Overlay 403 error page for rejected referrer | Community
March 19, 2024
Solved

Overlay 403 error page for rejected referrer

  • March 19, 2024
  • 3 replies
  • 2210 views

Good morning,
we maintain an AEM site for one of our customers. It runs on AEM 6.5 with sp19.
Another consulting company conducted a WAPT on the site.
While calling a service exposed by a servlet implemented in our code base, they faced an error. They said that the error is not properly handled because it can reveal information that can be used by an attacker.
These are the texts shown in the response page:
HTTP ERROR 403 Forbidden
URI: /content/mysite/some_path/_jcr_content/service.json
STATUS: 403
MESSAGE: Forbidden
SERVLET: org.apache.felix.http.base.internal.dispatch.DispatcherServlet-20a53b01

The information that should not be exposed here is the last row about DispatcherServlet.

This is the error I find in error.log
04.03.2024 10:49:33.194 *INFO* [qtp409487897-61] org.apache.sling.security.impl.ReferrerFilter Rejected referrer header for POST request to /content/mysite/some_path/_jcr_content/service.json : https://mydomain.com/content/mysite/some_path/some_page.html

Can you tell us how we can fix the problem, hiding such details about DispatcherServlet?

We already have a custom 404 page implemented at this path /apps/sling/servlet/errorhandler/404.html
We already tried implementing a 403 page at the same path (/apps/sling/servlet/errorhandler/403.html) but the custom 403 page we created is not called, we still have the message I showed before.

I don't know if the problem is the fact that there is no /libs/sling/servlet/errorhandler/403.jsp in /libs to overlay.

The 403 page we want to implement should handle any 403 error that comes up; anyway, I specified "for rejected referrer" because this is the case that has been brought to our attention.


Best regards.

Best answer by arunpatidar
3 replies

arunpatidar
Community Advisor (Accepted solution)
March 19, 2024

Hi @afanot 
Why are you allowing all .json requests to reach the publisher? They should be blocked at the dispatcher using a filter.

So you deny everything and then allow only what is supposed to reach the publishers.

Example : https://github.com/arunpatidar02/aemaacs-aemlab/blob/master/dispatcher.cloud/src/conf.dispatcher.d/filters/default_filters.any 

 

Use dispatcher for error handling: 

https://github.com/arunpatidar02/aemaacs-aemlab/blob/e31fc62bfd147e56ecaca740c6e2739c66c75f75/dispatcher.cloud/src/conf.d/available_vhosts/aemlab.vhost#L50 

 

Arun Patidar
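As an added illustration of the "deny everything, then allow what must reach the publisher" approach Arun describes (this is example configuration written for this thread, not the contents of the linked aemlab repository), here is a dispatcher filters section in the .any syntax. The site paths and the "serviceName" selector are placeholders; the selector rule follows the GET-plus-selector refinement Arun gives later in the thread. Because the dispatcher answers denied requests itself, a request for a path like /content/mysite/some_path/_jcr_content/service.json never reaches Sling, so the Jetty error page that exposed the DispatcherServlet name is not produced.

```apache
# Added example filters.any for the AEM dispatcher (not from the thread or the
# linked aemlab repo). Paths and the "serviceName" selector are placeholders.
# Rules are evaluated in order; the last matching rule decides.

/filter {
  # Default: nothing reaches the publisher unless a later rule allows it.
  /0001 { /type "deny"  /url "*" }

  # Normal page delivery: GET of .html pages under the site root.
  # The custom error pages referenced by ErrorDocument must also be
  # allowed here, otherwise the dispatcher cannot fetch them.
  /0010 { /type "allow" /method "GET" /path "/content/mysite/*" /extension "html" }

  # Assets from the DAM, GET only.
  /0011 { /type "allow" /method "GET" /path "/content/dam/mysite/*" }

  # Client libraries (CSS/JS) and the clientlib proxy.
  /0012 { /type "allow" /method "GET" /path "/etc.clientlibs/*" }

  # The only JSON the publisher answers: the service endpoint, addressed by
  # a selector on the page path and restricted to GET. Every other .json
  # request, including the /_jcr_content/... form, stays denied by /0001.
  /0020 { /type "allow" /method "GET" /path "/content/mysite/some_path" /selectors "serviceName" /extension "json" }

  # Explicit denies that win over any allow above them: JCR-internal paths
  # and the default Sling JSON renderers (tree dumps, infinity, tidy, ...).
  /0030 { /type "deny" /url "*/_jcr_content*" }
  /0031 { /type "deny" /selectors '(infinity|tidy|harray|children|[0-9-]+)' /extension '(json|xml)' }
}
```

Double-quoted values are glob patterns and single-quoted values are regular expressions, which is why the renderer-selector rule uses single quotes. If the service genuinely needs POST (the thread's author mentions it accepts JSON data), the /0020 rule would carry /method "POST" instead, but it should still be limited to that one path and selector rather than to *.json.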
afanot (Author)
March 20, 2024

I thank you both for your replies.

 

@arunpatidar 
Regarding JSON, the service I was talking about accepts data in that format, so we have rules in dispatcher.any that allow JSON.
Maybe we can set stricter rules, but I don't think that the problem is due to those rules. I'm comparing the request they gave us to reproduce the problem in Postman with the one I obtain from the page with the browser, which doesn't cause the error. Even if the error is about the referrer, what I noticed since the beginning, with great surprise, is that the referrer in the two requests is the same.
Maybe the error is caused by another header parameter, but I haven't found it yet.
We already have ErrorDocument directives in httpd.conf for 403 and 404 errors. But in this case the page displayed is another page that is maybe handled by Sling.

 

@estebanbustamante 

I will check the page you suggested.

afanot (Author)
March 25, 2024

Hi @afanot 

You should deny .json but enable only with some selector and GET method type

e.g. /content/mysite/some_path.serviceName.json

This would restrict all POST and GET except your service call with GET

 


Hi @arunpatidar and @estebanbustamante ,

we are going to implement the 403 and 404 pages at dispatcher level with the ErrorDocument instruction.
We already had that instruction for the 404 error, but it wasn't working because DispatcherPassError was set to 0.

Thanks again for your suggestions.

 

Best regards.
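To show the combination the thread's author settled on, here is an added example of the relevant part of an Apache vhost in front of the dispatcher (example configuration written for this thread, not the linked aemlab vhost). The host name and error-page paths are placeholders. The key line is DispatcherPassError: with the default value 0 the dispatcher forwards the publisher's own error body (the Jetty page showing the servlet class) and Apache's ErrorDocument rules are never consulted, which matches what the author observed.

```apache
# Added example vhost fragment for Apache + AEM dispatcher (not from the
# thread or the linked aemlab repo). ServerName and error-page paths are
# placeholders for the site discussed above.

<VirtualHost *:80>
    ServerName mydomain.com
    DocumentRoot /var/www/html

    <IfModule disp_apache2.c>
        # Let the dispatcher serve the vhost.
        SetHandler dispatcher-handler

        # 1 = error responses (4xx/5xx) from the publisher are handed back to
        # Apache so that ErrorDocument applies. 0 (the default) passes the
        # publisher's error page, including its SERVLET line, straight through.
        DispatcherPassError 1
    </IfModule>

    # Custom pages for rejected requests. Apache fetches these via an internal
    # subrequest that goes through the dispatcher to the publisher, so the
    # dispatcher filter must allow GET on these .html paths.
    ErrorDocument 403 /content/mysite/errors/403.html
    ErrorDocument 404 /content/mysite/errors/404.html
    ErrorDocument 500 /content/mysite/errors/500.html

    # Keep Apache's own error responses generic as well.
    ServerSignature Off
</VirtualHost>
```

After changing the vhost, a request that the referrer filter rejects is still answered with status 403, but the body is now the site's own 403 page, so no container or servlet details leave the publisher. ServerSignature Off is a server-wide hardening directive and only affects Apache-generated pages; the publisher's body is what DispatcherPassError replaces.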

EstebanBustamante
Community Advisor and Adobe Champion
March 19, 2024

Hi, 

You should have an error handler for any 403 error. You can implement this at different layers of your architecture.

  • You could use it at the dispatcher layer, as Arun has shared the snippet.
  • You could do it at the Sling level.
  • You could even do it at the component level.

Please check this article, which explains in detail how to handle these scenarios: https://blog.3sharecorp.com/error-handling-in-aem

 

Hope this helps

 

Esteban Bustamante
kautuk_sahni
Community Manager
March 20, 2024

@afanot Did you find the suggestions from users helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found the solution yourself, please share it with the community.

Kautuk Sahni