Expand my Community achievements bar.

SOLVED

How to resolve External Service Interaction issue in servlet.

Avatar

Level 5
Level 5
11/14/22 3:22:57 AM

Hi,

 

During penTest we found a security issue called External Service Interaction in servlet.

This servlet is called after submitting a form , which has 4-5 fileds .

 

Please let me know how to resolve this issue.

 

Views

351

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
2/25/24 4:28:52 AM

The External Service Interaction vulnerability in a servlet typically occurs when the servlet interacts with external services without proper validation or authorization. Here's a general guideline:

1. Validate User Input: Ensure that all user inputs submitted through the form are properly validated and sanitized to prevent injection attacks such as SQL injection, XSS, etc. Ensure that only expected and safe inputs are accepted.

2. Implement Proper Authorization: Check if the servlet has proper authorization checks in place to verify whether the user has the necessary permissions to access the servlet and interact with external services. You can use AEM's user/group permissions or custom authorization mechanisms for this purpose.

3. Limit External Service Interaction: Minimize the interaction of the servlet with external services to only what is necessary for the application's functionality. Avoid exposing sensitive data or functionality unnecessarily and restrict the communication to trusted and verified external services.

4. Use Secure Communication Protocols: Ensure that any communication with external services is done over secure protocols such as HTTPS to encrypt the data in transit and prevent interception or tampering.

Aanchal Sikka

View solution in original post

Views

89

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Community Advisor
Community Advisor
11/14/22 7:23:31 AM

Hi @aem-enthu27,

Perform DNS (Domain name system) lookups for hostnames in AEM.

Kindly refer below references for the same.

[0]: External Service Interaction (DNS)

Hope that helps!

Regards,

Santosh

Views

336

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 5
Level 5
11/14/22 7:54:56 PM
In response to SantoshSai

No @SantoshSai  it is not helpfull , I have seen that question .

I think you have not read my question properly. Issue is with servlet.

Which is wriiten for some form with few query parameters .

Views

326

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
2/25/24 4:28:52 AM

The External Service Interaction vulnerability in a servlet typically occurs when the servlet interacts with external services without proper validation or authorization. Here's a general guideline:

1. Validate User Input: Ensure that all user inputs submitted through the form are properly validated and sanitized to prevent injection attacks such as SQL injection, XSS, etc. Ensure that only expected and safe inputs are accepted.

2. Implement Proper Authorization: Check if the servlet has proper authorization checks in place to verify whether the user has the necessary permissions to access the servlet and interact with external services. You can use AEM's user/group permissions or custom authorization mechanisms for this purpose.

3. Limit External Service Interaction: Minimize the interaction of the servlet with external services to only what is necessary for the application's functionality. Avoid exposing sensitive data or functionality unnecessarily and restrict the communication to trusted and verified external services.

4. Use Secure Communication Protocols: Ensure that any communication with external services is done over secure protocols such as HTTPS to encrypt the data in transit and prevent interception or tampering.

Aanchal Sikka

Views

90

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply