SOLVED

AEM - How can we prevent blind XPath injection in an AEM page?

Correct answer by
Community Advisor

If it's a publisher, you can block all the suffixes at the dispatcher by adding a rule in the filter section:


# Block use of all suffixes on any resource in /content
/0160 { /type "deny" /url "/content*" /suffix "*" }

# Suffix patterns that are needed server side can then be re-allowed one by one (allow-list style).
# Filter rules are evaluated in order and the last matching rule wins, so the allow must come after the deny.
/0161 { /type "allow" /url "/content/we-retail/us/en/equipment/*" /suffix "/content/we-retail/*" /method "GET" }

Rule 0160 blocks suffix requests from bypassing the dispatcher and hitting your AEM publisher.
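Added example (not part of the original thread and not Adobe dispatcher code): a small Python model of how a filter section like the one above is evaluated, so you can see why rule 0160 must precede 0161 and what each sample request ends up as. It assumes rules are evaluated top to bottom with the last applying rule deciding, that `*` matches any run of characters including `/`, that `/url` is compared against the full request path including the suffix, and that a `/suffix` glob is only tested when the request actually carries a suffix. Rules 0001 and 0002 (the customary deny-all and allow-content rules), the `sling_suffix` helper and all sample requests are constructed for the example. Verify the suffix assumption against your own dispatcher version: if `/suffix "*"` also matched requests with no suffix, rule 0160 alone would deny every page under /content.

```python
"""Toy evaluator for AEM dispatcher /filter rules (added example, not dispatcher code).

Simplifications, to be checked against a real dispatcher:
  * rules are evaluated top to bottom and the last rule that applies decides
  * '*' matches any run of characters including '/', '?' matches one character
  * /url is compared against the full request path, suffix included
  * a /suffix glob is compared only when the request actually has a suffix
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rid: str
    rtype: str                    # "allow" or "deny"
    url: Optional[str] = None
    suffix: Optional[str] = None
    method: Optional[str] = None


# 0160 and 0161 are the rules from the answer; 0001 and 0002 are the usual
# deny-all and allow-content rules a real filter section carries (constructed).
RULES = [
    Rule("0001", "deny", url="*"),
    Rule("0002", "allow", url="/content/*"),
    Rule("0160", "deny", url="/content*", suffix="*"),
    Rule("0161", "allow", url="/content/we-retail/us/en/equipment/*",
         suffix="/content/we-retail/*", method="GET"),
]


def glob_to_re(pattern: str) -> "re.Pattern[str]":
    """Translate a dispatcher-style glob into an anchored regular expression."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def sling_suffix(path: str) -> str:
    """Suffix per Sling URL decomposition (simplified): everything from the first
    '/' after the first '.' (selectors/extension) onward, '' when there is none."""
    dot = path.find(".")
    if dot == -1:
        return ""
    slash = path.find("/", dot)
    return path[slash:] if slash != -1 else ""


def rule_applies(rule: Rule, method: str, path: str) -> bool:
    """A rule applies only when every property it specifies matches the request."""
    if rule.method is not None and not glob_to_re(rule.method).match(method):
        return False
    if rule.url is not None and not glob_to_re(rule.url).match(path):
        return False
    if rule.suffix is not None:
        suffix = sling_suffix(path)
        if not suffix or not glob_to_re(rule.suffix).match(suffix):
            return False
    return True


def decide(method: str, path: str, rules=RULES):
    """Return (decision, rule id) of the last applying rule; deny when none applies."""
    decision, rid = "deny", None
    for rule in rules:
        if rule_applies(rule, method, path):
            decision, rid = rule.rtype, rule.rid
    return decision, rid


if __name__ == "__main__":
    # Constructed requests; the quoted suffix is merely shaped like an injection attempt.
    page = "/content/we-retail/us/en/equipment/page.html"
    samples = [
        ("GET", page),                                                   # no suffix
        ("GET", "/content/we-retail/us/en/men.html/foo' or '1'='1"),    # hostile suffix
        ("GET", page + "/content/we-retail/us/en/equipment/helmet"),    # allow-listed
        ("POST", page + "/content/we-retail/us/en/equipment/helmet"),   # wrong method
        ("GET", page + "/etc/passwd"),                                   # not allow-listed
    ]
    for method, path in samples:
        print(f"{method:4} {path} -> {decide(method, path)}")
```

Running the block prints one line per sample request; the plain page is allowed by 0002, every suffixed request under /content is denied by 0160, and only a GET whose path and suffix both match 0161 is re-allowed. Swap the order of 0160 and 0161 in `RULES` and the allow-listed request is denied, which is the ordering point the answer's rules depend on.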