If you’ve ever looked into AEM you may have heard of Mikhail Egorov (@0ang3el). He has done some excellent security research on the AEM framework and created a bunch of tools, available from his GitHub repo. It was his work that inspired me to share my experience. When testing AEM it makes sense to follow the same methodology as for any other web app. However, it’s one of those frameworks that seems to baffle people: misconfiguration issues are common. Over time I have developed a specific methodology for testing AEM, and it leverages those misconfiguration problems. For example, a seemingly minor issue can leak PII, or even lead to complete compromise.