List all possible selectors and extensions for denial of service (DoS) attack mitigation

25793466, 17-07-2018

Under the guidance of the security checklist (Security Checklist: "Incorporate controls at the application level; Control the selectors in your application"), how would I determine all possible extensions and selectors that are running in my instance?


25793466, 18-07-2018

Right.  I know from that perspective.  Our deployment has one package that I wrote, so I know our selectors.  But I can imagine an application, perhaps poorly architected, that has many code packages where a developer might introduce a selector that could cause problems.  It would be nice to query them from an administrative perspective to ensure compliance.

And what about the out-of-the-box ones?  I am assuming only the .html (Apache Sling Servlet/Script Resolver and Error Handler) and .json (Apache Sling GET Servlet) extensions are available.  What about default selectors?

This is all really a theoretical exercise for what can be done on the publish instance.  In practice, we completely lock down our application through the dispatcher.  Only .html files on our content paths are supported.  No selectors on .html.  No .json either.  We even lock down assets (js, css) to specific paths and disable all selectors except for minify.
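The lockdown described in this reply (only .html on content paths, no selectors on .html, no .json, assets served only from specific paths with the minify selector) written out as a runnable default-deny model. This is an added example, not code from the post and not Adobe's Sling or Dispatcher implementation: the `/content/` and `/etc/designs/` prefixes, the `min` selector name and the sample URLs are assumptions, and the URL decomposition is deliberately simplified, since there is no repository to resolve the resource path against.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SlingRequest:
    resource_path: str
    selectors: List[str]
    extension: Optional[str]
    suffix: Optional[str]


def decompose(url: str) -> SlingRequest:
    """Split a request URL Sling-style: /path/resource.sel1.sel2.ext/suffix.

    Assumption: no repository is available, so the first path segment that
    contains a dot is taken as the resource name. Real Sling picks the longest
    prefix that resolves to an existing resource, which is why the set of
    selectors a deployment accepts cannot be read off the URLs alone.
    """
    path = url.split("?", 1)[0].split("#", 1)[0]
    segments = path.split("/")
    for i, seg in enumerate(segments):
        if "." not in seg:
            continue
        name, _, rest = seg.partition(".")
        resource_path = "/".join(segments[:i] + [name])
        parts = rest.split(".")
        extension = parts[-1] or None       # last dotted part is the extension
        selectors = parts[:-1]              # everything between name and extension
        trailing = segments[i + 1:]
        suffix = "/" + "/".join(trailing) if trailing else None
        return SlingRequest(resource_path, selectors, extension, suffix)
    return SlingRequest(path, [], None, None)


# Allow-list modelled on the reply's dispatcher lockdown (paths and the
# selector name are assumptions): (label, path prefixes, extensions, selectors
# that may appear). Anything not matched here is denied.
ALLOW_RULES = [
    ("content pages", ("/content/",), {"html"}, set()),
    ("client libraries", ("/etc/designs/",), {"js", "css"}, {"min"}),
]


def evaluate(url: str) -> Tuple[bool, str]:
    """Default-deny check: only request shapes listed in ALLOW_RULES pass."""
    req = decompose(url)
    if req.suffix is not None:              # no allow rule ever permits a suffix
        return False, f"suffix {req.suffix!r} not allowed"
    for label, prefixes, extensions, permitted in ALLOW_RULES:
        if (req.resource_path.startswith(prefixes)
                and req.extension in extensions
                and set(req.selectors) <= permitted):
            return True, f"{label}: {req.resource_path}"
    return False, (f"no allow rule for path={req.resource_path} "
                   f"selectors={req.selectors} ext={req.extension}")


# Constructed sample requests, not taken from any real deployment.
SAMPLE_REQUESTS = [
    "/content/site/en/home.html",                 # plain page: allowed
    "/content/site/en/home.print.html",           # selector on .html: denied
    "/content/site/en/home.json",                 # .json: denied
    "/content/site/en/home.infinity.json",        # Sling GET servlet depth selector: denied
    "/content/site/en/home.html/a/b",             # suffix: denied
    "/etc/designs/site/clientlibs/main.min.js",   # minified clientlib: allowed
    "/etc/designs/site/clientlibs/main.debug.js", # any other selector: denied
]

if __name__ == "__main__":
    for sample in SAMPLE_REQUESTS:
        ok, why = evaluate(sample)
        print("ALLOW" if ok else "DENY ", sample, "-", why)
```

Because `decompose` has no repository, a resource path that itself contains a dot (for example a folder named `etc.clientlibs`) would be cut at that dot and mis-parsed; a dispatcher or Sling in front of a real repository resolves such paths correctly, so any static model like this one should be cross-checked against the actual filter rules rather than trusted on its own.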