Expand my Community achievements bar.

Servlet access via browser vs a component JS

Avatar

Level 10
Level 10
5/29/18 8:03:03 AM

All,

Anyone knows how i could fix the issue i see?

I have a servlet at path /bin and its a GET.. so the component JS has an Ajax script that invokes this servlet passing parameters. All good tll here but now i want to avoid any malicious user from picking up this servlet path  along with the GET request parameters, via the inspect element firebug Network tab on chrome and access it getting data.

The users are not stored in aem.

Please let me know if this is supposed to be handled at the server side or dispatcher and how i could resolve this issue.

Views

2.2K

Replies

6
Sign in to like this content

Total Likes

Translate
Translate
6 Replies

Avatar

Community Advisor
Community Advisor
5/29/18 8:36:30 AM

Hi,

If you can use other method like POST method, there is a way to restrict Post request based on host.

There is osgi configuration Apache Sling Referrer Filter from where you can specify allowed host and request allowed request type.

Screen Shot 2018-05-29 at 5.31.30 PM.png

I am not sure how you can do this in case of  GET method.

Thanks

Arun



Arun Patidar

Views

2.1K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
5/29/18 8:38:18 AM
In response to arunpatidar

Thanks Arun, i wanted to use GET since i am not performing any operations that would really require me to use POST and was trying to avoid a misuse. Is this the only way to proceed?

How do CQ applications usually go about with a GET , i know a CSRF token is used but i dont believe it is on publisher instances.?

Views

2.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 10
Level 10
5/29/18 9:42:49 AM
In response to arunpatidar

Also pleas let me know what the allowed host would be in our case- server hostname? if yes, then malicious user would user the hostname folowed by servlet path and this would let him through won't it? sorry if i ask questions that make no sense..i am new to the topic,

Views

2.1K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
5/29/18 11:34:15 AM
In response to NitroHazeDev

Hi,

hostname would be domains from which POST requests are allowed.

It checks if the hostname of the referring page (HTTP header: referrer) is the same as the hostname in the HTTP host header.

Security Checklist

There is an article about CSRF and Sling referrer , please check if it helps:

CSRF in AEM | myprogressivelearning

Thanks

Arun



Arun Patidar

Views

2.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
5/29/18 12:48:11 PM

Hi,

let me rephrase your request to set if I got it right:

* you have a servlet and you bound it to a path below /bin, e.g. /bin/my/servlet.

* you call this servlet from JS using parameters

* and now you want to restrict that in a way, that a user (who is supposed to execute this call) cannot see the parameters he's sending from the browser to AEM.

Is that correct?

If yes: You can't do that. The data is in the browser of the user, and you have to assume, that the user can access that data. Hiding it somehow is not a secure solution. If you want to prevent access to this data, don't transfer it to the browser.

Jörg

Views

2.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
5/29/18 3:06:05 PM

There is no way you can block the GET requests with out any authentication/authorization mechanism. I believe if you are using GET request then it is serving public content, then this shouldn't be an issue. 

If Malicious user hits the GET request will see the public content what he will see in your public site. If they span multiple numerous requests then your Firewall will block those request and will blacklist those IP's.

Views

2.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate