Solved

Block attacks to AEM servlets

Forum|Forum|2 years ago
March 26, 2023
3 replies
2541 views

Hi,

I am wondering if anyone knows ways to block requests to AEM servlets ? There are attacks to servlets registered at paths say /bin with parameters that are invalid leading to query within the system

i can think of ways to validate the values and then let the process but should we move to options like registering by sling resource types to avoid attacks or block domains via dispatcher or so ?
does registering servlet via resource type for GET method help avert security vulnerability ?

seeking ideas

regards,

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

Best answer by arunpatidar

@arunpatidar thanks.. when you say implement DDOS, is it blocking IPs and domains that you speak of post monitoring? Kindly provide an eg if you have

Also, i dont believe the change to resource type will help, would it?

What we have in our project is protection against this kind of attack at AKAMAI, if there are many request from same IP in a short time, we block the IP/user.(There are policies to handle this kind of securities measures at Load balancer or at CDN level)

Yes change to resource type will not help, but it is a best practice to register servlet using resourceType instead of Path.

Umesh_Thakur

Community Advisor

registering a servlet thru resourceType is always a best practice as you can easily manage the access to that content but sometime we need to have servlet registered with path in such a case you can secure it on dispatcher filter.

Hope this helps

Umesh Thakur

N

NitroHazeDevAuthor

@rohit_utreja @umesh_thakur Thanks, i literally think of proceeding with resourcetype but wouldn't this lead to the same issue knowing that that resource type for instance is accessible with query params will be passed, and read access is allowed? Unless ofcourse suggestion is to use service resolver via system user account?

N

NitroHazeDevAuthor

@rohit_utreja @umesh_thakur thank you both for your inputs..

Rohit_Utreja

Community Advisor

Hi @nitrohazedev

It is recommended to use sling servlet by resource type.

But, in some case we do need to use a servlet by path based on the use-case. In this case,

When a servlet has been registered by resource type, AEM's OOTB access control mechanism plays a critical role.

Whereas, when registered a servlet by path, security is the major concern. However, AEM provides multiple security features including CSRF protection.

arunpatidar

Community Advisor

Besides servlets, you should also protect pages if someone hits them with query parameters.

In this case, DDoS protection and other blocking requests can be helpful.

To avoid hitting the publisher if someone uses query param, you can handle this by removing query param for undesire urls using Apache rewrite rules.

Arun Patidar

N

NitroHazeDevAuthor

@arunpatidar Thanks, but in this case, we do have query params and the security concern is unwanted values in query params leading to query traversal. i can think of validating the query param coming in prior to request being processed but is there any other way?

arunpatidar

Accepted solution

Community Advisor

@arunpatidar thanks.. when you say implement DDOS, is it blocking IPs and domains that you speak of post monitoring? Kindly provide an eg if you have

Also, i dont believe the change to resource type will help, would it?

What we have in our project is protection against this kind of attack at AKAMAI, if there are many request from same IP in a short time, we block the IP/user.(There are policies to handle this kind of securities measures at Load balancer or at CDN level)

Yes change to resource type will not help, but it is a best practice to register servlet using resourceType instead of Path.

Arun Patidar

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded