ReCACHE - Excessive Reflection, Type Confusion, and 0-Click ...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://zhero-web-sec.github.io/research-and-things/re-cache-excessive-reflection-type-confusion-and-0-click-sxss-on-nextjs
• Blog Title: Re:CACHE - Excessive Reflection, Type Confusion, and 0-Click SXSS on Next.js
• Suggested Section: Pentesting Web -> Cache Poisoning and Cache Deception; Network Services Pentesting -> 80,443 - Pentesting Web Methodology -> NextJS; Pentesting Web -> XSS

🎯 Content Summary

Overview

The blog describes a real-world zero-click stored XSS (SXSS) chain against a Next.js App Router application deployed behind Cloudflare cache. The root application mistake was unusual but highly dangerous: incoming request headers were mirrored into response headers. This allowed an attacker to inject response headers such as Content-Type and Refresh. Combined with Next.js React Serve...

🔧 Technical Details

Response-header injection via request-header reflection: If an application mirrors incoming request headers into outgoing response headers, attacker-controlled request headers can become trusted response headers. This is dangerous even without HTTP response splitting because framework or application code may preserve attacker-set values. In this case, injecting Content-Type: text/html changed how the browser interpreted a framework-generated response, and injecting Refresh: 0; URL created browser-side navigation from a normal page to an attacker-selected URL.

Next.js App Router RSC content-type confusion: In Next.js App Router, sending Rsc: 1 can request a React Server Component payload normally served as text/x-component. Dynamic RSC payloads may include URL parameters after the __PAGE__ marker, and characters such as < and > may remain unescaped ...

🤖 Agent Actions

Updated src/network-services-pentesting/pentesting-web/nextjs.md.

Added a new App Router technique covering:

• request-header reflection into response headers
• Rsc: 1 / React Server Component response abuse
• Content-Type: text/html override causing RSC-to-HTML type confusion
• cache poisoning turning RXSS into stored XSS
• zero-click delivery via cached Refresh on 200 OK
• triage tips for Vary: Rsc, x-nextjs-prerender, CDN cache headers, and middleware/proxy matchers

Also appended references for:

• the zhero blog post
• MDN Refresh
• Next.js proxy matcher docs

Only this file was changed.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://zhero-web-sec.github.io/research-and-things/re-cache-excessive-reflection-type-confusion-and-0-click-sxss-on-nextjs

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Cache Poisoning and Cache Deception; Network Services Pentesting -> 80,443 - Pentesting Web Methodology -> NextJS; Pentesting Web -> XSS".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0