Adobe Experience Manager Sites & More

hardik11071994 · 8/27/18

Hi Team,

We are using AEM 6.0 , we are quite aware about things like this is at end of support soon. We are in a way to migrate to AEM 6.3, but at this moment one urgent task for me is to resolve the vulnerability that we have on the site. Apart from the below discuss scenario if you have any other way to mitigate CSRF for AEM 6.0 then please let us know we are ready to implement it. i.e Any GitHub project which provide token functionality.

We need your help to configure properly the referrer filter such a way that it prevent the CSRF attacks.

Currently it's OOTB configurations are present for filter. We need to add allow hosts which is currently blank.

To prevent the CSRF, in allow host what are the entries that i should add? - Do i need to add webservers, ? we have two publish servers that communicate with two webservers. Please help us here. I am quite confuse what needs to add that properly prevent this attacks and issue. Thank you in advance.

arunpatidar · 8/27/18

Hi,

Please check below:

https://taylor.callsen.me/security-and-java-servlets-in-aem-6-1/

Santhosh | myprogressivelearning

Arun Patidar

hardik11071994 · 8/29/18

Hi Arun,

We are looking for the solution for AEM 6.0 SP3. Do you have a solution for that? As I mentioned above , by white-listing the servers , will it resolve CSRF?

arunpatidar · 8/29/18

In above config, you need to add referrer if you are allowing request to your site other than type GET from other domain/host e.g posting form data from other site to your site, otherwise it is ok to keep it blank.

Please check if helps

https://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.html

More info

Referrer-header configurations:

In order to allow the trusted servers, AEM has a referrer filter that can be configured.
In config manager, we have a configuration called “Apache Sling Referrer Filter“. This has below configs

which http methods should be filtered
whether an empty referrer header is allowed
a white list of servers to be allowed in addition to the server host.

In addition two these two, one can implement Cross origin request sharing by using JSONP calls/ manipulating Access-Control-Allow-Origin in request header.

Until AEM 6.2 the official release allows only authenticated POST calls from the external sources.

AEM 6.3 has introduced Cross-Origin Resource sharing configuration that allows authenticated and unauthenticated client side calls. This has configuration for allowed methods (POST,GET,DELETE.etc.,)

The config manager has a configuration named “Adobe Granite Cross Origin Resource Sharing Policy“. This is explained here

Arun Patidar

hardik11071994 · 8/29/18

Hi Arun,

Thank you for your quick response.

So application servers are communicating with webservers , so i need to enter all those http/https entries for webservers in referral filter right in allow host field?

arunpatidar · 8/29/18

yes, do like https://taylor.callsen.me/wp-content/uploads/2018/03/aem-osgi-referrer-filter-configuration.png

Arun Patidar

hardik11071994 · 8/30/18

Hi Arun,

The image is not opening for me , might be due to security reason. Can you paste the screenshot directly here please? Thank you in advance.

arunpatidar · 8/30/18

Arun Patidar

hardik11071994 · 8/30/18

Hi Arun,

Thank you for help.

So basically in allowed host , do i need to enter only domainname.com?

No need to add the webserver entries in the format : http/https://host:port ? , with which application servers are communicating ?

arunpatidar · 8/30/18

Hi,

You need to give hostname only(without protocol and port), I think this service uses getRemoteHost(ServletRequest (Servlet API Documentation) ) method to filter incoming request.

Adobe Experience Manager Sites & More

How to configure Apache Sling Referrer filter to mitigate the CSRF attach in AEM 6.0

Arun Patidar

Referrer-header configurations:

Arun Patidar

Arun Patidar

Arun Patidar

Arun Patidar

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe