Episode #280

Middleware Vulnerabilities, Identifying Enumeration with LLMs

This week on Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) return with an episode dedicated to a review of the recent Next.js middleware vulnerability and how it impacts application security and cybersec as a whole. Over-dependence on third-party software, accompanied by agile development, can lead to devastating results when security flaws are identified. They follow up with a demo of using LLMs to analyze HTTP sessions for user enumeration flaws as a sneak peek into an upcoming talk Seth will be giving in a few weeks for BSidesSLC. To watch this episode or any other episode, go to https://www.youtube.com/@AbsoluteAppSec, or find us wherever you get your podcasts.

As a first topic, the hosts discuss the significant CVE affecting Next.js applications, which allows attackers to bypass authorization controls using a specific HTTP header. The vulnerability arises from the framework’s middleware system, where a custom header called X-Middleware-Subrequest is used to manage internal processing. Because this header was initially designed for internal functionality, its exploitation highlights a critical oversight in the security model of Next.js. The exploit works by crafting malicious requests with the X-Middleware-Subrequest header set to simulate legitimate internal traffic. When Next.js detects this header, it skips the usual authorization and validation steps, proceeding directly to the intended application logic. Attackers can manipulate this header to convince the application that requests originate from a trusted internal source, effectively bypassing authorization and gaining access. The inherent flaw lies in the framework’s misplaced trust in a client-supplied header, demonstrating the dangers of assuming internal-only behavior without robust validation.

“A lot of times, we don’t necessarily know what’s going on underneath the hood. We trust that people, quote-unquote, are looking at open source and making sure that it’s secure. But time and time again, we have issues similar to this…where it turns out to be really easy to bypass some sort of security control because we just never thought about it, right? […] The whole idea behind Vibe coding and not having to actually be a coder to produce an application, like low-code platforms in general, is great up until you have a misconfiguration…, up until you have a CVE that all of a sudden exposes hundreds of thousands of sites to very real-world security problems.”

Seth

The discussion further touches on the dangers of using middleware for authorization and session management. Middleware in frameworks such as Next.js often serves as a convenient mechanism for routing and preprocessing requests, but it is not designed to enforce critical security functions. Relying on middleware for authorization can lead to severe vulnerabilities, especially when misconfigurations or oversights occur. Instead, the hosts recommend implementing dedicated authorization layers separate from routing logic. They also emphasize the importance of layered security measures, comprehensive code reviews, and continuous monitoring to detect and respond to malicious activity: the middleware itself isn’t the problem, but the way it is implemented and relied upon can lead to these kinds of problems. Additionally, applying Web Application Firewall (WAF) rules to block malicious headers and ensuring rapid patch deployment are recommended as immediate mitigations. This led to a discussion about the importance of community engagement and the role it plays in advancing application security. Ken and Seth emphasized how collaboration within the cybersecurity community leads to faster identification and mitigation of vulnerabilities. The researchers who disclose security issues, develop tools, and share their findings through blogs and conference talks are providing invaluable contributions to the wider community. Seth and Ken encourage others to contribute to open-source projects, utilize community-created tools like vulnerability scanners, and find corners of the internet that feature community and camaraderie, like the Absolute AppSec Slack channel. This collective exchange of knowledge strengthens the industry’s resilience against cyber threats and ensures a more secure digital environment.
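The two defensive patterns the discussion calls for, as an added example that is not Next.js code or the podcast's own: an edge filter that refuses to honor framework-internal headers from outside the trust boundary, and an authorization decision made in the route handler from the session alone. Only the header name comes from the page; the trusted-hop rule, route policy and session shape are assumptions.

```javascript
// Added example, not Next.js or the podcast's code: two defensive patterns from
// the discussion. The header name is the page's; everything else is assumed.
// Headers only the framework should set. A copy arriving from outside the trust
// boundary is treated as spoofed and dropped before any handler sees it.
const INTERNAL_ONLY_HEADERS = ['x-middleware-subrequest'];

// Assumed: the deployment knows which hop it trusts (here, loopback only).
function isFromTrustedHop(remoteAddr) {
  return remoteAddr === '127.0.0.1' || remoteAddr === '::1';
}

// Edge filter: strip internal-only headers from external requests and record
// that they were attempted, so logs or a WAF rule can alert on it.
function scrubInternalHeaders(req) {
  const headers = {};
  const spoofed = [];
  for (const [name, value] of Object.entries(req.headers)) {
    const lower = name.toLowerCase();
    if (INTERNAL_ONLY_HEADERS.includes(lower) && !isFromTrustedHop(req.remoteAddr)) {
      spoofed.push(lower);
      continue;
    }
    headers[lower] = value;
  }
  return { ...req, headers, spoofed };
}

// Route-level authorization decided from the authenticated session alone, never
// from whether a middleware ran. Assumed session shape: { user: { role } }.
const ROUTE_POLICY = { '/admin/users': ['admin'], '/dashboard': ['admin', 'member'] };

function authorize(session, path) {
  const allowed = ROUTE_POLICY[path];
  if (!allowed) return false; // unknown routes are denied by default
  const role = session && session.user && session.user.role;
  return allowed.includes(role);
}

// One request through both checks: the spoofed header never influences the outcome.
function handle(req, session) {
  const clean = scrubInternalHeaders(req);
  const status = authorize(session, clean.path) ? 200 : 403;
  return { status, spoofedHeaders: clean.spoofed };
}

// Constructed sample: an external client sending the internal-only header.
const SAMPLE_REQUEST = {
  remoteAddr: '203.0.113.10',
  path: '/admin/users',
  headers: { 'X-Middleware-Subrequest': 'constructed-value', Host: 'example.test' },
};
```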

“Over time, we’ve manually been creating checklists of things that we need to go back and investigate, right? And when we create those manually, we’re all limited by the amount of time we have and the experience that we have against a specific application framework, whatever it is. But if we can harness something like an LLM in this case, to actually push those boundaries and speed up that analysis, […] so that I can spend my time actually exploiting as opposed to just gathering data, […] we become more efficient.”

Seth

Seth and Ken also explore the role of AI in detecting user enumeration flaws through dynamic assessments, teasing a talk Seth will be giving at BSides Salt Lake City in a few weeks. User enumeration occurs when attackers can infer valid usernames from application responses, often exploiting differences in error messages or response times. Traditional detection methods can be time-consuming and prone to error, but AI-powered analysis has the potential to enhance this process. By analyzing HTTP sessions and identifying patterns in responses, LLMs can quickly detect inconsistencies that indicate user enumeration vulnerabilities. AI models excel at recognizing these subtle variations that may be difficult for human analysts to catch, reducing detection time and improving accuracy. Incorporating AI into security workflows not only enhances threat detection but also allows security teams to focus on more complex tasks, making AI a valuable asset in securing applications.
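The kind of inconsistency the LLM is asked to find, as an added example that is not the podcast's tooling: a deterministic differential check over a captured login session that flags any response field (status, body length, message wording, timing) that is constant within the known-valid and known-invalid groups but differs between them. The record shape, the timing threshold and the sample session are constructed for the example.

```javascript
// Added example, not the podcast's tooling: a deterministic differential check over
// captured login responses, the kind of signal an LLM review of an HTTP session is
// asked to surface. Record shape and the timing threshold are assumed.
const TIMING_THRESHOLD_MS = 100; // assumed: median gap worth flagging

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Mask tokens and whitespace so only structural wording differences survive.
function normaliseBody(body) {
  return body.replace(/[0-9a-f]{8,}/gi, '<hex>').replace(/\s+/g, ' ').trim();
}

// Compare responses for known-valid vs known-invalid usernames. A field that is
// constant within each group but differs between them is an oracle for account
// existence, which is the enumeration flaw described above.
function findEnumerationSignals(records) {
  const groups = { valid: [], invalid: [] };
  for (const r of records) groups[r.known].push(r);
  if (!groups.valid.length || !groups.invalid.length) return [];
  const signals = [];
  const discrete = {
    status: (r) => r.status,
    bodyLength: (r) => r.body.length,
    message: (r) => normaliseBody(r.body),
  };
  for (const [field, pick] of Object.entries(discrete)) {
    const v = new Set(groups.valid.map(pick));
    const i = new Set(groups.invalid.map(pick));
    if (v.size === 1 && i.size === 1 && [...v][0] !== [...i][0]) signals.push(field);
  }
  const gap = Math.abs(median(groups.valid.map((r) => r.elapsedMs)) -
                       median(groups.invalid.map((r) => r.elapsedMs)));
  if (gap >= TIMING_THRESHOLD_MS) signals.push('timing');
  return signals;
}

// Constructed session: identical status and wording, but known accounts take
// longer (e.g. the password hash is only computed when the user exists).
const SESSION = [
  { username: 'alice', known: 'valid', status: 401, body: 'Invalid credentials', elapsedMs: 310 },
  { username: 'bob', known: 'valid', status: 401, body: 'Invalid credentials', elapsedMs: 295 },
  { username: 'zzz1', known: 'invalid', status: 401, body: 'Invalid credentials', elapsedMs: 12 },
  { username: 'zzz2', known: 'invalid', status: 401, body: 'Invalid credentials', elapsedMs: 15 },
];
```

The check is a cheap first pass; the talk's point is that an LLM can spot the same class of difference without a hand-written rule per field.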

This episode was sponsored by Redpoint Security. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.

The springtime sunshine can sneakily scorch noses that have grown too accustomed to a winter spent indoors. In which case, maybe it’s time to consider a hat to keep you safe from the rays. Visit the merch store to support the show and be prepared for the year’s increasing sun exposure.

And, as always, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack.

Stay Secure,

Seth & Ken

https://www.youtube.com/watch?v=_wEQi8ccvV4 - Episode #163 - IT Army, Secrets, Access Control – In this episode, Seth and Ken fielded a question from the livestream audience to discuss Broken Access Control and Auth providers, as well as a range of ways applications can get it wrong and expose their data and users to various threats.

https://www.youtube.com/watch?v=4lFgAMLSSjw - After Dark Episode #1 – Seth and Ken demonstrate the Practical Secure-Code Review methodology they developed by working through an open-source repository looking for potential, but now patched, bugs. Based on the authentication flow found in the code, Seth found and demonstrated that he could impersonate another user by exploiting the application’s trust of user input.

https://www.youtube.com/watch?v=RqsoNMjKTaw - Episode #155 - Log4Hell, Boring AppSec, Crocs and SOCs – One significant CVE deserves our reminiscences on another. This is the episode where Seth and Ken discuss Log4J while a range of organizations were burning the midnight oil to put fixes in place. We hope that you all aren’t similarly all-hands with any current issues.

Absolute AppSec Happenings

https://portswigger.net/blog/behind-the-scenes-of-burp-ai-how-we-built-it-and-whats-next - PortSwigger broadcast a webinar on Thursday this week with the attractive title The Future of AppSec: PortSwigger's Vision. We’re still waiting on a recap write-up of the thoughts shared there, but this article from last week presents some of the PortSwigger team’s work on Burp AI, which featured in the webinar discussion. For a fuller flavor of the event, Andrew Wilson helpfully ran a live commentary on the webinar in the Absolute AppSec Slack. So stop in there to see how everyone is feeling about the AppSec future.

https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/ - “A Sneaky Phish Just Grabbed my Mailchimp Mailing List” by famed haveibeenpwned operator Troy Hunt. Long an authority and go-to resource for explicating and providing details in the aftermath of publicized breaches, Troy Hunt explains here how his tiredness at an inopportune moment made him more susceptible to being successfully phished. So many of the podcast’s rules of thumb remain true: humans remain a security vulnerability, so you’re better off having plans in place for eventual compromise.

https://www.dryrun.security/blog/dryrun-security-vs-snyk-codeql-sonarqube-and-semgrep---python-django-security-analysis-showdown - This is a follow-up in DryRun Security’s series comparing their tool’s output with traditional static analysis tools. Using LLMs to identify source code vulnerabilities seems to have real advantages over traditional pattern-matching and AST-parsing analysis.

Upcoming Events

Where in the world are Seth and Ken?

April 10-11, 2025 - BSides SLC - A new bit of research is being offered here at BSides SLC by Seth and Redpoint Security principal consultant Justin Larson. If you’re in Salt Lake, come see “Faces in the Fog: Identifying Users through Unconventional Means”.

April 26-27, 2025 - BSides San Francisco 2025 - State of (Absolute) AppSec - Ken and Seth will be hosting a panel on the current state of the application security industry with help from a few friends. Expect spicy takes, opinions, and wild predictions. If you have questions you would like to cover, submit them via this form.

April 28-May 1, 2025 - RSA - Seth and Ken will be in the environs as well for RSA, with a special event that will be taking place on April 28th (“Aegis of Tomorrow: An AI & Security Summit”). Reach out to us if the private event (with Seth, Ken, Jason Haddix, and Daniel Miessler among others) looks like it could be of interest to you, and generally let us know if you’ll be around during the conference and you’d like to catch up.