πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Exploit Public-Facing Application

Attackers send crafted React Server Components Flight requests to public-facing endpoints (for example /_rsc) on vulnerable React/Next.js servers, gaining unauthenticated remote code execution.

Metadata

  • Severity: critical
  • Slug: exploit-public-facing-application

MITRE

  • T1190: Exploit Public-Facing Application
  • T1059.007: Command and Scripting Interpreter: JavaScript
  • T1059.001: Command and Scripting Interpreter: PowerShell
  • T1505.003: Server Software Component: Web Shell
  • T1552.001: Unsecured Credentials: Credentials In Files

Available Labs

Select a language to explore available labs for this vulnerability.

No matching labs found

Try adjusting your language filter.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing β€” fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.