How to block HTTP OPTIONS request in AEM

ramgopalm545617
Level 3

26-05-2020

We recently got a security vulnerability as below.

"OPTIONS method returned values including itself"

We wanted to block it at the AEM level using the Apache Sling Referrer Filter by adding OPTIONS to 'filter.methods', and after updating the configuration, I was still able to get a response for the below curl request.

curl -i -X OPTIONS https://test.*****.com/

HTTP/1.1 200 OK
Date: Tue, 26 May 2020 18:28:02 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Allow: OPTIONS, TRACE, GET, HEAD
Content-Length: 0
Content-Security-Policy: frame-ancestors 'self';
Content-Type: text/html

Please help me with any other config through which the OPTIONS method can be blocked for all the URLs hosted on this AEM instance.

Accepted Solutions (1)

raghavc
Level 4

26-05-2020

You can block it at the dispatcher level using the below config

/1040 { /type "deny" /method "OPTIONS" /url "*" }

Updating the Apache Referrer Filter to include the OPTIONS method would only check whether there is a referrer header in the request when you request using the OPTIONS method.
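The rule in the accepted answer works through the Dispatcher's /filter evaluation order: rules are applied top to bottom, a rule matches only if every attribute it specifies matches, and the last matching rule decides. A method-scoped deny therefore has to sit after any broad allow rules, or a later `/url "/content/*"` allow will re-open OPTIONS for that path. The following is an added example, not code from this thread or from Adobe: a small Python model of that evaluation, run against a constructed dispatcher.any fragment (deny-all first, the usual allows, then the /1040 OPTIONS deny) and against the same rules with the OPTIONS deny placed too early. Glob matching is approximated with fnmatch and only the /type, /method, /url and legacy /glob attributes are modelled; those are simplifications of this example, not the Dispatcher's implementation.

```python
"""Model of AEM Dispatcher /filter evaluation (added example, not code from the
thread or from Adobe).  Modelled semantics: rules are read top to bottom, a rule
matches only if every attribute it specifies matches the request, and the LAST
matching rule decides.  Globs are approximated with fnmatch; the dispatcher.any
fragments below are constructed for this example."""
import re
from fnmatch import fnmatchcase

# Constructed fragment: deny everything, re-allow the usual paths, then the
# accepted answer's rule denying OPTIONS for every URL as the final word.
FILTER_CONFIG = '''
/filter
  {
  /0001 { /type "deny"  /url "*" }
  /0002 { /type "allow" /url "/content/*" }
  /0003 { /type "allow" /url "/etc.clientlibs/*" }
  /0004 { /type "allow" /method "GET" /url "/" }
  /1040 { /type "deny"  /method "OPTIONS" /url "*" }
  }
'''

# Same rules, but the OPTIONS deny is placed BEFORE the allow rules (the pitfall).
MISORDERED_CONFIG = '''
/filter
  {
  /0001 { /type "deny"  /url "*" }
  /0002 { /type "deny"  /method "OPTIONS" /url "*" }
  /0003 { /type "allow" /url "/content/*" }
  /0004 { /type "allow" /url "/etc.clientlibs/*" }
  /0005 { /type "allow" /method "GET" /url "/" }
  }
'''

RULE_RE = re.compile(r'/(\w+)\s*\{([^{}]*)\}')   # /0001 { ... }  (innermost braces only)
ATTR_RE = re.compile(r'/(\w+)\s+"([^"]*)"')      # /attr "double-quoted glob"
SUPPORTED = {"type", "method", "url", "glob"}


def parse_filters(config):
    """Return the rules of a /filter section as an ordered list of (name, attrs)."""
    rules = []
    for name, body in RULE_RE.findall(config):
        attrs = dict(ATTR_RE.findall(body))
        if "type" not in attrs:
            raise ValueError(f"rule /{name} has no /type")
        unknown = set(attrs) - SUPPORTED
        if unknown:  # /extension, /selectors, /suffix ... are not modelled here
            raise ValueError(f"rule /{name}: unsupported attribute(s) {sorted(unknown)}")
        rules.append((name, attrs))
    return rules


def rule_matches(attrs, method, url):
    """Every attribute the rule specifies must match; unspecified ones match anything."""
    if "method" in attrs and not fnmatchcase(method, attrs["method"]):
        return False
    if "url" in attrs and not fnmatchcase(url, attrs["url"]):
        return False
    if "glob" in attrs:  # legacy /glob is matched against the whole request line
        if not fnmatchcase(f"{method} {url} HTTP/1.1", attrs["glob"]):
            return False
    return True


def evaluate(rules, method, url):
    """Walk the rules in order; the last matching rule's /type is the decision."""
    decision = "allow"  # assumed when nothing matches; moot here because
                        # rule /0001 denies everything first
    for _name, attrs in rules:
        if rule_matches(attrs, method, url):
            decision = attrs["type"]
    return decision


if __name__ == "__main__":
    probes = [("GET", "/content/we-retail/us/en.html"),
              ("OPTIONS", "/content/we-retail/us/en.html"),
              ("OPTIONS", "/")]
    for label, cfg in (("correct order", FILTER_CONFIG), ("misordered", MISORDERED_CONFIG)):
        rules = parse_filters(cfg)
        for method, url in probes:
            print(f"{label:14} {method:8} {url:32} -> {evaluate(rules, method, url)}")
```

With the correct ordering every OPTIONS request is denied while GET to the same paths stays allowed; in the misordered variant OPTIONS /content/... comes back as allow, because the later `/url "/content/*"` allow rule overrides the earlier method-specific deny. After deploying the real rule, repeat the curl from the question with `-X OPTIONS` against the dispatcher: the 200 with an Allow header should no longer come back. The dispatcher filter only covers requests that pass through the dispatcher; an author or publish instance that is reachable directly is not protected by it.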

Answers (2)

hamidk92094312
Employee

27-05-2020

It seems in your case the info is released by the Apache HTTP server. You may want to check the ServerTokens configuration, which could contribute to this:

https://httpd.apache.org/docs/2.4/es/mod/core.html#servertokens

hamidk92094312
Employee

26-05-2020

Review the following document. There are some OSGi settings that should be changed on your production publish and author instances to avoid internal information leaking to the public.

https://docs.adobe.com/content/help/en/experience-manager-65/administering/security/security-checkli...