Digging for SSRF in NextJS apps

Submitted by Style Pass, 2024-05-10 18:30:06

If you want to design a mostly static, modern landing page for your brand new business, what do you do? Ten years ago, it felt like every company was using a heavyweight CMS like WordPress. To a hacker, the attack surface of CMS solutions is well understood. It feels like some critical vulnerability is found in a CMS or CMS plugin every day.

However, in the modern era, companies are increasingly moving to more lightweight solutions. The past few years have seen an explosion in the popularity of 'static' site generators, such as Nuxt, Hugo, and Gatsby. Perhaps the most popular of all is NextJS, which, despite often being used to serve simple static content, has a plethora of server-side features enabled by default. At Assetnote, we encounter sites running NextJS extremely often; in this blog post we will detail some common misconfigurations we find in NextJS websites, along with a vulnerability we found in the framework.

NextJS has an image optimization component built in and enabled by default. The idea is straightforward: if you have a large image duck.jpg that you want to serve at a smaller size, or at a dynamic size, it would be wasteful to send the (possibly multi-megabyte) image to the client and resize it using HTML. Instead, you can write something in your React like:
