AEM Hacking

AEM like most of the web applications can be subject to multiple vulnerabilities.

The most common vulnerabilities and attack vectors are summarized by the OWASP project.

To protect AEM from external attacks the most important place where blocking/ filtering rules should be implemented is the Dispatcher.

The dispatcher is all external visitor entry point where filters should be implemented.

Here are some detailed notes on securing dispatcher.

A good starting point is to use production ready mode for all production instances.

This mode disables most of the unsecure and unneeded components.

It is also important to be sure that the dispatcher security checklist has been implemented.

The checklist, for example, states that most of filters (selectors, query strings, etc…) should deny by default and only whitelist what is really needed.

While setting up the whitelisting be very careful on what you are exposing.

Consider to follow these rules of the thumb:

  • Always expose only what you really need, ie /content/yoursite rather than /content
  • Be careful exposing extensions and prefer to do only where make it sense, ie if you have images only in the dam consider to open image extentions only in /content/dam/your site rather that simply allow *.gif and similar everywhere.
  • The same thing about selectors and suffixes, but more strict. Allow selectors and suffix only where you need according to the architecture of your site.
  • The rule are validated serially, so pay attention to not reopen something you have closed before.

Finally, it is important to check for hotfixes and patches of serious vulnerabilities and apply or mitigate as soon as possible.

XSS prevention

XSS (cross site scripting) allows inclusion of untrusted data in the page.

In the past a large number of known AEM vulnerabilities ( CVE ) were of this type.

The XSS protection mechanism provided by AEM is based on the AntiSamy Java Library

Also using HTL can prevent XSS


Cross site request forgery can be prevented by using token.json.

public available  useful ‘hacking’ tools

These tools scan for known vulnerabilities, default users and passwords and other common possible misconfigurations.

Aem hacker

python3 scripts , requires port 443 reachable on internet from scanning IP

source https://github.com/0ang3el/aem-hacker



another   python 2  tool

source https://github.com/Raz0r/aemscan 

./aemscan https://mydomain.com


Written by Andrea Berger and Alessandro Paolinelli

You Might Also Like

No Comments

    Leave a Reply