibu ya HTTP). - Routing: Jina la faili (
hello.js) linaendana na endpoint/api/hello.
Routes za API Zinazobadilika
Muundo wa Faili:
bashCopy codemy-nextjs-app/
βββ pages/
β βββ api/
β βββ users/
β βββ [id].js
βββ package.json
βββ ...
Utekelezaji:
javascriptCopy code// pages/api/users/[id].js
export default function handler(req, res) {
const {
query: { id },
method,
} = req;
switch (method) {
case 'GET':
// Fetch user data based on 'id'
res.status(200).json({ userId: id, name: 'John Doe' });
break;
case 'PUT':
// Update user data based on 'id'
res.status(200).json({ message: `User ${id} updated.` });
break;
case 'DELETE':
// Delete user based on 'id'
res.status(200).json({ message: `User ${id} deleted.` });
break;
default:
res.setHeader('Allow', ['GET', 'PUT', 'DELETE']);
res.status(405).end(`Method ${method} Not Allowed`);
}
}
Maelezo:
- Segimenti Dinamiki: Mabano ya mraba (
[id].js) yanaonyesha segimenti za route zinazobadilika. - Kupata Vigezo: Tumia
req.query.idkupata parameter ya dinamiki. - Kushughulikia Mbinu: Tumia mantiki ya masharti kushughulikia mbinu tofauti za HTTP (
GET,PUT,DELETE, nk).
Kushughulikia Mbinu Tofauti za HTTP
Wakati mfano wa msingi wa API route unashughulikia mbinu zote za HTTP ndani ya kazi moja, unaweza kuandaa msimbo wako kushughulikia kila mbinu waziwazi kwa uwazi zaidi na urahisi wa matengenezo.
Mfano:
javascriptCopy code// pages/api/posts.js
export default async function handler(req, res) {
const { method } = req;
switch (method) {
case 'GET':
// Handle GET request
res.status(200).json({ message: 'Fetching posts.' });
break;
case 'POST':
// Handle POST request
res.status(201).json({ message: 'Post created.' });
break;
default:
res.setHeader('Allow', ['GET', 'POST']);
res.status(405).end(`Method ${method} Not Allowed`);
}
}
Mazoea Bora:
- Separation of Concerns: Tenganisha wazi mantiki kwa ajili ya HTTP methods tofauti.
- Response Consistency: Hakikisha muundo wa majibu ni thabiti ili kurahisisha kushughulikia upande wa client.
- Error Handling: Shughulikia kwa uangalifu methods zisizoungwa mkono na makosa yasiyotegemewa.
Usanidi wa CORS
Dhibiti origins zinazoweza kufikia API routes zako, kupunguza Cross-Origin Resource Sharing (CORS) vulnerabilities.
Mfano wa Usanidi Mbaya:
// app/api/data/route.js
export async function GET(request) {
return new Response(JSON.stringify({ data: "Public Data" }), {
status: 200,
headers: {
"Access-Control-Allow-Origin": "*", // Allows any origin
"Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
},
})
}
Kumbuka kwamba CORS pia inaweza kusanidiwa katika routes zote za API ndani ya faili ya middleware.ts:
// app/middleware.ts
import { NextResponse } from "next/server"
import type { NextRequest } from "next/server"
export function middleware(request: NextRequest) {
const allowedOrigins = [
"https://yourdomain.com",
"https://sub.yourdomain.com",
]
const origin = request.headers.get("Origin")
const response = NextResponse.next()
if (allowedOrigins.includes(origin || "")) {
response.headers.set("Access-Control-Allow-Origin", origin || "")
response.headers.set(
"Access-Control-Allow-Methods",
"GET, POST, PUT, DELETE, OPTIONS"
)
response.headers.set(
"Access-Control-Allow-Headers",
"Content-Type, Authorization"
)
// If credentials are needed:
// response.headers.set('Access-Control-Allow-Credentials', 'true');
}
// Handle preflight requests
if (request.method === "OPTIONS") {
return new Response(null, {
status: 204,
headers: response.headers,
})
}
return response
}
export const config = {
matcher: "/api/:path*", // Apply to all API routes
}
Tatizo:
Access-Control-Allow-Origin: '*': Inaruhusu tovuti yoyote kufikia API, na hivyo kuweza kuruhusu tovuti zenye nia mbaya kuingiliana na API yako bila vikwazo.- Kuruhusu mbinu zote: Kuruhusu methods zote kunaweza kumruhusu mshambuliaji kufanya matendo yasiyotakikana.
