Posts on b4y.dev - Binary dev

Next.js Middleware Authorization Bypass - CVE-2025-29927

Mon, 24 Mar 2025 00:00:00 +0000

A critical security vulnerability has been discovered in Next.js that enables attackers to bypass middleware-based authorization checks. This comprehensive guide analyzes the vulnerability, demonstrates testing methods, and provides remediation strategies.

Key Takeaways

Critical vulnerability affecting Next.js versions 11.1.4 through 15.2.3
Allows complete bypass of middleware-based security controls
Simple exploitation using a single HTTP header
Affects self-hosted Next.js applications using middleware
Official patches available for all affected versions

Technical Analysis

Understanding the Vulnerability

The vulnerability (CVE-2025-29927) exploits a design flaw in Next.js’s middleware processing system. At its core, the issue lies in how Next.js handles the x-middleware-subrequest header, which was originally designed for internal use to prevent recursive middleware execution.

Understanding and Writing Suricata IDS Rules

Mon, 24 Feb 2025 00:00:00 +0000

Suricata is a powerful open-source Intrusion Detection System (IDS) that helps monitor network traffic for suspicious activities. One of its key features is the ability to write custom rules to detect specific patterns or behaviors. In this post, we’ll explore how to write effective Suricata rules with practical examples.

Basic Rule Structure

A Suricata rule follows this basic structure:

action protocol source_ip source_port -> destination_ip destination_port (rule options)

Let’s break down each component:

Setup OpenVPN Server on Linux

Mon, 16 Sep 2024 00:00:00 +0000

OpenVPN is an open source SSL VPN solution.

OpenVPN server installation can be quite complicated. We’ll use a script which manage all installation and configuration step for you.

Installation

Download script and run it, it will ask you for some information:

UDP or TCP
Network port
DNS Servers
Client name

wget -O openvpn-install.sh
bash openvpn-install.sh

You can re-run script to generate new client configuration, revoke old client or uninstall OpenVPN server.

Code analysis with SonarQube

Mon, 02 Sep 2024 00:00:00 +0000

SonarQube is a tool to do static code analysis, also known as Static Application Security Testing (SAST).

It’s a great tool to find security and quality issues in your code.

Install SonarQube

To install SonarQube, we’ll use Docker and docker-compose.yml file.

Here a ready to use and updated docker-compose.yml file to install SonarQube with PostgreSQL database:

services:
 sonarqube:
 image: sonarqube:community
 hostname: sonarqube
 container_name: sonarqube
 read_only: true
 depends_on:
 db:
 condition: service_healthy
 environment:
 SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
 SONAR_JDBC_USERNAME: sonar
 SONAR_JDBC_PASSWORD: sonar
 volumes:
 - sonarqube_data:/opt/sonarqube/data
 - sonarqube_extensions:/opt/sonarqube/extensions
 - sonarqube_logs:/opt/sonarqube/logs
 - sonarqube_temp:/opt/sonarqube/temp
 ports:
 - "9000:9000"
 db:
 image: postgres:17
 healthcheck:
 test: ["CMD-SHELL", "pg_isready"]
 interval: 10s
 timeout: 5s
 retries: 5
 hostname: postgresql
 container_name: postgresql
 environment:
 POSTGRES_USER: sonar
 POSTGRES_PASSWORD: sonar
 POSTGRES_DB: sonar
 volumes:
 - postgresql:/var/lib/postgresql
 - postgresql_data:/var/lib/postgresql/data

volumes:
 sonarqube_data:
 sonarqube_temp:
 sonarqube_extensions:
 sonarqube_logs:
 postgresql:
 postgresql_data:

Start containers:

Install psql (PostgreSQL client) on MacOS

Mon, 22 Jul 2024 00:00:00 +0000

PostgreSQL is a database management system. psql is a command line tool to connect to PostgreSQL database.

Install psql

Install psql without PostgreSQL server with brew:

brew install libpq
brew link --force libpq

This will install Postgres client utilities like psql and pg_dump.

Setup OpenVPN server with Docker

Mon, 08 Jul 2024 00:00:00 +0000

OpenVPN is a tool to create a secure tunnel between your computer and a remote server.

This post show how to setup OpenVPN server with Docker.

Prerequisites

You need following tools installed on your server:

Docker
Git

Install and configure OpenVPN server

We’ll use this repository to setup OpenVPN server.

Docker image is available on Docker Hub, but to get latest version of dependencies, we’ll build it locally.

# Clone repository
git clone https://github.com/kylemanna/docker-openvpn.git
cd docker-openvpn

# Build image
docker build -t openvpn .

Once image is built, we are able to configure our openvpn server and run it.

Visualize IO disk usage with htop

Mon, 24 Jun 2024 00:00:00 +0000

htop is a terminal based process viewer, a useful tool to monitor system resources.

IO is a measure of the amount of data read (Input) from or written (Output) to a storage device.

By default, htop do not shows the amount of data read and written by processes.

Show IO with htop

Start htop as usual:

htop

To show IO disk usage, you need add Disk IO meters:

Open Setup with F2 key
Go to Meters category
Select Disk IO meters in available meters and validate with Enter key
Optionally, you can change the meters order with Up and Down keys

Save htop configuration

htop configuration is automatically saved in ~/.config/htop/htoprc file.

Pip, update all packages with one command

Mon, 10 Jun 2024 00:00:00 +0000

Pip is a package manager for Python. It’s a great tool to install and update packages. This post show how to update all packages with a one liner because the options os not offered by pip.

List all outdated packages

To list all outdated packages, you can use the following command:

pip list --outdated

Update all packages

To update all packages, you can use the following command:

pip list --outdated | awk -F ' ' 'NR>2{print$1}' | xargs pip install --upgrade

Bash aliases

You can create a bash alias to update all packages with one liner:

Windows 11 installation without Microsoft account

Mon, 27 May 2024 00:00:00 +0000

By default, Windows 11 installer ask for a Microsoft account, but for many context local account is a better choice.

Install Windows 11 with a local account

Start your Windows installation as intended. When installer ask you for your Microsoft account, disable this option with OOBE:

Use shift+f10 to open command line and execute OOBE\BYPASSNRO:

This will reboot your machine. Make sure to disconnect your network.

Linux, bypass root password from GRUB

Mon, 13 May 2024 00:00:00 +0000

The root or user password of a Linux machine can be bypassed thank to GRUB.

Following conditions are needed:

Grub isn’t password protected
Disk encryption isn’t enabled

It works on legacy BIOS and UEFI installation.

Boot Linux without password

Power on your machine. When grub is ready, select your Linux OS entry and edit it by typing on e.

On this GRUB configuration, search for the line starting with linux /boot/vmlinuz :