AEM Security - .json Extension

Brett_Birschba1

30-07-2019

In AEM we generally block all `page.infinity.json` and `page.N.json` requests, as it allows content grabbing and reveals internal node structure including usernames or anything else that might be considered "internal". However, `page.json` requests (no selector) seem to also render their JSON contents, and this is a lot harder to block unless we generically block the `.json` extension, requiring all valid JSON URLs to be whitelisted.

Is there a way to safely block JSON rendering to close this vulnerability? Or do we just have to accept that anyone can freely grab your internal node structure and private content such as usernames? The idea of blocking `.json` ubiquitously, opening up for only a whitelisted set of URLs, is tempting to see as an easy solution, but that makes servlets based on resource types rather than static URLs infeasible.

NOTE: I understand that JSON rendering by sling can be turned off in "Apache Sling GET Servlet" in OSGi, but then that breaks other OOTB functionalities related to personalization where calls to `/home/users/X/XXXXXXXXX.infinity.json` based on the current user are used.

vipins5188

01-08-2019

Hi Brett,

I gave pageinfo.json just for example purposes here; you can have any path from the request. The purpose here is to get control over that request and serve it to a specific audience and specific content/data. Plus, that's a Sling filter with a filter pattern value, so it won't affect your default servlet things.
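The Sling filter approach described in the reply above, written out as an added example; this is not code from the thread, from Adobe, or from Apache Sling. It assumes a project package name (`com.example.aem.security`), a `sling.filter.pattern` of `/content/.*`, and a resource-type prefix `myproject/components/api/` under which the project registers its own JSON servlets; all three are placeholders to be replaced with the real project's values.

```java
package com.example.aem.security;  // assumed project package

import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.request.RequestPathInfo;
import org.osgi.service.component.annotations.Component;

/**
 * Refuses .json requests under /content that would be answered by the default
 * Sling GET servlet, while letting requests for resource types that the project
 * serves with its own JSON servlets pass through unchanged.
 *
 * The path restriction is what keeps this from breaking the personalization
 * calls mentioned in the question: /home/users/... is outside the pattern, so
 * the filter never runs for them.
 */
@Component(
        service = Filter.class,
        property = {
                "sling.filter.scope=REQUEST",
                // Assumed scope: only authored content. /home, /etc, /libs are untouched.
                "sling.filter.pattern=/content/.*",
                "service.ranking:Integer=1000"
        })
public class JsonRenderingFilter implements Filter {

    /** Assumed prefix of the resource types that have project-owned JSON servlets. */
    private static final List<String> ALLOWED_RESOURCE_TYPE_PREFIXES =
            Arrays.asList("myproject/components/api/");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof SlingHttpServletRequest) {
            SlingHttpServletRequest request = (SlingHttpServletRequest) req;
            RequestPathInfo pathInfo = request.getRequestPathInfo();
            // Resource and servlet resolution have already happened when a
            // REQUEST-scope filter runs, so the resolved resource type is known.
            if (isBlocked(pathInfo.getExtension(), pathInfo.getSelectors(),
                    request.getResource().getResourceType())) {
                // 404 rather than 403: a 403 would confirm that the node exists,
                // which is exactly the enumeration the question wants to stop.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Decision logic kept free of servlet types so it can be unit tested.
     *
     * The default GET servlet renders a node for a bare .json request and for
     * depth selectors (.N.json, .infinity.json). Depth selectors are always
     * refused; a bare or otherwise-selected .json request is refused unless the
     * resource belongs to a type the project serves itself.
     */
    static boolean isBlocked(String extension, String[] selectors, String resourceType) {
        if (!"json".equals(extension)) {
            return false;               // .html, .png, ... are not this filter's concern
        }
        for (String selector : selectors) {
            if ("infinity".equals(selector) || selector.chars().allMatch(Character::isDigit)) {
                return true;            // tree dump: refuse even for allowed types
            }
        }
        if (resourceType != null) {
            for (String prefix : ALLOWED_RESOURCE_TYPE_PREFIXES) {
                if (resourceType.startsWith(prefix)) {
                    return false;       // a project servlet handles this resource type
                }
            }
        }
        return true;                    // would fall through to the default GET servlet
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Because the decision is keyed on the resolved resource type rather than on a static URL list, servlets registered by `sling.servlet.resourceTypes` keep working wherever that type appears in the tree, which is the objection to a plain URL whitelist raised in the question. The dispatcher rules that already deny `.infinity.json` and `.N.json` remain the outer layer; this filter closes the bare `.json` case on the publisher itself, and a quick check after deployment is to request a content page as `.json`, `.2.json` and `.infinity.json` and confirm all three return 404 while an allowed API resource type still returns its JSON.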