GitHub: daker52/nextjs-app-router-security-lab
# Next.js App Router Security Lab
**Hands-on vulnerable patterns and fixes for Next.js 16+ App Router — Server Actions, RSC boundaries, middleware, and secrets.**
[Quick start](#-quick-start) ·
[Modules](#-modules-mvp) ·
[Methodology](./docs/METHODOLOGY.md) ·
[Tool mapping](./docs/TOOL-MAPPING.md) ·
[Roadmap](./ROADMAP.md) ·
[Legal](./docs/LEGAL-AND-ETHICS.md)
**Related repos:** [Security Shield (secure baseline)](https://github.com/daker52/Next.js---Security-shield-list-help) · [Pentest Toolkit (OSS tools)](https://github.com/daker52/opensource-pentest-toolkit)
## Why this lab exists
Most security labs (DVWA, WebGoat, Juice Shop) target PHP, Java or classic Express/SPA stacks. **Next.js App Router** introduces attack surfaces those labs do not cover:
- **Server Actions** are public HTTP endpoints: any client can POST to them, so each action needs its own authentication, input validation and authorization
- **React Server Components** blur the server/client data boundary, so server-only data can end up in the client payload
- **Middleware matchers** are easy to misconfigure, leaving routes that look protected without an authentication check
This repository pairs each flaw with a **secure counterpart** and links to detection tools and production patterns.
```mermaid
flowchart LR
    subgraph lab [This repo]
        V[vulnerable variant]
        S[secure variant]
    end
    subgraph ecosystem [Ecosystem]
        PT[Pentest Toolkit]
        SH[Security Shield]
    end
    V -->|exploit in lab| S
    S -->|implement in prod| SH
    PT -->|scanning tools| V
```
## Quick start
### Prerequisites
- Node.js 20+
- npm 10+
### Install
```bash
git clone https://github.com/daker52/nextjs-app-router-security-lab.git
cd nextjs-app-router-security-lab
npm install
```
### Run a module
```bash
# Vulnerable variant (learn the bug)
npm run dev:module -- 01-server-action-no-auth vulnerable
# http://localhost:3001

# Secure variant (see the fix)
npm run dev:module -- 01-server-action-no-auth secure
# http://localhost:3011
```
### Docker (optional)
```bash
docker compose up module01-vulnerable
# http://localhost:3001
```
### Build all apps (CI does this)
```bash
npm run build:modules
```
## Modules (MVP)
| # | Module | CWE focus | Vuln port | Secure port |
|---|--------|-----------|-----------|-------------|
| 01 | [server-action-no-auth](./modules/01-server-action-no-auth/) | Missing authorization | 3001 | 3011 |
| 02 | [server-action-no-zod](./modules/02-server-action-no-zod/) | Improper input validation | 3002 | 3012 |
| 03 | [idor-server-action](./modules/03-idor-server-action/) | IDOR | 3003 | 3013 |
| 05 | [secret-in-client-bundle](./modules/05-secret-in-client-bundle/) | Sensitive data exposure | 3005 | 3015 |
| 06 | [weak-middleware-matcher](./modules/06-weak-middleware-matcher/) | Missing authentication | 3006 | 3016 |
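Module 06 is about a `config.matcher` that looks right but only covers the index route. To show the bug without running Next.js, here is an added example (not the lab's module code) with a reduced model of how a matcher entry selects request paths. The real matcher is path-to-regexp; this version implements only literal segments, `:param` (one segment) and `:param*` (zero or more segments), which is enough to reproduce the mistake, and the `hasSession` flag stands in for verifying the session cookie.

```typescript
// Added example (not the lab's code): a reduced model of how a
// `config.matcher` entry in middleware.ts selects request paths.
// Supports literal segments, `:param` and `:param*` only.

function compileMatcher(pattern: string): RegExp {
  let source = "^";
  for (const segment of pattern.split("/").slice(1)) {
    if (segment.startsWith(":") && segment.endsWith("*")) {
      source += "(?:/[^/]+)*"; // `/dashboard/:path*` also matches `/dashboard` itself
    } else if (segment.startsWith(":")) {
      source += "/[^/]+"; // exactly one path segment
    } else {
      source += "/" + segment.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp(source + "/?$");
}

function isProtected(matchers: string[], path: string): boolean {
  return matchers.some((m) => compileMatcher(m).test(path));
}

// WEAK (module 06): the literal matcher runs middleware on the index route
// only, so every nested page under /dashboard is served without the check.
const weakMatcher = ["/dashboard"];

// FIXED: `:path*` covers the index route and every nested route below it.
const fixedMatcher = ["/dashboard/:path*", "/api/admin/:path*"];

// Simulated middleware outcome for one request. "not-run" means the
// matcher excluded the path, so the auth logic never executed at all.
function middlewareDecision(
  matchers: string[],
  path: string,
  hasSession: boolean,
): "not-run" | "next" | "redirect" {
  if (!isProtected(matchers, path)) return "not-run";
  return hasSession ? "next" : "redirect";
}
```

The outcome to look for is `"not-run"` for `/dashboard/settings` under the weak matcher: the request is not rejected, the middleware simply never sees it. Even with the fixed matcher, keep the authorization check inside the page or Server Action as well; the matcher decides only whether middleware executes, not whether the route is safe.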
Each module directory contains:
```text
modules/XX-name/
├── README.md     # Threat model, exploit steps, remediation
├── vulnerable/   # Broken Next.js mini-app
└── secure/       # Patched version
```
## Learning path
1. Read [docs/METHODOLOGY.md](./docs/METHODOLOGY.md)
2. Complete modules **01 → 02 → 03 → 05 → 06**
3. Map findings to [docs/TOOL-MAPPING.md](./docs/TOOL-MAPPING.md)
4. Apply fixes using [Next.js Security Shield](https://github.com/daker52/Next.js---Security-shield-list-help)
## Coming soon
Modules **04, 07–10** (CSRF, open redirect, mass assignment, rate limits, Auth.js misconfig) are tracked in [ROADMAP.md](./ROADMAP.md). Want to contribute? Use the [module request template](./.github/ISSUE_TEMPLATE/module-request.yml).
## Repository structure
```text
nextjs-app-router-security-lab/
├── modules/            # 5 MVP lessons (vulnerable + secure)
├── docs/               # Methodology, legal, tool mapping
├── scripts/            # dev-module, build-all
├── docker-compose.yml
└── .github/workflows/ci.yml
```
## Maintainer
**OndHa** — [@daker52](https://github.com/daker52) · [wwwkkcode.cz](https://wwwkkcode.cz)
## License
MIT — see [LICENSE](./LICENSE). Individual tools referenced in [TOOL-MAPPING.md](./docs/TOOL-MAPPING.md) have their own licenses.