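# Detection template: checks whether an Adobe Experience Manager instance
# answers unauthenticated GET requests for repository paths with a rendering
# that contains JCR node properties (the default GET servlet's output).
id: aem-default-get-servlet

info:
  name: AEM DefaultGetServlet
  author: DhiyaneshDk
  severity: low
  description: Sensitive information might be exposed via AEM DefaultGetServlet.
  # Added in review so a finding is actionable for the team that owns the instance.
  remediation: |
    Put deny-by-default AEM Dispatcher filter rules in front of publish
    instances and allow only the paths, selectors, extensions and suffixes the
    site needs. Review repository ACLs so the anonymous user cannot read /etc,
    /var, /apps or /home, and disable default GET servlet renderers the site
    does not use.
  reference:
    - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps?slide=43
    - https://github.com/thomashartm/burp-aem-scanner/blob/master/src/main/java/burp/actions/dispatcher/GetServletExposed.java
  metadata:
    # Must equal the number of entries under http[0].path (64 below).
    max-request: 64
    shodan-query: http.component:"Adobe Experience Manager"
  tags: aem,adobe,misconfig

http:
  - method: GET
    path:
      # Repository roots, plain and with extra leading slashes.
      - '{{BaseURL}}/etc'
      - '{{BaseURL}}/var'
      - '{{BaseURL}}/apps'
      - '{{BaseURL}}/home'
      - '{{BaseURL}}///etc'
      - '{{BaseURL}}///var'
      - '{{BaseURL}}///apps'
      - '{{BaseURL}}///home'
      # JSON renderings of the root node. The "?FNZ.*" and "/FNZ.*" forms add a
      # static-looking query string or suffix; presumably they check whether the
      # filtering layer in front of AEM treats them differently from the plain
      # request - confirm against the references.
      - '{{BaseURL}}/.json'
      - '{{BaseURL}}/.1.json'
      - '{{BaseURL}}/....4.2.1....json'
      - '{{BaseURL}}/.json?FNZ.css'
      - '{{BaseURL}}/.json?FNZ.ico'
      - '{{BaseURL}}/.json?FNZ.html'
      - '{{BaseURL}}/.json/FNZ.css'
      - '{{BaseURL}}/.json/FNZ.html'
      - '{{BaseURL}}/.json/FNZ.png'
      - '{{BaseURL}}/.json/FNZ.ico'
      # Child listings of the root node.
      - '{{BaseURL}}/.children.1.json'
      - '{{BaseURL}}/.children....4.2.1....json'
      - '{{BaseURL}}/.children.json?FNZ.css'
      - '{{BaseURL}}/.children.json?FNZ.ico'
      - '{{BaseURL}}/.children.json?FNZ.html'
      - '{{BaseURL}}/.children.json/FNZ.css'
      - '{{BaseURL}}/.children.json/FNZ.html'
      - '{{BaseURL}}/.children.json/FNZ.png'
      - '{{BaseURL}}/.children.json/FNZ.ico'
      # JSON renderings of /etc.
      - '{{BaseURL}}/etc.json'
      - '{{BaseURL}}/etc.1.json'
      - '{{BaseURL}}/etc....4.2.1....json'
      - '{{BaseURL}}/etc.json?FNZ.css'
      - '{{BaseURL}}/etc.json?FNZ.ico'
      - '{{BaseURL}}/etc.json?FNZ.html'
      - '{{BaseURL}}/etc.json/FNZ.css'
      - '{{BaseURL}}/etc.json/FNZ.html'
      - '{{BaseURL}}/etc.json/FNZ.ico'
      # Child listings of /etc.
      - '{{BaseURL}}/etc.children.json'
      - '{{BaseURL}}/etc.children.1.json'
      - '{{BaseURL}}/etc.children....4.2.1....json'
      - '{{BaseURL}}/etc.children.json?FNZ.css'
      - '{{BaseURL}}/etc.children.json?FNZ.ico'
      - '{{BaseURL}}/etc.children.json?FNZ.html'
      - '{{BaseURL}}/etc.children.json/FNZ.css'
      - '{{BaseURL}}/etc.children.json/FNZ.html'
      - '{{BaseURL}}/etc.children.json/FNZ.png'
      - '{{BaseURL}}/etc.children.json/FNZ.ico'
      # The same /etc renderings with extra leading slashes.
      - '{{BaseURL}}///etc.json'
      - '{{BaseURL}}///etc.1.json'
      - '{{BaseURL}}///etc....4.2.1....json'
      - '{{BaseURL}}///etc.json?FNZ.css'
      - '{{BaseURL}}///etc.json?FNZ.ico'
      - '{{BaseURL}}///etc.json/FNZ.html'
      - '{{BaseURL}}///etc.json/FNZ.png'
      - '{{BaseURL}}///etc.json/FNZ.ico'
      - '{{BaseURL}}///etc.children.json'
      - '{{BaseURL}}///etc.children.1.json'
      - '{{BaseURL}}///etc.children....4.2.1....json'
      - '{{BaseURL}}///etc.children.json?FNZ.css'
      - '{{BaseURL}}///etc.children.json?FNZ.ico'
      - '{{BaseURL}}///etc.children.json?FNZ.html'
      - '{{BaseURL}}///etc.children.json/FNZ.css'
      - '{{BaseURL}}///etc.children.json/FNZ.html'
      - '{{BaseURL}}///etc.children.json/FNZ.png'
      - '{{BaseURL}}///etc.children.json/FNZ.ico'

    # One hit is enough to report the host; the remaining paths are skipped.
    stop-at-first-match: true

    # Both matchers must hold for the same response.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # 'jcr:createdBy' is a JCR node property name. Any 200 response whose
      # body contains the string matches, so confirm by hand that the response
      # is a node rendering and judge how sensitive the exposed content is
      # before filing the finding.
      - type: word
        # Body is the matcher's default part; stated explicitly for readers.
        part: body
        words:
          - 'jcr:createdBy'
        condition: and
# The digest below was issued for the upstream template text. It no longer
# verifies once the template is edited; re-sign before relying on it.
# digest: 4a0a00473045022100e488c473b0ca04235cac72efdb586f80e8fc7ed6b9c887639b0655f9cc0fe1dd0220255b32fb575b48097750c878a707ac400fab98127da302708288f8e36e926a9e:922c64590222798bb761d5b6d8e72950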