Server Actions Hackable
Answered
The King posted this in #help-forum
The King (OP)
I'm pretty new to Next.js, but my friend hacked my site using just my server actions and I don't have an API.
import requests
import random
import string


def genemail():
    # Random 10-character local part at gmail.com, so every run uses a fresh address.
    username = "".join(random.choices(string.ascii_lowercase + string.digits, k=10))
    email = f"{username}@gmail.com"
    return email


def genusername():
    username = "".join(random.choices(string.ascii_lowercase + string.digits, k=10))
    return username


def main():
    email = genemail()
    username = genusername()
    # The action's arguments are sent as a JSON array, in the order the action declares them.
    payload = [username, email, 'password123']
    headers = {
        # The action ID the Next.js client sends to select which server action runs.
        "next-action": "ec299efcc2a6444d7c3b226025ee031f7a24832f",
    }
    response = requests.post("Url Here", headers=headers, json=payload)
    # Checks the response body for "200", as in the original script.
    if "200" in response.text:
        print(f"Account successfully created using email:{email} and username:{username}")
    else:
        print("Failed to create account")


main()
How do I fix this?
Answered by joulev
Server actions are just another form of API routes, so this is just equivalent to a script sending a request to this API route. Server actions are just HTTP requests behind the scenes, and HTTP requests are not required to be made from the sign-up form frontend.
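Since the action ID in the next-action header is shipped to every browser that loads the form, it is not a secret, and the only thing standing between the script above and your database is what the action itself checks. The following is an added example, not code from the thread or from Next.js: a sign-up Server Action that treats its arguments as untrusted input and validates them on the server. The names signUp, registerUser and validateSignupArgs, the length limits, and the in-memory Map standing in for the database are all assumptions made for the example.

```typescript
// Added example, not code from the original thread: a sign-up Server Action
// that validates every argument on the server. Hypothetical names: signUp,
// registerUser, validateSignupArgs, the limits below and the in-memory store.
"use server";

import { randomBytes, scryptSync } from "node:crypto";

export type SignupResult =
  | { ok: true; username: string }
  | { ok: false; errors: string[] };

// Limits chosen for this example; they are not Next.js defaults.
const USERNAME_RE = /^[a-z0-9_]{3,20}$/;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const MIN_PASSWORD_LENGTH = 12;

// Constructed in-memory store standing in for the real database.
const users = new Map<string, { email: string; passwordHash: string }>();

// The wire payload is whatever JSON the caller chose to send (the script in
// the thread sends a three-element array), so every argument starts as `unknown`
// and nothing the browser-side form checked can be relied on here.
export function validateSignupArgs(
  username: unknown,
  email: unknown,
  password: unknown,
): string[] {
  const errors: string[] = [];
  if (typeof username !== "string" || !USERNAME_RE.test(username)) {
    errors.push("username must be 3-20 lowercase letters, digits or underscores");
  }
  if (typeof email !== "string" || email.length > 254 || !EMAIL_RE.test(email)) {
    errors.push("email is not well-formed");
  }
  if (typeof password !== "string" || password.length < MIN_PASSWORD_LENGTH) {
    errors.push(`password must be at least ${MIN_PASSWORD_LENGTH} characters`);
  }
  return errors;
}

// Synchronous core so it can be exercised without an HTTP request.
export function registerUser(
  username: unknown,
  email: unknown,
  password: unknown,
): SignupResult {
  const errors = validateSignupArgs(username, email, password);
  if (errors.length > 0) {
    // Structured rejection; never leak framework internals to the caller.
    return { ok: false, errors };
  }
  // After validation the string casts are safe.
  const name = username as string;
  if (users.has(name)) {
    return { ok: false, errors: ["username already taken"] };
  }
  // Store a salted scrypt hash, never the password itself.
  const salt = randomBytes(16);
  const hash = scryptSync(password as string, salt, 64);
  users.set(name, {
    email: email as string,
    passwordHash: `${salt.toString("hex")}:${hash.toString("hex")}`,
  });
  return { ok: true, username: name };
}

// This exported async function is what Next.js exposes as the Server Action.
export async function signUp(
  username: unknown,
  email: unknown,
  password: unknown,
): Promise<SignupResult> {
  return registerUser(username, email, password);
}

export function registeredUserCount(): number {
  return users.size;
}
```

The validation lives in an ordinary function that the action delegates to, so the same checks run whether the call comes from the form or from a script, and the checks can be unit-tested without standing up the app.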
2 Replies
@The King
This is not hacking. They simply sent the same HTTP request that your sign-up form sends. Nothing crazy here, and your system is not compromised.