Login
Posted by Matteo Beccati on Oct 25
========================================================================
Posted by Matteo Beccati on Oct 25
========================================================================
It was the Synthient threat data that ate most of my time this week, and it continues to do so now, the weekend after recording this video. Data like this is equal parts enormously damaging to victims and frustratingly noisy to process. I have to be confident enough that it's new enough, legit enough and impactful enough to justify loading and that the value presented to breach victims sufficiently offsets the inevitable chorus of "what am I meant to do with this, tell me exactly what password was exposed for my record". It's an expensive exercise too; we're currently running an Azure SQL Hyperscale database at 80 cores to analyse the ~2 billion credential stuffing email addresses in this corpus. That's 2 billion unique email addresses too ๐ฎ More on that in the next video, let's just work out if it's going to go live in the system first.
The UK's Home Secretary should use her powers to push the tech industry to deploy stronger technical measures against the surge in phone thefts, according to a House of Commons committee.โฆ
Next.js server actions present an interesting challenge during penetration tests. These server-side functions appear in proxy tools as POST requests with hashed identifiers like a9fa42b4c7d1 in the Next-Action header, making it difficult to understand what each request actually does. When applications have productionBrowserSourceMaps enabled, this Burp extension NextjsServerActionAnalyzer bridges that gap by automatically mapping these hashes to their actual function names.
During a typical web application assessment, endpoints usually have descriptive names and methods: GET /api/user/1 clearly indicates its purpose. Next.js server actions work differently. They all POST to the same endpoint, distinguished only by hash values that change with each build. Without tooling, testers must manually track which hash performs which actionโa time-consuming process that becomes impractical with larger applications.
The extension's effectiveness stems from understanding how Next.js bundles server actions in production. When productionBrowserSourceMaps is enabled, JavaScript chunks contain mappings between action hashes and their original function names.
The tool simply uses flexible regex patterns to extract these mappings from minified JavaScript.
The extension automatically scans proxy history for JavaScript chunks, identifies those containing createServerReference calls, and builds a comprehensive mapping of hash IDs to function names.
Rather than simply tracking which hash IDs have been executed, it tracks function names. This is important since the same function might have different hash IDs across builds, but the function name will remain constant.
For example, if deleteUserAccount() has a hash of a9f8e2b4c7d1 in one build and b7e3f9a2d8c5 in another, manually tracking these would see these as different actions. The extension recognizes they're the same function, providing accurate unused action detection even across multiple application versions.
A useful feature of the extension is its ability to transform discovered but unused actions into testable requests. When you identify an unused action like exportFinancialData(), the extension can automatically:
This removes the manual work of manually creating server action requests.
We recently assessed a Next.js application with dozens of server actions. The client had left productionBrowserSourceMaps enabled in their production environmentโa common configuration that includes debugging information in JavaScript files. This presented an opportunity to improve our testing methodology.
Using the Burp extension, we:
FreshRSS updateUserProfile() and fetchReportData()
The function name mapping transformed our testing approach. Instead of tracking anonymous hashes, we could see that b7e3f9a2 mapped to deleteUserAccount() and c4d8b1e6 mapped to exportUserData(). This clarity helped us create more targeted test cases.
updated Microsoft fixed a security hole in Microsoft 365 Copilot that allowed attackers to trick the AI assistant into stealing sensitive tenant data โ like emails โ via indirect prompt injection attacks.โฆ
Microsoft has released an out-of-band update to patch a critical vulnerability in Windows Server Update Services (WSUS).โฆ
UK Prime Minister Keir Starmer has relaunched his digital ID scheme as something that will make people's lives easier, less than four weeks after announcing it as a measure to tackle illegal working.โฆ
US defense technology biz Shield AI claims it can build a jet-powered vertical take-off and landing (VTOL) autonomous fighter drone that doesn't need a runway to operate.โฆ
Iran's favorite muddy-footed cyberespionage crew is at it again, this time breaching more than 100 government entities across the Middle East and North Africa, according to researchers at Group-IB.โฆ
Federal prosecutors have charged a former general manager of US government defense contractor L3Harris's cyber arm Trenchant with selling secrets to an unidentified Russian buyer for $1.3 million.โฆ
The Canadian outpost of retailer Toys R Us on Thursday notified customers that attackers accessed a database, stole some of their personal information, then posted the data online.โฆ
America's once-ambitious cyber defences are starting to rust, according to the latest annual report from the US Cyberspace Solarium Commission (CSC), which warns that policy momentum has slowed and even slipped backwards thanks to Trump-era workforce and budget cuts.โฆ
