AMSSEC INSPEC tool dispatcher rule checker

teamu33465496 08-04-2019

AMS has run an inspection on our dispatcher and asked us to block the paths below:

should NOT respond to GET /bin/querybuilder.feed.css with 200

should NOT respond to GET /bin/querybuilder.json.servlet;%0aa.css with 200

should NOT respond to GET /crx/de/index.jsp;%0aa.css with 200

should NOT respond to GET /crx/explorer/index.jsp;%0aa.css with 200

To implement that I have written the dispatcher rules below and run the test again:

{ /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}

{ /type "deny" /url "/crx/de/index.jsp" /extension '(css)'}

{ /type "deny" /url "/crx/explorer/index.jsp" /extension '(css)'}

But it does not seem to fix the issue. Can someone suggest where I am going wrong?

Accepted Solutions (1)

gauravb41175071
MVP
18-04-2019

/0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}

in your dispatcher.any works for me to block '/bin/querybuilder.feed.css'.

Answers (7)

Jörg_Hoh
Employee
23-04-2019

These are very specific URLs, which should already be covered by the list provided as part of the security checklist. So from my point of view it does not make much sense to block these specifically; rather, check whether the checklist is active at all.

    # open consoles

  #    /0012 { /type "allow" /glob "* /crx/*"    }  # allow content repository

  #    /0013 { /type "allow" /glob "* /system/*" }  # allow OSGi console

 

    # allow non-public content directories

  #    /0021 { /type "allow" /glob "* /apps/*"   }  # allow apps access

  #    /0022 { /type "allow" /glob "* /bin/*"    }

should block all requests to /bin/* and /crx/* (which is a superset of the URLs mentioned). Can you check if you can access CRX DE Lite through the dispatcher (you shouldn't)?

Jörg

teamu33465496 17-04-2019

Seems like /crx/explorer/index.jsp;%0aa.css is blocked. But /bin/querybuilder.feed.css is not blocked. Can I get ideas on how to implement this?

teamu33465496 17-04-2019

Using the below configs, I was able to block /crx/de/index.jsp;%0aa.css and /bin/querybuilder.json.servlet;%0aa.css

{ /type "deny" /url "/crx/*.css"}

{ /type "deny" /url "/bin/querybuilder*.css"}

But I am not able to block /crx/explorer/index.jsp;%0aa.css and /bin/querybuilder.feed.css

So, to block the above paths/URLs, can these configs be used?

{ /type "deny" /url "/bin/querybuilder*.*.css" }

{ /type "deny" /url "/crx/explorer/*.css" }

gauravb41175071
MVP
08-04-2019

you missed ";0a" in your config

try these -

{ /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}

{ /type "deny" /path "/crx/*" /extension '(css)'}

or

{ /type "deny" /url "/crx/*.css"}

{ /type "deny" /url "/bin/querybuilder*.css"}

teamu33465496 08-04-2019

Here is our config file.

  # only handle the requests in the following acl. default is 'none'

  # the glob pattern is matched against the first request line

  /filter

    {

    # deny everything and allow specific entries

    /0001 { /type "deny"  /glob "*" }

 

    # open consoles

  #    /0012 { /type "allow" /glob "* /crx/*"    }  # allow content repository

  #    /0013 { /type "allow" /glob "* /system/*" }  # allow OSGi console

 

    # allow non-public content directories

  #    /0021 { /type "allow" /glob "* /apps/*"   }  # allow apps access

  #    /0022 { /type "allow" /glob "* /bin/*"    }

    /0023 { /type "allow" /glob "* /content*" }  # disable this rule to allow mapped content only

    /0024 { /type "deny" /glob "* /content/boost*" }  #block boost on sprint.com

  #    /0024 { /type "allow" /glob "* /libs/*"   }

  #    /0025 { /type "deny"  /glob "* /libs/shindig/proxy*" } # if you enable /libs close access to proxy

  #    /0026 { /type "allow" /glob "* /home/*"   }

  #    /0027 { /type "allow" /glob "* /tmp/*"    }

  #    /0028 { /type "allow" /glob "* /var/*"    }

    # enable specific mime types in non-public content directories

    /0041 { /type "allow" /glob "* *.css *"   }  # enable css

    /0042 { /type "allow" /glob "* *.gif *"   }  # enable gifs

    /0043 { /type "allow" /glob "* *.ico *"   }  # enable icos

    /0044 { /type "allow" /glob "* *.js *"    }  # enable javascript

    /0045 { /type "allow" /glob "* *.png *"   }  # enable png

    /0046 { /type "allow" /glob "* *.swf *"   }  # enable flash

    /0047 { /type "allow" /glob "* *.svg *"   }  # enable SVG

    /0048 { /type "allow" /glob "* *.woff *"  }  # enable woff

    /0049 { /type "allow" /glob "* *.ttf *"   }  # enable ttf

    /0050 { /type "allow" /glob "* *.eot *"   }  # enable eot

    /0051 { /type "allow" /glob "* *.jpg *"   }  # enable jpg

    /0052 { /type "allow" /glob "* *.woff2 *"  }  # enable woff2

    /0053 { /type "allow" /glob "* *.map *"  }  # enable source maps

    # enable features

    /0061 { /type "allow" /glob "POST /content/[.]*.form.html" }  # allow POSTs to form selectors under content

    /0062 { /type "allow" /glob "* /libs/cq/personalization/*" }  # enable personalization

    /0063 { /type "allow" /glob "POST /content/[.]*.commerce.cart.json" }  # allow POSTs to update the shopping cart

    # deny content grabbing

    /0081 { /type "deny"  /glob "GET *.infinity.json*" }

    /0082 { /type "deny"  /glob "GET *.tidy.json*"     }

    /0083 { /type "deny"  /glob "GET *.sysview.xml*"   }

    /0084 { /type "deny"  /glob "GET *.docview.json*"  }

    /0085 { /type "deny"  /glob "GET *.docview.xml*"   }

    /0086 { /type "deny"  /glob "GET *.*[0-9].json*"   }

    /0087 { /type "deny"  /glob "GET *.feed.xml*"      }

  #    /0088 { /type "allow" /glob "GET *.1.json*"        }  # allow one-level json requests

    # deny query

    /0090 { /type "deny"  /glob "* *.query.json*" }

  #Elham's changes

    /0091 { /type "deny"  /glob "GET /content.pages.json*"      }

    /0092 { /type "deny"  /glob "GET /content.languages.json*"      }

    /0093 { /type "deny"  /glob "GET /content.blueprint.json*"      }

    /0094 { /type "deny"  /glob "GET /content.feed.html*"      }

  # allow new data servlet - must appear after the deny content grabbing rule, as selectors may end with a digit.

    /0100 { /type "allow" /glob "GET /etc/devices.*.json*"    }

    /0101 { /type "allow" /glob "GET /etc/accessories.*.json*"    }

    /0102 { /type "allow" /glob "GET /etc/services.*.json*"    }

    /0103 { /type "allow" /glob "GET /etc/plans.*.json*"    }

    /0104 { /type "allow" /glob "GET /etc/tagexplorer.*.json*"    }

    /0105 { /type "allow" /glob "GET /etc/promos.*.json*"    }

    /0106 { /type "allow" /glob "GET /etc/support.*.json*"    }

    /0107 { /type "allow" /glob "GET /etc/knowledge.*.json*"    }

    /0108 { /type "allow" /glob "GET /etc/appcontent.*.json*"    }

    /0109 { /type "allow" /glob "GET /etc/appcontent.*.strings*"    }

    /0110 { /type "allow" /glob "GET /etc/appcontent.*.xml*"    }

    /0111 { /type "allow" /glob "GET /etc/appcontent.*.jsonp*"    }

    /0112 { /type "allow" /glob "GET /etc/appcontent.*.txt*"    }

    /0113 { /type "allow" /glob "GET /etc/adminpage.*.json*"    }

    /0114 { /type "allow" /glob "GET /etc/devices.*.shtml*"    }

  # Implementing the below rules as per the AMSSEC recommendations

    /0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}

    /0121 { /type "deny" /url "/crx/de/index.jsp" /extension '(css)'}

    /0122 { /type "deny" /url "/crx/explorer/index.jsp" /extension '(css)'}

 

    # allow rsrc under /rsrc/

    /0130 { /type "allow" /glob "* /rsrc/*" }

    }

  # allow propagation of replication posts (should seldomly be used)

  /propagateSyndPost "0"

  # the cache is used to store requests from the renders for faster delivery

  # for a second time.

  /cache

    {

    # the cacheroot must be equal to the document root of the webserver

    /docroot "/mnt/var/www/html"

    # sets the level upto which files named ".stat" will be created in the

    # document root of the webserver. when an activation request for some

    # handle is received, only files within the same subtree are affected

    # by the invalidation.

    /statfileslevel "2"

 

    # caches also authorized data

    /allowAuthorized "0"

    # the rules define, which pages should be cached. please note that

    # - only GET requests are cached

    # - only requests with an extension are cached

    # - only requests without query parameters ( ? ) are cached

    # - only unauthorized pages are cached unless allowUnauthorized is set to 1

    /rules

    {

    /0000

      {

      # the globbing pattern to be compared against the url

      # example: *             -> everything

      #        : /foo/bar.*    -> only the /foo/bar documents

      #        : /foo/bar/*    -> all pages below /foo/bar

      #        : /foo/bar[./]* -> all pages below and /foo/bar itself

      #        : *.html        -> all .html files

      /glob "*"

      /type "allow"

      }

    #Prevent dispatcher caching of servlet output

    /0001 { /type deny  /glob "/etc/plans*.json*" }

    /0002 { /type deny  /glob "/etc/devices*.json*" }

    /0003 { /type deny  /glob "/etc/accessories*.json*" }

    /0004 { /type deny  /glob "/etc/tagexplorer*.json*" }

    /0005 { /type deny  /glob "/etc/services*.json*" }

    /0006 { /type deny  /glob "/etc/promos*.json*" }

    /0007 { /type deny  /glob "/etc/support*.json*" }

    /0008 { /type deny  /glob "/etc/knowledge*.json*" }

    /0009 { /type deny  /glob "/etc/appcontent.*.json" }

    /0010 { /type deny  /glob "/etc/appcontent.*.strings" }

    /0011 { /type deny  /glob "/etc/appcontent.*.xml" }

    /0012 { /type deny  /glob "/etc/appcontent.*.jsonp" }

    /0013 { /type deny  /glob "/etc/appcontent.*.txt" }

    /0014 { /type deny  /glob "/etc/adminpage.*.json" }

    /0025 { /type deny  /glob "/etc/devices.productSupport.*" }

    /0026 { /type deny  /glob "/rsrc/sprint/sellabledevices/*" }

    }

          /ignoreUrlParams

                {

                  /0001 { /type allow /glob "*" }

                }

    # the invalidate section defines those pages which are 'invalidated' after

    # any activation. please note that, the activated page itself and all

    # related documents are flushed on an modification. for example: if the

    # page /foo/bar is activated, all /foo/bar.* files are removed from the

    # cache.

    /invalidate

    {

    /0000

      {

      /glob "*"

      /type "deny"

      }

    /0001

      {

      /glob "*.html"

      /type "allow"

      }

    }

    /allowedClients

    {

    /0000

      {

      /glob "*.*.*.*"

      /type "deny"

      }

    $include "publish-invalidate-allowed.any"

    }

  # A grace period defines the number of seconds a stale, auto-invalidated

  # resource may still be served from the cache after the last activation

  # occurring. Auto-invalidated resources are invalidated by any activation,

  # when their path matches the /invalidate section above. This setting

  # can be used in a setup, where a batch of activations would otherwise

  # repeatedly invalidate the entire cache.

  #

  /gracePeriod "2"

    }

  # the statistics define, how the load should be balanced among the renders

  # according to the media-type.

  /statistics

    {

    /categories

    {

    /html

      {

      /glob "*.html"

      }

    /others

      {

      /glob "*"

      }

    }

    }

  }
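The /filter section posted above, run through a small model of how the dispatcher decides a request. This is an added example for this thread, not Adobe code and not something any poster supplied; it embeds a verbatim subset of the posted rules plus three hypothetical path-keyed deny rules (/0200 to /0202) and one constructed page URL, and it assumes the usual reading of the filter section: rules are evaluated top to bottom, the last matching rule wins, double-quoted values are globs and single-quoted values are anchored regular expressions.

```python
"""
Model of how the dispatcher /filter section decides a request, to reason about
rule order in the config posted above. Added example, not Adobe code, and it
simplifies: rules are checked top to bottom and the LAST match wins (no match
means deny); /glob is a shell-style glob over the raw request line
"METHOD URL HTTP/1.1" without URL decoding; /method, /url, /path, /selectors
and /extension are matched against a Sling-style split of the URL, where a
double-quoted value is a glob and a single-quoted value an anchored regex.
Check against your dispatcher version before relying on the result.
"""
import re
from fnmatch import fnmatchcase

RULE_RE = re.compile(r"^\s*/(\w+)\s*\{(.*)\}")
PROP_RE = re.compile(r"""/(\w+)\s*(?:"([^"]*)"|'([^']*)')""")


def parse_filters(text):
    """Parse '/NNNN { /type "deny" /glob "*" }' lines; '#' comment lines never match."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        props = {k: ("re", r) if r else ("glob", g)
                 for k, g, r in PROP_RE.findall(m.group(2))}
        rules.append((m.group(1), props))
    return rules


def decompose(url):
    """Split a URL into (path, selectors, extension) roughly as Sling does:
    /bin/querybuilder.feed.css -> ('/bin/querybuilder', 'feed', 'css')."""
    url = url.split("?", 1)[0]
    head, _, last = url.rpartition("/")
    if "." not in last:
        return url, "", ""
    base, _, rest = last.partition(".")
    *selectors, ext = rest.split(".")
    return f"{head}/{base}", ".".join(selectors), ext


def rule_matches(props, method, url):
    """Every property of the rule other than /type must match."""
    path, selectors, ext = decompose(url)
    subject = {"glob": f"{method} {url} HTTP/1.1", "method": method, "url": url,
               "path": path, "selectors": selectors, "extension": ext}
    for key, (kind, pat) in props.items():
        if key == "type":
            continue
        if key not in subject:
            raise ValueError(f"/{key} is not modelled here")
        ok = re.fullmatch(pat, subject[key]) if kind == "re" else fnmatchcase(subject[key], pat)
        if not ok:
            return False
    return True


def evaluate(rules, method, url):
    """(decision, rule_id) of the last matching rule; default deny."""
    decision, winner = "deny", None
    for rule_id, props in rules:
        if rule_matches(props, method, url):
            decision, winner = props["type"][1], rule_id
    return decision, winner


# Subset of the /filter section posted above (rule text copied verbatim).
POSTED_FILTERS = """
/0001 { /type "deny"  /glob "*" }
/0023 { /type "allow" /glob "* /content*" }
/0041 { /type "allow" /glob "* *.css *" }
/0044 { /type "allow" /glob "* *.js *" }
/0081 { /type "deny"  /glob "GET *.infinity.json*" }
/0090 { /type "deny"  /glob "* *.query.json*" }
/0120 { /type "deny" /path "/bin/querybuilder*" /selectors '(feed|servlet|json)' /extension '(css)'}
/0121 { /type "deny" /url "/crx/de/index.jsp" /extension '(css)'}
/0122 { /type "deny" /url "/crx/explorer/index.jsp" /extension '(css)'}
"""

# Hypothetical hardening (assumption, not from the thread): deny the admin trees
# by path AFTER the mime-type allows, so neither the extension nor a ';%0a...'
# suffix can reopen them.
HARDENED_FILTERS = POSTED_FILTERS + """
/0200 { /type "deny" /url "/bin/*" }
/0201 { /type "deny" /url "/crx/*" }
/0202 { /type "deny" /url "/system/*" }
"""

# The four URLs from the question plus a constructed page that must stay open.
PROBES = ["/bin/querybuilder.feed.css", "/bin/querybuilder.json.servlet;%0aa.css",
          "/crx/de/index.jsp;%0aa.css", "/crx/explorer/index.jsp;%0aa.css",
          "/content/site/en.html"]

if __name__ == "__main__":
    for name, text in (("posted", POSTED_FILTERS), ("hardened", HARDENED_FILTERS)):
        rules = parse_filters(text)
        print(f"== {name} filters ==")
        for url in PROBES:
            decision, rule_id = evaluate(rules, "GET", url)
            print(f"{decision:5} by /{rule_id}  {url}")
```

Run as-is, the model reports that in the posted rules the last match for `/crx/de/index.jsp;%0aa.css`, `/crx/explorer/index.jsp;%0aa.css` and `/bin/querybuilder.json.servlet;%0aa.css` is /0041's `* *.css *`, because that glob re-allows anything whose request line ends in `.css` regardless of the deny-all in /0001 and the commented-out /0012 and /0022; /0120 does catch `/bin/querybuilder.feed.css`, but its anchored selector regex does not match the selector string `json.servlet;%0aa`, and a literal `/url "/crx/de/index.jsp"` in /0121 never sees the `;%0aa.css` variant at all. With the three path-keyed denies appended after the mime-type allows, all four probes are denied while `/content/site/en.html` still passes through /0023. The selector split and the anchored-regex behaviour are this model's assumptions, so confirm the outcome with the inspection tool against the real dispatcher after any change.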

gauravb41175071
MVP
08-04-2019

If you have a glob allow * then check the order of "allow" and "deny" for the specific URLs.

Please share your config if that doesn't work.

Hi,

I am seeing the following errors in my dispatchers. Any ideas how to fix them? These checks were run by the INSPEC tool.

 

###################################################################
Below ERRORs are regarding svfv1_filters.any:

ERROR: / getting a 200. Relevant log entries:

ERROR: /_jcr_system/_jcr_versionStorage.json getting a 200. Relevant log entries:

ERROR: /admin getting a 200. Relevant log entries:

ERROR: /api.json getting a 200. Relevant log entries:

ERROR: /apps.xml getting a 200. Relevant log entries:

ERROR: /apps/ams/config/org.apache.felix.http.sslfilter.SslFilter getting a 200. Relevant log entries:

ERROR: /apps/ams/healthcheck/config.author/org.apache.sling.engine.impl.auth.SlingAuthenticator.config getting a 200. Relevant log entries:

ERROR: /apps/ams/healthcheck/config.publish/org.apache.sling.engine.impl.auth.SlingAuthenticator.config getting a 200. Relevant log entries:

ERROR: /apps/ams/install/dispatcher-filter-test-endpoint.core-0.0.2.jar getting a 200. Relevant log entries:

ERROR: /apps/sling/config/org.apache.felix.webconsole.internal.servlet.OsgiManager.config/jcr%3acontent/jcr%3adata getting a 200. Relevant log entries:

ERROR: /bin/crxde/logs getting a 200. Relevant log entries:

ERROR: /bin/querybuilder.feed.css getting a 200. Relevant log entries:

ERROR: /bin/querybuilder.json getting a 200. Relevant log entries:

ERROR: /bin/querybuilder.json.servlet;%0aa.css getting a 200. Relevant log entries:

ERROR: /bin/groovyconsole/audit.servlet getting a 200. Relevant log entries:

ERROR: /bin/groovyconsole/audit.servlet.css getting a 200. Relevant log entries:

ERROR: /bin/groovyconsole/audit.servlet;%0aa.css getting a 200. Relevant log entries:

ERROR: /bin/groovyconsole/post.servlet getting a 200. Relevant log entries:

ERROR: /bin/groovyconsole/post.servlet.css getting a 200. Relevant log entries:

ERROR: /bin/groovyconsole/post.servlet;%0aa.css getting a 200. Relevant log entries:

ERROR: /content.-1.json getting a 200. Relevant log entries:

ERROR: /content.0.json getting a 200. Relevant log entries:

ERROR: /content.1.json getting a 200. Relevant log entries:

ERROR: /content.10.json getting a 200. Relevant log entries:

ERROR: /content.2.json getting a 200. Relevant log entries:

ERROR: /content.blueprint.json getting a 200. Relevant log entries:

ERROR: /content.docview.json getting a 200. Relevant log entries:

ERROR: /content.docview.xml getting a 200. Relevant log entries:

ERROR: /content.feed.html getting a 200. Relevant log entries:

ERROR: /content.feed.xml getting a 200. Relevant log entries:

ERROR: /content.infinity.json getting a 200. Relevant log entries:

ERROR: /content.languages.json getting a 200. Relevant log entries:

ERROR: /content.pages.json getting a 200. Relevant log entries:

ERROR: /content.rss.xml getting a 200. Relevant log entries:

ERROR: /content.s7publish.json getting a 200. Relevant log entries:

ERROR: /content.sysview.xml getting a 200. Relevant log entries:

ERROR: /content.tidy.-1.blubber.json getting a 200. Relevant log entries:

ERROR: /content.tidy.json getting a 200. Relevant log entries:

ERROR: /content/ getting a 200. Relevant log entries:

ERROR: /content/.-1.json getting a 200. Relevant log entries:

ERROR: /content/../libs/foundation/components/text/text.jsp getting a 200. Relevant log entries:

ERROR: /content/.10..json getting a 200. Relevant log entries:

ERROR: /content/.10.json getting a 200. Relevant log entries:

ERROR: /content/.blueprint.conf getting a 200. Relevant log entries:

ERROR: /content/.blueprint.json getting a 200. Relevant log entries:

ERROR: /content/.childrenlist.json getting a 200. Relevant log entries:

ERROR: /content/.infinity..json getting a 200. Relevant log entries:

ERROR: /content/.infinity.json getting a 200. Relevant log entries:

ERROR: /content/.languages.json getting a 200. Relevant log entries:

ERROR: /content/.media.json getting a 200. Relevant log entries:

ERROR: /content/.offline.doc getting a 200. Relevant log entries:

ERROR: /content/.offline.json getting a 200. Relevant log entries:

ERROR: /content/.search.json getting a 200. Relevant log entries:

ERROR: /content/.tidy.json getting a 200. Relevant log entries:

ERROR: /content/.version.json getting a 200. Relevant log entries:

ERROR: /content/add_valid_page.html?debug=layout getting a 200. Relevant log entries:

ERROR: /content/content/geometrixx.sitemap.txt getting a 200. Relevant log entries:

ERROR: /content/dam.tidy.-100.json getting a 200. Relevant log entries:

ERROR: /content/mypage/en._jcr_content.feed getting a 200. Relevant log entries:

ERROR: /content/mypage/en.activity.json getting a 200. Relevant log entries:

ERROR: /content/mypage/en.docview.json getting a 200. Relevant log entries:

ERROR: /content/mypage/en.docview.xml getting a 200. Relevant log entries:

ERROR: /content/mypage/en.feed.html getting a 200. Relevant log entries:

ERROR: /content/mypage/en.feed.xml getting a 200. Relevant log entries:

ERROR: /content/mypage/en.html?debug=layout getting a 200. Relevant log entries:

ERROR: /content/mypage/en.mcmtree.json getting a 200. Relevant log entries:

ERROR: /content/mypage/en.pages.json getting a 200. Relevant log entries:

ERROR: /content/mypage/en.paragraphs.json getting a 200. Relevant log entries:

ERROR: /content/mypage/en.qu%65ry.js%6Fn?statement=//* getting a 200. Relevant log entries:

ERROR: /content/mypage/en.query.json?statement=//* getting a 200. Relevant log entries:

ERROR: /content/mypage/en.query.json?statement=//*[@transportPassword]/(@transportPassword%20|%20@transporturi%20|%20@transportUser) getting a 200. Relevant log entries:

ERROR: /content/mypage/en.rss.xml getting a 200. Relevant log entries:

ERROR: /content/mypage/en.sysview.xml getting a 200. Relevant log entries:

ERROR: /content/mypage/en.tidy.-1.blubber.json getting a 200. Relevant log entries:

ERROR: /content/mypage/en.views.json getting a 200. Relevant log entries:

ERROR: /content/mypage/en/_jcr_content.feed getting a 200. Relevant log entries:

ERROR: /content/mypage/en/_jcr_content.json getting a 200. Relevant log entries:

ERROR: /content/mypage/en/geometrixx.sitemap.txt getting a 200. Relevant log entries:

ERROR: /content/mypage/en/jcr getting a 200. Relevant log entries:

ERROR: /content/mypage/en/jcr getting a 200. Relevant log entries:

ERROR: /content/mypage/en/pagename._jcr_content.feed getting a 200. Relevant log entries:

ERROR: /content/mypage/en/pagename.docview.json getting a 200. Relevant log entries:

ERROR: /content/mypage/en/pagename.docview.xml getting a 200. Relevant log entries:

ERROR: /content/mypage/en/pagename.jcr getting a 200. Relevant log entries:

ERROR: /content/mypage/en/pagename.sysview.xml getting a 200. Relevant log entries:

ERROR: /content/screens.exportsearch.csv getting a 200. Relevant log entries:

ERROR: /content/usergenerated/mytestnode/ getting a 200. Relevant log entries:

ERROR: /crx getting a 200. Relevant log entries:

ERROR: /crx/de getting a 200. Relevant log entries:

ERROR: /crx/de/index.jsp getting a 200. Relevant log entries:

ERROR: /crx/de/index.jsp;%0aa.css getting a 200. Relevant log entries:

ERROR: /crx/explorer getting a 200. Relevant log entries:

ERROR: /crx/explorer/index.jsp getting a 200. Relevant log entries:

ERROR: /crx/explorer/index.jsp;%0aa.css getting a 200. Relevant log entries:

ERROR: /crx/packmgr getting a 200. Relevant log entries:

ERROR: /dav/crx.default getting a 200. Relevant log entries:

ERROR: /dispatcher/invalidate.cache getting a 200. Relevant log entries:

ERROR: /etc.xml getting a 200. Relevant log entries:

ERROR: /etc/ getting a 200. Relevant log entries:

ERROR: /etc/cloudservices.html getting a 200. Relevant log entries:

ERROR: /etc/importers/bulkeditor/export.tsv?query=path%3A%2Fcontent%2Fdam&tidy=true&cols=jcr%3Acontent%2Fsling%3AresourceType%2Cjcr%3Acontent%2Fjcr%3Atitle&separator=null getting a 200. Relevant log entries:

ERROR: /etc/linkchecker.html getting a 200. Relevant log entries:

ERROR: /etc/packages/adobe/ams/dispatcher-filter-test-endpoint.core-0.0.2.zip getting a 200. Relevant log entries:

ERROR: /etc/replication.html getting a 200. Relevant log entries:

ERROR: /etc/replication.infinity.xml getting a 200. Relevant log entries:

ERROR: /etc/replication.xml getting a 200. Relevant log entries:

ERROR: /home/groups/t/tag-administrators.permissions.json getting a 200. Relevant log entries:

ERROR: /home/users/a/admin/profile.json getting a 200. Relevant log entries:

ERROR: /home/users/a/admin/profile.xml getting a 200. Relevant log entries:

ERROR: /is/image getting a 200. Relevant log entries:

ERROR: /jcr getting a 200. Relevant log entries:

ERROR: /libs/ getting a 200. Relevant log entries:

ERROR: /libs/collab/core/content/admin.html getting a 200. Relevant log entries:

ERROR: /libs/cq/core/content/login.json getting a 200. Relevant log entries:

ERROR: /libs/cq/ui/content/dumplibs.html getting a 200. Relevant log entries:

ERROR: /libs/foundation/components/primary/cq/workflow/components/participants/json.GET.servlet getting a 200. Relevant log entries:

ERROR: /libs/wcm/core/content/siteadmin.html getting a 200. Relevant log entries:

ERROR: /projects getting a 200. Relevant log entries:

ERROR: /services/accesstoken/verify getting a 200. Relevant log entries:

ERROR: /services/social/datastore/mongo/reindex getting a 200. Relevant log entries:

ERROR: /services/social/getLoggedInUser getting a 200. Relevant log entries:

ERROR: /services/social/getTranslationProviderInfo getting a 200. Relevant log entries:

ERROR: /services/tagfilter getting a 200. Relevant log entries:

ERROR: /system/console getting a 200. Relevant log entries:

ERROR: /system/sling/cqform/defaultlogin.html getting a 200. Relevant log entries:

ERROR: /system/sling/info.sessionInfo.json getting a 200. Relevant log entries:

ERROR: /system/sling/loginstatus.json getting a 200. Relevant log entries:

ERROR: /tagging getting a 200. Relevant log entries:

ERROR: /var/classes.xml getting a 200. Relevant log entries:

ERROR: /var/linkchecker.html getting a 200. Relevant log entries:

ERROR: /welcome getting a 200. Relevant log entries:
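A way to re-run the "should NOT respond with 200" probes from a report like the one above against a dispatcher after changing the filters, as an added example for this thread (not the AMS INSPEC tool and not code from any poster). It assumes report lines of the form `ERROR: <path> getting a 200 ...`, takes the dispatcher base URL as its first argument, and deliberately uses `http.client` so that each path is sent exactly as listed; the `/content/../libs/...` and `;%0aa.css` probes only mean something if the client does not normalise them away first. The three report lines embedded below are copied from the report above; `fake_probe` is a constructed stand-in used when no base URL is given.

```python
"""
Re-run the "should NOT respond with 200" probes from an INSPEC report against
a dispatcher, so a filter change can be verified before the next inspection.
Added example for this thread, not the AMS tool itself. Assumptions: report
lines look like "ERROR: <path> getting a 200 ...", the dispatcher base URL is
given as the first argument, and each path is sent exactly as listed.
"""
import http.client
import re
import sys
from urllib.parse import urlsplit

REPORT_LINE = re.compile(r"^ERROR: (\S+) getting a 200")


def extract_paths(report_text):
    """Return the probed paths from pasted report output, in order, deduplicated."""
    seen, paths = set(), []
    for line in report_text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m and m.group(1) not in seen:
            seen.add(m.group(1))
            paths.append(m.group(1))
    return paths


def http_status(base_url, path, timeout=10):
    """HTTP status for base_url + path. http.client sends the request-target
    verbatim, so '/../' segments and ';%0a' suffixes reach the dispatcher
    unchanged instead of being normalised away by the client."""
    u = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "dispatcher-recheck"})
        return conn.getresponse().status
    finally:
        conn.close()


def check_blocked(base_url, paths, probe=http_status):
    """Return the paths that still answer 200. 'probe' is injectable so the
    logic can be exercised without a dispatcher (see fake_probe below)."""
    return [p for p in paths if probe(base_url, p) == 200]


# Three lines copied from the report above, used when nothing is piped on stdin.
SAMPLE_REPORT = """\
ERROR: /crx/de/index.jsp;%0aa.css getting a 200. Relevant log entries:
ERROR: /content/../libs/foundation/components/text/text.jsp getting a 200. Relevant log entries:
ERROR: /bin/querybuilder.feed.css getting a 200. Relevant log entries:
"""


def fake_probe(base_url, path):
    """Constructed stand-in for http_status: pretends only /crx/* is still open."""
    return 200 if path.startswith("/crx/") else 404


if __name__ == "__main__":
    # Usage: python recheck.py https://dispatcher.example.test < inspec_report.txt
    base = sys.argv[1] if len(sys.argv) > 1 else None
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    probe = http_status if base else fake_probe
    still_open = check_blocked(base or "http://dispatcher.test", extract_paths(report), probe)
    for p in still_open:
        print(f"FAIL {p} -> 200")
    print(f"{len(still_open)} path(s) still return 200")
    sys.exit(1 if still_open else 0)
```

Paste the tool output on stdin and pass the public dispatcher URL; the exit status is non-zero while any listed path still returns 200, which makes it easy to wire into a deployment check. Any status other than 200 is treated as blocked here, matching the wording of the report, so a 301 or 403 from the web server counts as a pass.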