During the recent bug bounty, we identified that hackers can bypass the AEM dispatcher rules and access the jcr:node data and other sensitive information. Below are a few patterns/URLs that bypass the authentication and lead to access to the sensitive data.
Query/Help required: Please let me know of any other known patterns that bypass the dispatcher rules and cause serious/dangerous path traversal and data leakage. We will handle them at the dispatcher level.
Question: How do %7D and %5B bypass the dispatcher rules and cause the data leakage? Please help us understand the internal logic behind these Unicode chars.