Servlet access via browser vs a component JS

NitroHazeDev
Level 4

29-05-2018

All,

Does anyone know how I could fix the issue I see?

I have a servlet at path /bin and it's a GET, so the component JS has an Ajax script that invokes this servlet passing parameters. All good till here, but now I want to prevent any malicious user from picking up this servlet path, along with the GET request parameters, via the Inspect Element / Firebug Network tab in Chrome and accessing it to get data.

The users are not stored in AEM.

Please let me know if this is supposed to be handled on the server side or in the dispatcher, and how I could resolve this issue.

Replies

Arun_Patidar
MVP

29-05-2018

Hi,

If you can use another method like POST, there is a way to restrict POST requests based on host.

There is an OSGi configuration, Apache Sling Referrer Filter, where you can specify the allowed hosts and the allowed request types.

[Screenshot: Screen Shot 2018-05-29 at 5.31.30 PM.png]

I am not sure how you can do this in the case of the GET method.

Thanks

Arun
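As an added example (not code from this thread and not the Sling Referrer Filter's own implementation), the following is a simplified Python model of the check Arun describes: the hostname of the Referer header is compared with the Host header (or an allow-list of hosts), and only the configured request types are checked, so a GET passes untouched unless GET is added to that list. The names ALLOWED_HOSTS and FILTERED_METHODS, the defaults they hold, and the sample request headers are all constructed for this example and are not Sling's configuration keys.

```python
from urllib.parse import urlsplit

# Constructed configuration modelling the two settings named in the reply above:
# the allowed hosts and the request types the filter applies to. The names and
# defaults are this example's own assumptions, not Sling's configuration keys.
ALLOWED_HOSTS = {"www.example.com"}
FILTERED_METHODS = {"POST", "PUT", "DELETE"}


def referrer_host(headers):
    """Hostname from the Referer header, or None when it is missing or has no host."""
    ref = headers.get("Referer")
    if not ref:
        return None
    return urlsplit(ref).hostname  # lower-cased, port stripped by urlsplit


def request_host(headers):
    """Hostname from the Host header (port removed, IPv6 literal handled), or None."""
    host = headers.get("Host")
    if not host:
        return None
    return urlsplit("//" + host.strip()).hostname


def referrer_check(method, headers, allowed_hosts=ALLOWED_HOSTS,
                   filtered_methods=FILTERED_METHODS):
    """Return (accepted, reason) for one request, modelling the referrer check."""
    if method.upper() not in filtered_methods:
        # Methods outside the filtered set are passed through without any check,
        # which is why a plain GET is not covered by the default configuration.
        return True, "method not filtered"
    ref_host = referrer_host(headers)
    if ref_host is None:
        return False, "missing or hostless Referer"
    if ref_host == request_host(headers):
        return True, "referrer matches Host header"
    if ref_host in allowed_hosts:
        return True, "referrer in allowed hosts"
    return False, f"referrer host {ref_host!r} not allowed"


# Constructed sample requests (not captured traffic): label, method, headers.
SAMPLE_REQUESTS = [
    ("same-origin POST", "POST",
     {"Host": "www.example.com", "Referer": "https://www.example.com/content/page.html"}),
    ("cross-site POST", "POST",
     {"Host": "www.example.com", "Referer": "https://other.example.net/form.html"}),
    ("POST without Referer", "POST",
     {"Host": "www.example.com"}),
    ("cross-site GET", "GET",
     {"Host": "www.example.com", "Referer": "https://other.example.net/form.html"}),
]


def evaluate(samples=SAMPLE_REQUESTS, **cfg):
    """Run the check over the samples; returns {label: accepted}."""
    return {label: referrer_check(method, headers, **cfg)[0]
            for label, method, headers in samples}


if __name__ == "__main__":
    for label, accepted in evaluate().items():
        print(f"{label:22s} -> {'accepted' if accepted else 'rejected'}")
```

Running it with the defaults accepts the same-origin POST and rejects the cross-site POST and the POST with no Referer, while the cross-site GET is accepted because GET is not in the filtered set; passing `filtered_methods={"GET", "POST"}` makes the cross-site GET fail the same check. Note what this does and does not protect: it stops a page on another host from triggering the request (a CSRF defence), but it is not an access control for data the user's own browser already holds, which is the point made later in the thread.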

NitroHazeDev
Level 4

29-05-2018

Thanks Arun, I wanted to use GET since I am not performing any operations that would really require me to use POST, and I was trying to avoid misuse. Is this the only way to proceed?

How do CQ applications usually go about this with a GET? I know a CSRF token is used, but I don't believe it is on publisher instances.

NitroHazeDev
Level 4

29-05-2018

Also, please let me know what the allowed host would be in our case: the server hostname? If yes, then a malicious user would use the hostname followed by the servlet path and this would let him through, won't it? Sorry if I ask questions that make no sense; I am new to the topic.

Arun_Patidar
MVP

29-05-2018

Hi,

The hostname would be the domains from which POST requests are allowed.

It checks if the hostname of the referring page (HTTP header: Referer) is the same as the hostname in the HTTP Host header.

Security Checklist

There is an article about CSRF and the Sling referrer filter; please check if it helps:

CSRF in AEM | myprogressivelearning

Thanks

Arun

Jörg_Hoh
Employee

29-05-2018

Hi,

let me rephrase your request to see if I got it right:

* you have a servlet and you bound it to a path below /bin, e.g. /bin/my/servlet.

* you call this servlet from JS using parameters

* and now you want to restrict that in such a way that a user (who is supposed to execute this call) cannot see the parameters he's sending from the browser to AEM.

Is that correct?

If yes: you can't do that. The data is in the browser of the user, and you have to assume that the user can access that data. Hiding it somehow is not a secure solution. If you want to prevent access to this data, don't transfer it to the browser.

Jörg

nchandra
Level 2

29-05-2018

There is no way you can block the GET requests without any authentication/authorization mechanism. I believe if you are using a GET request then it is serving public content, so this shouldn't be an issue.

If a malicious user hits the GET request, he will see the public content, which is what he would see on your public site. If they spam numerous requests, then your firewall will block those requests and will blacklist those IPs.