Jinsi washambuliaji wanavyovitumia:
Washambuliaji wanaweza kutengeneza tovuti zenye madhumuni mabaya zinazofanya ombi kwa API yako, na hivyo kuweza kutumia vibaya uwezo kama upokeaji wa data, urekebishaji wa data, au kusababisha vitendo visivyotakikana kwa niaba ya watumiaji walioidhinishwa.
CORS - Misconfigurations & Bypass
Kufichuliwa kwa code ya server upande wa mteja
Ni rahisi kutumia code inayotumika kwenye server pia katika code inayofichuliwa na kutumika upande wa mteja; njia bora kuhakikisha kwamba faili ya code haitafichuliwa kwenye upande wa mteja ni kutumia import hii mwanzoni mwa faili:
import "server-only"
Faili Muhimu na Nafasi Zao
middleware.ts / middleware.js
Location: Mzizi wa mradi au ndani ya src/.
Kusudi: Inaendesha msimbo upande wa server kabla ya ombi kushughulikiwa, ikiruhusu kazi kama uthibitishaji, redirects, au kubadilisha majibu.
Mtiririko wa Utekelezaji:
- Ombi linalokuja: Middleware inakata ombi.
- Usindikaji: Inafanya operesheni kulingana na ombi (mfano, kukagua uthibitishaji).
- Urekebishaji wa Majibu: Inaweza kubadilisha majibu au kupeleka udhibiti kwa handler inayofuata.
Mifano ya Matumizi:
- Kupeleka watumiaji wasio na uthibitishaji.
- Kuongeza headers zilizobinafsishwa.
- Kurekodi maombi.
Mfano wa Usanidi:
// middleware.ts
import { NextResponse } from "next/server"
import type { NextRequest } from "next/server"
export function middleware(req: NextRequest) {
const url = req.nextUrl.clone()
if (!req.cookies.has("token")) {
url.pathname = "/login"
return NextResponse.redirect(url)
}
return NextResponse.next()
}
export const config = {
matcher: ["/protected/:path*"],
}
next.config.js
Location: Mzizi wa mradi.
Purpose: Kusanidi tabia za Next.js, kuruhusu au kuzima vipengele, kubadilisha webpack configurations, kuweka environment variables, na kusanidi vipengele kadhaa vya usalama.
Key Security Configurations:
Vichwa vya Usalama
Vichwa vya usalama huimarisha usalama wa programu yako kwa kuelekeza vivinjari jinsi ya kushughulikia maudhui. Husaidia kupunguza mashambulizi mbalimbali kama Cross-Site Scripting (XSS), Clickjacking, na MIME type sniffing:
- Content Security Policy (CSP)
- X-Frame-Options
- X-Content-Type-Options
- Strict-Transport-Security (HSTS)
- Referrer Policy
Mifano:
// next.config.js
module.exports = {
async headers() {
return [
{
source: "/(.*)", // Apply to all routes
headers: [
{
key: "X-Frame-Options",
value: "DENY",
},
{
key: "Content-Security-Policy",
value:
"default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval';",
},
{
key: "X-Content-Type-Options",
value: "nosniff",
},
{
key: "Strict-Transport-Security",
value: "max-age=63072000; includeSubDomains; preload", // Enforces HTTPS
},
{
key: "Referrer-Policy",
value: "no-referrer", // Completely hides referrer
},
// Additional headers...
],
},
]
},
}
Mipangilio ya Uboreshaji wa Picha
Next.js huboresha picha kwa ajili ya utendaji, lakini mipangilio isiyofaa inaweza kusababisha udhaifu wa usalama, kama kuruhusu vyanzo visivyo vya kuaminika kuingiza yaliyomo hatarishi.
Mfano wa Mpangilio Mbaya:
// next.config.js
module.exports = {
images: {
domains: ["*"], // Allows images from any domain
},
}
Tatizo:
'*': Inaruhusu picha kupakiwa kutoka kwa chanzo chochote cha nje, ikiwa ni pamoja na vikoa visivyoaminika au vya ujeuri. Washambuliaji wanaweza kuweka picha zenye payload za ujeuri au maudhui yanayowadanganya watumiaji.- Shida nyingine inaweza kuwa kuruhusu domaini ambapo mtu yeyote anaweza kupakia picha (kama
raw.githubusercontent.com)
Jinsi washambuliaji wanavyovitumia:
Kwa kuingiza picha kutoka vyanzo vya ujeuri, washambuliaji wanaweza kufanya mashambulizi ya phishing, kuonyesha taarifa za kudanganya, au kutumia udhaifu katika maktaba za kuonyesha picha.
Ufunuo wa Variable za Mazingira
Dhibiti taarifa nyeti kama API keys na database credentials kwa usalama bila kuzifunua kwa client.
a. Kufunua Vigezo Nyeti
Mfano wa Usanidi Mbaya:
// next.config.js
module.exports = {
env: {
SECRET_API_KEY: process.env.SECRET_API_KEY, // Exposed to the client
NEXT_PUBLIC_API_URL: process.env.NEXT_PUBLIC_API_URL, // Correctly prefixed for client
},
}
Tatizo:
SECRET_API_KEY: Bila kiambishiNEXT_PUBLIC_, Next.js haiwafichi variables kwa client. Hata hivyo, ikiwa kwa bahati mbaya imewekwa kiambishi (kwa mfano,NEXT_PUBLIC_SECRET_API_KEY), inakuwa inapatikana upande wa client.
Jinsi washambuliaji wanavyovitumia vibaya:
Iwapo variables nyeti zitatangazwa kwa client, washambuliaji wanaweza kuzichukua kwa kuchunguza code ya upande wa client au network requests, na kupata ufikiaji usioidhinishwa kwa APIs, databases, au huduma nyingine.
Uelekezaji (Redirects)
Simamia uelekezaji na rewriting za URL ndani ya application yako, ukihakikisha watumiaji wanaelekezwa ipasavyo bila kuanzisha open redirect vulnerabilities.
a. Open Redirect Vulnerability
Mfano wa Mipangilio Mbaya:
// next.config.js
module.exports = {
async redirects() {
return [
{
source: "/redirect",
destination: (req) => req.query.url, // Dynamically redirects based on query parameter
permanent: false,
},
]
},
}
Tatizo:
- Lengo Dinamiki: Inaruhusu watumiaji kubainisha URL yoyote, ikiruhusu open redirect attacks.
- Kumwamini Ingizo la Mtumiaji: Kupeleka tena kwa URLs zinazotolewa na watumiaji bila uthibitisho kunaweza kusababisha phishing, malware distribution, au credential theft.
Jinsi washambuliaji wanavyovitumia:
Washambuliaji wanaweza kutengeneza URL zinazoonekana kuanzia kutoka domain yako lakini kupeleka watumiaji kwa tovuti zenye nia mbaya. Kwa mfano:
https://yourdomain.com/redirect?url=https://malicious-site.com
Watumiaji wanaomuamini domain asilia wanaweza bila kutambua kuingia kwenye tovuti zenye madhara.
Webpack Configuration
Binafsisha Webpack configurations kwa application yako ya Next.js; hizi zinaweza bila kukusudia kuleta udhaifu wa usalama ikiwa hazitashughulikiwa kwa uangalifu.
a. Kufichua Moduli Nyeti
Mfano Mbaya wa Mipangilio:
// next.config.js
module.exports = {
webpack: (config, { isServer }) => {
if (!isServer) {
config.resolve.alias["@sensitive"] = path.join(__dirname, "secret-folder")
}
return config
},
}
Tatizo:
- Kuonyesha Njia Zenye Usiri: Aliasing sensitive directories na kuruhusu client-side access kunaweza leak taarifa za siri.
- Kujumuisha Siri: Ikiwa mafaili nyeti yamejumuishwa kwa client, yaliyomo yao yanapatikana kupitia source maps au kwa kuchunguza client-side code.
Jinsi washambuliaji wanavyovitumia:
Washambuliaji wanaweza kupata au kujenga upya muundo wa saraka wa application, na hivyo kupata na exploit mafaili au data nyeti.
pages/_app.js and pages/_document.js
pages/_app.js
Madhumuni: Inabadilisha default App component, ikiruhusu global state, styles, na layout components.
Matumizi:
- Kuingiza global CSS.
- Kuongeza layout wrappers.
- Kuingiza state management libraries.
Mfano:
// pages/_app.js
import "../styles/globals.css"
function MyApp({ Component, pageProps }) {
return <Component {...pageProps} />
}
export default MyApp
pages/_document.js
Madhumuni: Inabadili Document chaguo-msingi, ikiruhusu kubinafsisha tagi za HTML na Body.
Matumizi:
- Kurekebisha tagi
<html>au<body>. - Kuongeza meta tagi au script maalum.
- Kuunganisha fonti za wahusika wa tatu.
Mfano:
// pages/_document.js
import Document, { Html, Head, Main, NextScript } from "next/document"
class MyDocument extends Document {
render() {
return (
<Html lang="en">
<Head>{/* Custom fonts or meta tags */}</Head>
<body>
<Main />
<NextScript />
</body>
</Html>
)
}
}
export default MyDocument
Custom Server (Optional)
Madhumuni: Ingawa Next.js inakuja na built-in server, unaweza kuunda custom server kwa matumizi ya hali ya juu kama custom routing au kuunganisha na existing backend services.
Kumbuka: Kutumia custom server kunaweza kupunguza chaguzi za deployment, hasa kwenye platforms kama Vercel ambazo zinaoptimize kwa Next.js's built-in server.
Mfano:
// server.js
const express = require("express")
const next = require("next")
const dev = process.env.NODE_ENV !== "production"
const app = next({ dev })
const handle = app.getRequestHandler()
app.prepare().then(() => {
const server = express()
// Custom route
server.get("/a", (req, res) => {
return app.render(req, res, "/a")
})
// Default handler
server.all("*", (req, res) => {
return handle(req, res)
})
server.listen(3000, (err) => {
if (err) throw err
console.log("> Ready on http://localhost:3000")
})
})
Mambo ya Ziada ya Usanifu na Usalama
Variable za Mazingira na Usanidi
Madhumuni: Kusimamia taarifa nyeti na mipangilio ya usanidi nje ya codebase.
Mbinu Bora:
- Tumia faili
.env: Hifadhi vigezo kama API keys katika.env.local(imeondolewa kwenye version control). - Pata vigezo kwa usalama: Tumia
process.env.VARIABLE_NAMEkupata vigezo vya mazingira. - Usifunue siri kwa client: Hakikisha vigezo nyeti vinatumika upande wa server tu.
Mfano:
// next.config.js
module.exports = {
env: {
API_KEY: process.env.API_KEY, // Accessible on both client and server
SECRET_KEY: process.env.SECRET_KEY, // Be cautious if accessible on the client
},
}
Kumbuka: Ili kuzuia variables ziwe upande wa server tu, ziondoe kutoka kwenye env object au ziweke na prefix NEXT_PUBLIC_ ili ziweze kuonekana kwa client.
Uthibitishaji na Uidhinishaji
Mbinu:
- Session-Based Authentication: Tumia cookies kusimamia vikao vya watumiaji.
- Token-Based Authentication: Tekeleza JWTs kwa uthibitishaji usiohifadhi state (stateless).
- Third-Party Providers: Unganisha na OAuth providers (mfano, Google, GitHub) ukitumia maktaba kama
next-auth.
Mambo ya Usalama:
- Secure Cookies: Weka attributes za
HttpOnly,Secure, naSameSite. - Password Hashing: Daima hash nywila kabla ya kuzihifadhi.
- Input Validation: Zuia injection attacks kwa kuthibitisha na kusafisha inputs.
Mfano:
// pages/api/login.js
import { sign } from "jsonwebtoken"
import { serialize } from "cookie"
export default async function handler(req, res) {
const { username, password } = req.body
// Validate user credentials
if (username === "admin" && password === "password") {
const token = sign({ username }, process.env.JWT_SECRET, {
expiresIn: "1h",
})
res.setHeader(
"Set-Cookie",
serialize("auth", token, {
path: "/",
httpOnly: true,
secure: true,
sameSite: "strict",
})
)
res.status(200).json({ message: "Logged in" })
} else {
res.status(401).json({ error: "Invalid credentials" })
}
}
Uboreshaji wa Utendaji
Mikakati:
- Image Optimization: Tumia komponenti ya Next.js
next/imagekwa uboreshaji wa picha kiotomatiki. - Code Splitting: Tumia dynamic imports kugawanya msimbo na kupunguza muda wa mzigo wa awali.
- Caching: Tekeleza mikakati ya caching kwa majibu ya API na rasilimali statiki.
- Lazy Loading: Paka komponenti au rasilimali tu wakati zinapohitajika.
Mfano:
// Dynamic Import with Code Splitting
import dynamic from "next/dynamic"
const HeavyComponent = dynamic(() => import("../components/HeavyComponent"), {
loading: () => <p>Loading...</p>,
})
Next.js Server Actions Enumeration (hash to function name via source maps)
Next.js ya kisasa inatumia βServer Actionsβ ambazo zinaendeshwa kwenye server lakini zinaamuliwa kutoka kwa client. Katika production, miito hii haijaonekana wazi: POST zote zinafika kwenye endpoint moja ya kawaida na zinafahamishwa kwa hash maalum ya build inayotumwa kwenye Next-Action header. Mfano:
POST /
Next-Action: a9f8e2b4c7d1...
Wakati productionBrowserSourceMaps imewezeshwa, minified JS chunks zinaoita createServerReference(...) ambazo leak muundo wa kutosha (plus associated source maps) ili kupata mapping kati ya action hash na jina la function la asili. Hii inakuwezesha kutafsiri hashes zilizoonekana katika Next-Action kuwa malengo mahususi kama deleteUserAccount() au exportFinancialData().
Mbinu ya uchimbaji (regex on minified JS + optional source maps)
Tafuta JS chunks zilizopakuliwa kwa createServerReference na toa hash na function/source symbol. Mifumo miwili inayofaa:
# Strict pattern for standard minification
createServerReference\)\"([a-f0-9]{40,})\",\w+\.callServer,void 0,\w+\.findSourceMapURL,\"([^\"]+)\"\)
# Flexible pattern handling various minification styles
createServerReference[^\"]*\"([a-f0-9]{40,})\"[^\"]*\"([^\"]+)\"\s*\)
- Kikundi 1: server action hash (40+ hex chars)
- Kikundi 2: alama au njia inayoweza kutatuliwa hadi kazi ya asili kupitia source map inapopatikana
Ikiwa script inatangaza source map (maoni mwishoni //# sourceMappingURL=<...>.map), ipakue na tatua alama/njΓa hadi jina la kazi ya asili.
Practical workflow
- Ugunduzi usioingilia wakati wa kuvinjari: rekodi requests zenye headers
Next-Actionna JS chunk URLs. - Pakua JS bundles zilizotajwa na faili za
*.mapzinazoambatana (zinapopatikana). - Endesha regex hapo juu ili kujenga kamusi ya hashβname.
- Tumia kamusi kwa kuzingatia upimaji:
- Triage inayotegemea majina (mfano,
transferFunds,exportFinancialData). - Fuatilia coverage katika builds kwa jina la function (hashes rotate across builds).
Exercising hidden actions (template-based request)
Chukua POST halali uliyoiona in-proxy kama template na badilisha thamani ya Next-Action ili kulenga action nyingine uliyogundua:
# Before
Next-Action: a9f8e2b4c7d1
# After
Next-Action: b7e3f9a2d8c5
Rudisha katika Repeater na jaribu idhinisho, uthibitishaji wa pembejeo na mantiki ya biashara ya actions ambazo vinginevyo haviwezi kufikiwa.
Uendeshaji kiotomatiki wa Burp
- NextjsServerActionAnalyzer (Burp extension) inaotomatisha yaliyotajwa hapo juu katika Burp:
- Inapitia historia ya proxy kwa JS chunks, hutoa entries za
createServerReference(...), na husoma source maps inapopatikana. - Inadumisha kamusi inayoweza kutafutwa ya hashβfunction-name na huondoa dupliketi katika builds kwa jina la function.
- Inaweza kupata POST ya template halali na kufungua tab ya Repeater tayari-kutumwa na hash ya action lengwa imebadilishwa.
- Repo: https://github.com/Adversis/NextjsServerActionAnalyzer
Maelezo na vikwazo
- Inahitaji
productionBrowserSourceMapskuwezeshwa katika production ili kurejesha majina kutoka kwa bundles/source maps. - Ufunuo wa function-name sio udhaifu wa usalama kwa mwenyewe; utumie kuongoza ugunduzi na kujaribu idhinisho ya kila action.
Marejeo
- Pentesting Next.js Server Actions β A Burp Extension for Hash-to-Function Mapping
- NextjsServerActionAnalyzer (Burp extension)
tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Angalia mpango wa usajili!
- Jiunge na π¬ kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter π¦ @hacktricks_live.
- Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.