Merge pull request #3888 from DhiyaneshGeek/master

Additional Paths Added
2022-03-14 20:56:22 +05:30 · 2022-03-14 20:56:22 +05:30 · 2877624443
parent 5fea3638db 8301e80261
commit 2877624443
3 changed files with 36 additions and 7 deletions
--- a/misconfiguration/aem/aem-default-get-servlet.yaml
+++ b/misconfiguration/aem/aem-default-get-servlet.yaml
@ -3,13 +3,24 @@ info:
  author: DhiyaneshDk
  name: AEM DefaultGetServlet
  severity: low
-  reference: https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
-  tags: aem
+  description: Sensitive information might be exposed via AEM DefaultGetServlet.
+  reference:
+    - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
+    - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/GetServletExposed.java
+  tags: aem,adobe


 requests:
  - method: GET
    path:
+      - '{{BaseURL}}/etc'
+      - '{{BaseURL}}/var'
+      - '{{BaseURL}}/apps'
+      - '{{BaseURL}}/home'
+      - '{{BaseURL}}///etc'
+      - '{{BaseURL}}///var'
+      - '{{BaseURL}}///apps'
+      - '{{BaseURL}}///home'
      - '{{BaseURL}}/.json'
      - '{{BaseURL}}/.1.json'
      - '{{BaseURL}}/....4.2.1....json'
--- a/misconfiguration/aem/aem-login-status.yaml
+++ b/misconfiguration/aem/aem-login-status.yaml
@ -4,15 +4,21 @@ info:
  author: DhiyaneshDk
  name: AEM Login Status
  severity: info
-  reference: https://www.slideshare.net/0ang3el/hunting-for-security-bugs-in-aem-webapps-129262212
-  tags: aem
+  description: LoginStatusServlet is exposed, it allows to bruteforce credentials.
+  reference:
+    - https://www.slideshare.net/0ang3el/hunting-for-security-bugs-in-aem-webapps-129262212
+    - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/LoginStatusServletExposed.java
+  tags: aem,adobe


 requests:
  - method: GET
    path:
+      - '{{BaseURL}}/system/sling/loginstatus'
      - '{{BaseURL}}/system/sling/loginstatus.css'
+      - '{{BaseURL}}///system///sling///loginstatus'

+    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status
@ -21,4 +27,4 @@ requests:

      - type: word
        words:
-          - 'CREDENTIAL_CHALLENGE'
+          - 'CREDENTIAL_CHALLENGE'
--- a/misconfiguration/aem/aem-querybuilder-json-servlet.yaml
+++ b/misconfiguration/aem/aem-querybuilder-json-servlet.yaml
@ -4,14 +4,26 @@ info:
  author: DhiyaneshDk
  name: AEM QueryBuilder Json Servlet
  severity: info
-  reference: https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
-  tags: aem
+  description: Sensitive information might be exposed via AEMs QueryBuilderServlet or QueryBuilderFeedServlet.
+  reference:
+    - https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
+    - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/QueryBuilderExposed.java
+  tags: aem,adobe


 requests:
  - method: GET
    path:
      - '{{BaseURL}}/bin/querybuilder.json'
+      - '{{BaseURL}}/bin/querybuilder.json.servlet'
+      - '{{BaseURL}}///bin///querybuilder.json'
+      - '{{BaseURL}}///bin///querybuilder.json.servlet'
+      - '{{BaseURL}}/bin/querybuilder.feed'
+      - '{{BaseURL}}/bin/querybuilder.feed.servlet'
+      - '{{BaseURL}}///bin///querybuilder.feed'
+      - ' {{BaseURL}}///bin///querybuilder.feed.servlet'
+
+    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: status