December 19, 2025

An RSC Parser Because React Decided Wire Protocols Were Fun

A Burp extension for when your response tab looks like spaghetti (React's Flight protocol)

Remember when server responses were just JSON? Such simple times. Now we have React Server Components shipping serialized component trees over the “Flight” wire protocol, and your Burp tabs are giving you what looks like a cat walked across a keyboard.

If you’re testing Next.js apps (or the smaller base of Waku, Shopify Hydrogen, and RedwoodJS users), you’ve seen text/x-component responses. You’ve squinted at them, extracted a JWT manually, and wondered what you were doing with your life. This extension helps with your squinting.

What It Does

The RSC Parser extension deserializes Flight protocol responses and surfaces the bits you care about:

  • Route parameters — The /users/:userId/settings stuff. Of IDOR interest.
  • Sensitive values — JWTs, API keys, tokens. Detected by format, so that x7_temp_val field hiding a JWT is highlighted.
  • Entity arrays — Those 25-record user lists that probably shouldn’t include everyone’s phone number.
  • Server actions — The $F references pointing to RPC endpoints begging for auth bypass testing.
  • Text content — Where internal details hide in plain sight.

Installation

Jython. Yes, still. Set your Python environment in Extender > Options, then load nextjs-rsc-parser.py. You’ve done this before.

Interface

Four tabs when viewing RSC responses: Parsed (human-readable), Tree (hierarchical), JSON (raw), and Security (quick summary extract based on keywords).

Right-click gives you chunk URL extraction, component analysis, and export options. Standard Burp ergonomics.

Practical Applications

Route params with UUIDs or sequential IDs are your first stop for access control testing. Server actions ($Fa, $Fb, etc.) are RPC endpoints. Fuzz them for missing auth checks. Entity arrays showing up with more records than your test user should see is authorization 101. URLs buried in text content occasionally reveal that environment someone forgot to lock down.
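
Added example, not the extension's own code: a plain-Python sketch (runs outside Burp, no Jython needed) of what the "What It Does" list and the checks just described boil down to. It splits a constructed text/x-component body into `id:payload` rows, decodes the JSON, and flags `$F` server-action references, route strings carrying UUIDs or numeric IDs, JWT-shaped values, bare UUID identifiers and arrays of look-alike records. The sample body is hand-written for this example; the row format (hex id, colon, optional model-type letter, JSON) and the `$F` prefix are my simplified reading of Flight, and the regexes are heuristics I chose, so check both against real responses before relying on them.

```python
import json
import re

# Constructed sample of a Flight (text/x-component) response body: one
# "id:payload" row per line. Hand-written for this example, not captured
# from any application.
SAMPLE_RSC = "\n".join([
    '0:["$","div",null,{"children":["$","$L1",null,{"userId":"3fa85f64-5717-4562-b3fc-2c963f66afa6"}]}]',
    '1:I["./app/settings/page.js",["app/settings/page"],"default"]',
    '2:{"path":"/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/settings",'
    '"x7_temp_val":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl","next":"/orders/1042"}',
    '3:[{"id":1,"name":"A","phone":"555-0100"},{"id":2,"name":"B","phone":"555-0101"},'
    '{"id":3,"name":"C","phone":"555-0102"}]',
    '4:{"onSave":"$Fa","onDelete":"$Fb"}',
    '5:T12,Internal note',
])

ROW_RE = re.compile(r"^([0-9a-f]+):(.*)$", re.S)            # "id:payload" (assumed layout)
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
ACTION_RE = re.compile(r"^\$F[0-9a-zA-Z]+$")                # "$Fa"-style server reference (assumed)
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
UUID_FULL_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
NUMERIC_SEG_RE = re.compile(r"/\d+(?=/|$)")                 # "/1042" path segments


def parse_rows(body):
    """Split a Flight body into (row_id, kind, value) tuples.

    kind is "" for plain JSON rows, the leading model letter (e.g. "I" for an
    import row) when one precedes the JSON, or "text" when the payload does not
    decode as JSON at all; value is the decoded JSON or the raw payload text."""
    rows = []
    for line in body.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row_id, payload = m.groups()
        try:
            rows.append((row_id, "", json.loads(payload)))
            continue
        except ValueError:
            pass
        if payload[:1].isalpha():
            try:
                rows.append((row_id, payload[0], json.loads(payload[1:])))
                continue
            except ValueError:
                pass
        rows.append((row_id, "text", payload))
    return rows


def classify_string(s, path, findings):
    """Bucket one string value by the heuristics described in the post."""
    if ACTION_RE.match(s):
        findings["server_actions"].append({"path": path, "ref": s})
    elif JWT_RE.match(s):
        findings["sensitive"].append({"path": path, "type": "jwt", "value": s})
    elif UUID_FULL_RE.match(s):
        findings["identifiers"].append({"path": path, "value": s})
    elif s.startswith("/") and (UUID_RE.search(s) or NUMERIC_SEG_RE.search(s)):
        ids = UUID_RE.findall(s) + [seg[1:] for seg in NUMERIC_SEG_RE.findall(s)]
        findings["route_params"].append({"path": path, "route": s, "ids": ids})


def walk(node, path, findings):
    """Recursive walk over a decoded row, recording a dotted path to each hit."""
    if isinstance(node, dict):
        for k, v in node.items():
            walk(v, path + "." + k, findings)
    elif isinstance(node, list):
        # Two or more objects side by side look like an entity list worth
        # checking against what the current user should be allowed to see.
        if len(node) >= 2 and all(isinstance(x, dict) for x in node):
            keys = sorted(set().union(*(x.keys() for x in node)))
            findings["entity_arrays"].append({"path": path, "count": len(node), "keys": keys})
        for i, v in enumerate(node):
            walk(v, "%s[%d]" % (path, i), findings)
    elif isinstance(node, str):
        classify_string(node, path, findings)


def analyze(body):
    """Return the parsed findings for one Flight response body."""
    findings = {"server_actions": [], "sensitive": [], "route_params": [],
                "identifiers": [], "entity_arrays": [], "text": []}
    for row_id, kind, value in parse_rows(body):
        if kind == "text":
            findings["text"].append({"row": row_id, "value": value})
        else:
            walk(value, row_id + (":" + kind if kind else ""), findings)
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_RSC), indent=2))
```

Run it on a saved response body and diff the `entity_arrays` counts and `route_params` ids against what the logged-in test account is entitled to; a JWT or bare identifier turning up under an innocuous field name is the case the post's `x7_temp_val` remark is about.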

None of this is revolutionary methodology. The extension just stops you from parsing Flight protocol by hand, which is a poor use of time.

Final Thought

React’s architectural decisions have created a new attack surface that looks like gibberish to standard tooling. This extension makes it legible. Install it, add RSC endpoints to your enumeration workflow, and move on.

The framework authors will invent something new to parse by next quarter anyway.

Check it out at https://github.com/Adversis/nextjs-rsc-parser
