
How to address hopgoblin's exposed JSON and feed for Query Builder


Greetings,

Our client has asked us to use this tool https://github.com/assetnote/hopgoblin to find and correct possible security issues that the tool's scanner detects. While I was able to fix some of them, I have not been able to find a solution for these two:


I have tried using the dispatcher filter, but it has not worked.


And I have not been able to find out much more about these flags or how to correct them, so any help would be appreciated.

Best Regards and Thanks in advance

Daniel


4 Replies


Hi @DanielMa63,  

I believe the best solution for addressing this alert is to eliminate direct access to the endpoints /bin/querybuilder.json and /bin/querybuilder.feed. For example, you can encapsulate the query within a servlet that strictly controls valid inputs and determines the queries that can be executed.

Although the dispatcher rules prevent external access, if someone gains access to the instances, these APIs could still be exploited. This is why the tool continues to report them.


Hello @giuseppebaglio, how do I eliminate direct access to those endpoints? Is it simply by creating the servlet?

Best regards

Daniel


After creating the servlet, locate the sections of your code where those API endpoints are used and replace the calls with the URL for your new servlet.


To effectively mitigate this alert, direct access to the endpoints /bin/querybuilder.json and /bin/querybuilder.feed should be disabled. Instead, implement a custom servlet that encapsulates query execution logic. This servlet must enforce strict input validation and explicitly define the permissible queries to ensure controlled and secure operations.