Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Honeypot implementation for AEM forms

Avatar

Level 2

Hi,

 

From a few days now, I am trying to understand how honeypot can be implemented on AEM forms. We have a requirement to implement honeypot feature on AEM forms, but I could not find any documentation around this in the experience league. Given the volume of the sites and forms being one of the widely used component on the sites, we do not want to take the re-captcha route rather have something like honeypot implemented to make user experience better. What is the best way to bring up security/spam prevention checks on AEM forms.

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

@veenakt28 

In addition to the security hardening guide shared earlier and steps shared by Mayank, you can enable protection against Cross-Site Scripting (XSS) on the page/form by following this security guide[0]. 

All these steps will ensure protection against any vulnerabilities when the form is integrated with a 3rd party system for inbound or outbound communication.

 

 

[0] - https://experienceleague.adobe.com/docs/experience-manager-64/developing/introduction/security.html?... 

View solution in original post

3 Replies

Avatar

Employee Advisor

@veenakt28 

Probably AEM Form is not tested with the honeypot technique thus there is no official documentation for the same but there are multiple other ways to secure AEM Forms on the OSGi server, more details[0].

You can reach out to us via a support ticket in case you find any security prevention checks missing in the official document. 

 

[0] - https://experienceleague.adobe.com/docs/experience-manager-64/forms/manage-administer-aem-forms/hard... 

Avatar

Level 2

Hi Pulkit,

Thank you for getting back soon, in my case the forms we have are customized (it is a custom component), these are not taken from the AEM forms, in this case how do we secure form submission. 

Avatar

Employee Advisor

@veenakt28 

Do you mean to say that you have used OOTB site components to create custom form components and then created a form or embedded the same in a page?

If there are no AF components being used then you can reach out to AEM site experts here for more insights- https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/ct-p/adobe-experience-mana... 

If you've created custom components using OOTB AEM Forms components then please elaborate further- what is the use case? What type of form submission you're referring to?

Avatar

Level 2

Hi Pulkit,

The forms we have is a form container component, which consists of multiple fields (components) which can be configured within this form container, all of this is built using core components, the service pack we are using is 6.4.8
To give an eg. having configured the form container component, you will then have options to add remove the fields you need on the form like email ID, name, age, country of residence, demographic questions etc. Basically you can create the form with the fields you require for a site. This form submission data is then passed to a 3rd party system to store the data. We are also getting some of the form field data from the 3rd party integrated system. How do I implement security check/spam prevention checks on such a form.

Avatar

Level 10

@veenakt28 I assume the form is open to everyone, then you can play around with cookies, and check for the typical no. of form submission from a particular IP, Implement captcha, make sure you are not logging any PII in the logs, Implement SSL(preferably mutual auth for service). Obfuscate the PII on the form itself. You can have server-side scripts to validate any invalid input further. 

Avatar

Correct answer by
Employee Advisor

@veenakt28 

In addition to the security hardening guide shared earlier and steps shared by Mayank, you can enable protection against Cross-Site Scripting (XSS) on the page/form by following this security guide[0]. 

All these steps will ensure protection against any vulnerabilities when the form is integrated with a 3rd party system for inbound or outbound communication.

 

 

[0] - https://experienceleague.adobe.com/docs/experience-manager-64/developing/introduction/security.html?... 

Avatar

Level 2

Hi @Pulkit_Jain_ @Mayank_Gandhi 

Thank you for the suggestions, the suggestions provided below are more leaning towards implementing a custom validation on the client/server side to secure the forms, if my requirement is to build a honeypot feature,

how do I implement a honeypot feature for AEM custom forms?

Is it possible to have a honeypot kind of implementation on AEM forms?

If yes, then how do we implement this?

If not what is the recommendation ?

Any suggestions on this, will be really helpful.

Avatar

Level 10

@veenakt28 Please understand that AEM forms are to capture data and the network level custom implementation to gauge any attack is not within the scope of forms but infra hardening. You should work internally with the infra team and the check scope of web development to understand the strategy that you may want to apply in the DMZ for this. Not something specific from the product side on this.