Exploit Public-Facing Application

Attackers send crafted React Server Components Flight requests to public-facing endpoints (for example /_rsc) on vulnerable React/Next.js servers, gaining unauthenticated remote code execution.

Metadata

Severity: critical
Slug: exploit-public-facing-application

MITRE

T1190: Exploit Public-Facing Application
T1059.007: Command and Scripting Interpreter: JavaScript
T1059.001: Command and Scripting Interpreter: PowerShell
T1505.003: Server Software Component: Web Shell
T1552.001: Unsecured Credentials: Credentials In Files

Available Labs

Open Javascript labs in SecDim Play for this vulnerability.

easy

React2Shell.ir

JavaScript Easy Incident Response React NoCDE New

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.