EasyWeb Security
Overview
This application appears straightforward, but one endpoint is consistently blocked by server-side request handling logic. Direct access is denied without explanation, suggesting that access control happens before the request reaches the route itself. With no source code available, the only way forward is to study how the framework processes incoming requests and decides whether they should continue. Careful manipulation of the request flow may reveal that the protection layer is not as strict as it appears.
Lab Details
Prerequisites & Requirements
- Basic understanding of web applications
- Familiarity with HTTP requests and responses
- Knowledge of Next.js framework concepts
- Experience with proxy tools like Burp Suite
- Understanding of middleware concepts
What will you learn?
- How to identify Next.js applications and their versions
- Understanding of the CVE-2025-29927 middleware bypass vulnerability
- Techniques for bypassing authentication/authorization middleware
- How to analyze black-box web applications
- The importance of keeping frameworks up to date
Tools
- Burp Suite (or any HTTP intercepting proxy)
- Wappalyzer browser extension
- Web browser
Job Positions
Ethical Hacker
Tags
Broken Access Control, HTTP Headers, JavaScript