the CRITICAL 9.1 severity Next.js vulnerability

Comments

Kinda crazy how vulnerabilities like this still make it into production… Makes you wonder how many more are waiting to be discovered.

gameplay

I maybe understand about 30% of the content of your vids, but that doesn't stop me from watching LOL. The way you break everything down step by step is amazing. I have learned so much just by watching.

chrissiriska

If you've ever worked with NextJS, they're constantly experimenting with new ways to lock devs into Vercel with various hyped-up ideas executed by a bright but too-young-to-be-wise engineering team. If your app has to live for more than 6 months you are forced into constant rewrites to keep up with the endless paradigm shifts to stay current. A lot of promised features are broken or don't work right for many versions. I'm sure there are many, many more vulnerabilities given the nature of what NextJS is.

furycorp

I have one application that is getting ready for production using next.js specifically for authentication using Authorization Code flow with PKCE. I'm really glad I saw this before we went to production.

BitwiseMobile

Just been considering the problem here. It seems odd that skipping the authentication middleware would allow full access, as that middleware should drop you some sort of auth token cookie, meaning that you could see the admin page, but API functions shouldn't work, as they should always check that you are authenticated. This is how some sites used to work: they would have all the admin functions and admin page hidden if you weren't logged in but still served. It didn't matter too much as none of the functions would do anything server-side without logging in. I did find a site where one of the functions wasn't properly secured, but that was a privilege issue rather than a login one.

threeMetreJim

When it was first released they promoted their own WAF in the changelog. They ended up removing that, but I think that really soured people's reaction to the issue. "We could have saved you from the issue we created..."

Mattx

Appreciate the demonstration, that's pretty cool.

raanonyms

This guy is amazing, such a crystal-clear presentation.

YoannGasque-vu

There is a persistent problem I've seen with many front-end developers: the unwillingness to think about what precisely headers do, when they can be set, etc. I've seen a "lock out the world" vulnerability due to mindlessly adopting a service mesh config that should never have *set* X-Forwarded-For, but rather replaced it. This is the "platform team throw over the wall" antipattern, of course.

logiciananimal

Old John Hammond vibe. Keep making this type of content.

pegbangla

Was going to make a video on this today! Thanks John.

VulnerableU

Oh beautiful, time to start looking for Nextjs web apps to screw with!

Twisted_Code

Lowlevellearning did his vibecoding marathon to get his opinion on it, and in a follow up video he specifies that he really does not like it

teemothetroll

Thanks, this gave me a lot of ideas (for bug bounty). Keep making these videos.

bountyproofs

I'm glad that my whole dev team in the company, both FE and BE, all hate Nextjs. If we're gonna do a React project, just use Vite and Bun.

DuK-

I have been binge-watching the vibe stream from the primeagen, they def vibin lol

timthezombie

John, can you do a general and realistic cybersecurity roadmap video? I am asking because not everyone on YT is worth watching. The few we can trust are people like you who genuinely wanna help us.

Thepassionatedone

It would be neat to put out a full video on vibe coding, I have never seen it before... not sure how I feel about it being utilized with the whole AI dilemma, but it could be neat to have more information on it in general, especially for personal projects.

socksman

That looks real bad. Always keep your shit updated folks.

GrossePennnis-ko

@john, what LLM setup did you use to make it create all the project files so neatly saved into the folder? It looked amazing.

andersmelander