Hi Team,
I've observed that the current scanner logic defaults to probing ["/"] when no path list is provided via arguments.
In many production Next.js App Router deployments, middleware.ts is configured to redirect root traffic (e.g., POST / -> 307 /login or 308 /dashboard).
The Problem
When the scanner sends the RSC payload to / and receives a 307/308 redirect, most HTTP clients (and intermediate proxies) will either drop the POST body or convert the method to GET for the subsequent request. Consequently, the malicious RSC payload never reaches the internal parser, resulting in a False Negative on vulnerable targets.
Proposed Solution
Next.js architecture mandates that the "Not Found" (404) handler must be a Server Component to render the error page. By forcing a 404 on a random path (e.g., POST /x7z9q2), we can bypass root middleware/redirects and force the RSC parser to process the payload in-place.
I have prepared a PR implementing a hybrid probing strategy (testing both / and /{random}) to resolve this.
Regards
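As an added illustration (not code from the scanner or from the PR above), the following Python script reproduces the scenario and the proposed hybrid strategy end to end. It starts a constructed in-process mock of a Next.js deployment whose middleware answers `POST /` with `307 Location: /login` and answers any unknown path with a 404 page, then runs a prober that never follows redirects and probes both `/` and a random path. Disabling redirect following is deliberate: compliant clients re-send the method and body on 307/308 (it is 301/302/303 that are commonly turned into GET), but in either case the payload arrives at the redirect target rather than the handler under test, so any 3xx on a probed path is treated as inconclusive rather than as a clean "not vulnerable". The payload body is a constructed placeholder, not an RSC payload, and the mock server, `probe_paths`, `send_probe`, `run_scan` and `demo` are all names invented for this example.

```python
"""Hybrid probe-path strategy for a POST-based scanner (added example)."""
import secrets
import string
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class MockNextMiddleware(BaseHTTPRequestHandler):
    """Constructed stand-in for middleware.ts: redirect / , 404 everything else."""
    received = {}  # path -> body bytes that actually reached the app handler

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        if self.path == "/":
            # Root traffic is redirected before any app code sees the body.
            self.send_response(307)
            self.send_header("Location", "/login")
            self.end_headers()
            return
        # Unknown path: the not-found handler renders, and the body was parsed.
        MockNextMiddleware.received[self.path] = body
        self.send_response(404)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<h1>404 Not Found</h1>")

    def log_message(self, *args):  # keep the demo output quiet
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow 3xx: surface the redirect to the scanner instead."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def random_path(length=8):
    """Random lowercase/digit path segment, e.g. '/x7z9q2ab' (hypothetical)."""
    alphabet = string.ascii_lowercase + string.digits
    return "/" + "".join(secrets.choice(alphabet) for _ in range(length))


def probe_paths(user_paths=None):
    """Hybrid strategy: honour an explicit path list, else probe '/' and a random path."""
    if user_paths:
        return list(user_paths)
    return ["/", random_path()]


def send_probe(base_url, path, payload):
    """POST payload to one path; return (status, Location header or None)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(base_url + path, data=payload, method="POST",
                                 headers={"Content-Type": "text/plain"})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, err.headers.get("Location")


def run_scan(base_url, payload, user_paths=None):
    """Probe every path; a 3xx means the payload was diverted, not parsed in place."""
    results = []
    for path in probe_paths(user_paths):
        status, location = send_probe(base_url, path, payload)
        if 300 <= status < 400:
            verdict = f"redirected to {location} (payload not parsed in place)"
        else:
            verdict = "delivered"
        results.append((path, status, verdict))
    return results


def start_mock_server():
    srv = HTTPServer(("127.0.0.1", 0), MockNextMiddleware)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run the hybrid scan against the mock; return results and what the app received."""
    srv = start_mock_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    payload = b"constructed placeholder body, not a real RSC payload"
    results = run_scan(base, payload)
    delivered = {path: MockNextMiddleware.received.get(path) for path, _, _ in results}
    srv.shutdown()
    srv.server_close()
    return results, delivered


if __name__ == "__main__":
    for path, status, verdict in demo()[0]:
        print(f"{path:12} {status} {verdict}")
```

Against the mock, the `/` probe reports 307 and the body never reaches the handler, while the random-path probe reports 404 with the body received intact, which is exactly the false negative on `/` alone and the reason the second path is worth the extra request.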