Hi team!
During the recent bug bounty, we identified that hackers can bypass the AEM dispatcher rules and access the jcr:node data and other sensitive information.
Below are a few patterns/URLs that bypass the authentication and lead to access to sensitive data:
https://www-qa1.salesforce.
http://answers.salesforce.com/
That really depends on your filter set.
Essentially they are using encoded characters to manipulate the request:
- %5B is an encoded [
- %7D is an encoded }
If you look in your dispatcher.log you'll see which filter rule allows that request through. See what it allows and then you can start to understand why it allows it.
You can block these kinds of requests by not allowing suffixes on requests that don't need them at all. For example, here is a filter rule that will allow that type of request but not allow the encoded-character suffixes:
Request: http://answers.salesforce.com/etc/segmentation/sfdc-www.segment.js
```
/03000 {
    /type "allow"
    /method "GET"
    # resource path, without selectors or extension
    /path "/etc/segmentation/*"
    /url "/etc/segmentation/*.js*"
    /extension "js"
    /selectors "segment"
    # blank suffix: nothing may follow the extension
    /suffix ""
}
```
This rule will allow the request through but because the suffix matcher is blank they can't smuggle stuff at the end of the request and have it work.
If you look at the original request and use something like CyberChef to decode it, you'll see the pivot attack:
original: http://answers.salesforce.com/etc/segmentation/sfdc-www.segment.js/jcr:content/%5b.%5b./%5B.%5b./%5b...
decoded: http://answers.salesforce.com/etc/segmentation/sfdc-www.segment.js/jcr:content/[.[./[.[./[.[./[.[./c...
Because the encoded brackets are ignored, it consolidates to:
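To make the effect of the blank `/suffix` concrete, here is a small model of how a dispatcher filter rule is applied to a percent-encoded request. This is an added example written for this thread, not Adobe's dispatcher code or anything posted above: it decodes the URL the way CyberChef would, splits it Sling-style into resource path, selectors, extension and suffix (an assumption about how the real module decomposes URLs), and matches each field with a shell-style glob (also an assumption). The legitimate request is taken from the thread; the encoded request is a constructed, shortened sample modelled on the bracket pattern shown above.

```python
"""Model of an AEM dispatcher /filter rule applied to a percent-encoded URL.

Added illustration, not Adobe's dispatcher source. URL decomposition follows
the Sling convention (resource path, selectors, extension, suffix) and field
matching uses shell-style globs; both are assumptions made so the effect of
`/suffix ""` can be observed on concrete requests.
"""
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

# The /03000 filter rule from the answer above, expressed as a dict.
RULE_03000 = {
    "method": "GET",
    "path": "/etc/segmentation/*",
    "url": "/etc/segmentation/*.js*",
    "extension": "js",
    "selectors": "segment",
    "suffix": "",          # blank: only requests with no suffix at all match
}

# The same rule with the suffix left open, to show what a permissive rule passes.
RULE_OPEN_SUFFIX = {**RULE_03000, "suffix": "*"}

# Legitimate request quoted in the thread.
LEGIT_URL = "http://answers.salesforce.com/etc/segmentation/sfdc-www.segment.js"

# Constructed sample modelled on the encoded-bracket pattern shown in the thread
# (shortened; the reported URL is longer and truncated on the page).
ENCODED_URL = ("http://answers.salesforce.com/etc/segmentation/"
               "sfdc-www.segment.js/jcr:content/%5b.%5b./%5B.%5b./x")


def decompose(raw_url):
    """Percent-decode the request path and split it into the four filter fields.

    /etc/segmentation/sfdc-www.segment.js/jcr:content/x  ->
      path '/etc/segmentation/sfdc-www', selectors 'segment',
      extension 'js', suffix '/jcr:content/x'
    """
    decoded = unquote(urlsplit(raw_url).path)
    dot = decoded.find(".")           # first '.' starts selectors/extension
    if dot == -1:
        return {"url": decoded, "path": decoded,
                "selectors": "", "extension": "", "suffix": ""}
    slash = decoded.find("/", dot)    # first '/' after the dot starts the suffix
    tail = decoded[dot + 1:] if slash == -1 else decoded[dot + 1:slash]
    parts = tail.split(".")
    return {
        "url": decoded,
        "path": decoded[:dot],
        "selectors": ".".join(parts[:-1]),
        "extension": parts[-1],
        "suffix": "" if slash == -1 else decoded[slash:],
    }


def evaluate(rule, raw_url, method="GET"):
    """Return (allowed, per-field results) for one rule against one request."""
    req = decompose(raw_url)
    checks = {"method": method == rule["method"]}
    for field in ("path", "url", "extension", "selectors", "suffix"):
        checks[field] = fnmatchcase(req[field], rule[field])
    return all(checks.values()), checks


if __name__ == "__main__":
    for rule_name, rule in (("/03000", RULE_03000), ("open suffix", RULE_OPEN_SUFFIX)):
        for url in (LEGIT_URL, ENCODED_URL):
            allowed, checks = evaluate(rule, url)
            suffix = decompose(url)["suffix"] or "(no suffix)"
            print(f"{rule_name:12} {'ALLOW' if allowed else 'DENY ':5} suffix={suffix!r}")
            print("             ", checks)
```

Running it shows the point of the answer: the `/path`, `/url`, `/extension` and `/selectors` fields all match the encoded request just as they match the legitimate one, so a rule that stops there (or uses `/suffix "*"`) lets it through, and only the blank `/suffix` denies it because the decoded `/jcr:content/[.[./...` tail is a non-empty suffix.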