[–] cjbprime 1y ago ↗ Looks like it was possible to include the `x-middleware-subrequest` header in your request, tricking the state machine into thinking you'd passed auth already.(Don't use the user input itself to encode state!)
[–] theschmed 1y ago ↗ More details here: https://zhero-web-sec.github.io/research-and-things/nextjs-a...Hat tip ash: https://news.ycombinator.com/item?id=43451485
4 comments
[ 12.5 ms ] story [ 1237 ms ] thread(Don't use the user input itself to encode state!)
Hat tip ash: https://news.ycombinator.com/item?id=43451485