I am running a small hobby site which is being hit by run-of-the-mill bot attacks looking for PHP / WordPress vulnerabilities. WAF is currently blocking 1k to 2k requests a day. The site is self-contained with no external connections to DBs, images, fonts, login, etc.: a plain static site with parallel routes for modals.
Today I noticed what I believe is an XSS attack specifically targeting Next.js? I don't know, I have never seen paths like this in my top paths.
This is the sort of thing I am starting to see in my Usage → “Top Paths”
These appear to be valid paths in my project
wwwMYURLcom/script%3E%3Cscript%3E%28self.__next_f=self.__next_f%7C%7C%5B%5D%29.push%28%5B0%5D%29%3C/script%3E%3Cscript%3Eself.__next_f.push%28%5B1,%221:I%5B2328,%5B%5D,%5C%22HTTPAccessFallbackBoundary%5C%22%5D%5Cn2:I%5B8173,%5B%5C%22844%5C%22,%5C%22static/chunks/ee560e2c-a4193ca9315437fe.js%5C%22,%5C%228173%5C%22,%5C%22static/chunks/8173-5007b584879b4f93.js%5C%22,%5C%22432%5C%22,%5C%22static/chunks/432-ba16644f3c394f77.js%5C%22,%5C%222592%5C%22,%5C%22static/chunks/2592-a7657808e18ed2c5.js%5C%22,%5C%228917%5C%22,%5C%22static/chunks/8917-ff64b18d2208d623.js%5C%22,%5C%227494%5C%22,%5C%22static/chunks/app/%28mainRoutes%29/layout-9d55fbeb236e71e1.js%5C%22%5D,%5C%22%5C%22%5D%5Cn3:I%5B5244,%5B%5D,%5C%22%5C%22%5D%5Cn4:I%5B3866,%5B%5D,%5C%22%5C%22%5D%5Cn5:%5C%22$Sreact.fragment%5C%22%5Cn6:I%5B9214,%5B%5C%22844%5C%22,%5C%22static/chunks/ee560e2c-a4193ca9315437fe.js%5C%22,%5C%228173%5C%22,%5C%22static/chunks/8173-5007b584879b4f93.js%5C%22,%5C%22432%5C%22,%5C%22static/chunks/432-ba16644f3c394f77.js%5C%22,%5C%222592%5C%22,%5C%22static/chunks/2592-a7657808e18ed2c5.js%5C%22,%5C%228917%5C%22,%5C%22static/chunks/8917-ff64b18d2208d623.js%5C%22,%5C%227494%5C%22,%5C%22static/chunks/app/%28mainRoutes%29/layout-9d55fbeb236e71e1.js%5C%22%5D,%5C%22PreloadChunks%5C%22%5D%5Cn9:I%5B7970,%5B%5C%22844%5C%22,%5C%22static/chunks/ee560e2c-a4193ca9315437fe.js%5C%22,%5C%228173%5C%22,%5C%22static/chunks/8173-5007b584879b4f93.js%5C%22,%5C%227970%5C%22,%5C%22static/chunks/7970-059bcfefe1ab4b4d.js%5C%22,%5C%22432%5C%22,%5C%22static/chunks/432-ba16644f3c394f77.js%5C%22,%5C%222592%5C%22,%5C%22static/chunks/2592-a7657808e18ed2c5.js%5C%22,%5C%228917%5C%22,%5C%22static/chunks/8917-ff64b18d2208d623.js%5C%22,%5C%228974%5C%22,%5C%22static/chunks/app/page-5806fb8f3c4d8070.js
wwwMYURLcom/app/components/Social/Social%5C%22%5D%7D%5D,%5C%22$L16%5C%22%5D%7D%5D%5D%7D%5D%7D%5D%5Cn%22%5D%29%3C/script%3E%3Cscript%3Eself.__next_f.push%28%5B1,%2217:I%5B6558,%5B%5C%22844%5C%22,%5C%22static/chunks/ee560e2c-a4193ca9315437fe.js%5C%22,%5C%228173%5C%22 …
And these paths that are not in my project, found them highly unusual because I have never seen these paths in previous attacks:
wwwMYURLcom/F9CD80F3-B79B-49AB-AD16-6F61BFFFC81B/netdefender/alert/images/bdicon.ico
wwwMYURLcom/F9CD80F3-B79B-49AB-AD16-6F61BFFFC81B/netdefender/alert/css/tl_style.css
wwwMYURLcom/0.6017172153596113
wwwMYURLcom/0.8735843480063348
Can anyone shed some light on this? I did not see paths like this in nextjs 14.
My CSP incorporates all these recommendations for non-nonce configuring: Content Security Policy | Next.js, and I have further restricted my CSP; the Next.js documented base was my starting point.
How concerned should I be?
While trying to sort out other bot attacks I have disabled Vercel Web Analytics. It appears to me that the malicious bots are skewing the web statistics, showing more visitors than there actually are? My mindset has been I would WAF the bad requests, re-enable the web analytics and see if it would give me more accurate data? Has anyone else had a similar experience?
Thx,
Earl
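A small triage helper for paths like the ones quoted above, added here as an example and not part of the original post or of Vercel/Next.js: it percent-decodes each path (repeatedly, to catch double encoding) and flags paths that contain script markup or that do not match the site's own routes. The sample paths and the KNOWN_ROUTES set are constructed assumptions; replace them with your real usage export and route list.

```python
import re
from urllib.parse import unquote

# Constructed sample paths modelled on the ones in the post (host omitted).
SAMPLE_PATHS = [
    "/script%3E%3Cscript%3E%28self.__next_f=self.__next_f%7C%7C%5B%5D%29.push%28%5B0%5D%29%3C/script%3E",
    "/app/components/Social/Social%5C%22%5D%7D%5D,%5C%22$L16%5C%22%5D%7D%5D%5D%7D%5D%7D%5D%5Cn%22%5D%29%3C/script%3E",
    "/F9CD80F3-B79B-49AB-AD16-6F61BFFFC81B/netdefender/alert/images/bdicon.ico",
    "/0.6017172153596113",
    "/",
    "/about",
]

# Assumption: the routes the site actually serves. Fill in from your own project.
KNOWN_ROUTES = {"/", "/about"}

# Script tags or Next.js's inline flight-data variable appearing *inside a path*
# are never legitimate routes, so they are the first thing to flag.
MARKUP_RE = re.compile(r"</?script\b|self\.__next_f", re.IGNORECASE)
# A bare long decimal fraction as the whole path (the "0.60171..." style above).
FLOAT_RE = re.compile(r"^/\d\.\d{10,}$")


def decode_path(path: str) -> str:
    """Percent-decode until the result stops changing (max 3 rounds)."""
    cur = path
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(path: str) -> str:
    """Return a coarse label for one request path from a usage/log export."""
    decoded = decode_path(path)
    if MARKUP_RE.search(decoded):
        return "markup-in-path"   # HTML/JS fragments where a route should be
    if FLOAT_RE.match(decoded):
        return "random-float"     # constructed label for the numeric-only paths
    route = decoded.split("?", 1)[0]
    if route in KNOWN_ROUTES:
        return "known-route"
    return "unknown-path"         # candidate for a WAF rule or a 404 review


def triage(paths):
    """Map each raw path to its label so the categories can be counted."""
    return {p: classify(p) for p in paths}
```

Counting the labels over a day's export separates the markup-in-path and unknown-path noise from real visitors, which is the split you need before trusting analytics again.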