DefaultGetServlet leads to access of AEM nodes

Question

Hi

While checking for the application security, we have found that the POST Servlet is exposed, which allows to anonymous user to add jcr:node

POST /.json;%0AKPI.css HTTP/2
Host: <domain>
User-Agent: curl/7.30.0
Accept-Encoding: gzip, deflate
Accept: /
Content-Type: application/x-www-form-urlencoded
Referer: <doamin>
Content-Length: 14

:operation=nop

we have just use NOP operation to prove it’s exposed ,attacker can use any other operation here

What's the best possible way to restrict it without impact the running application?

Thanks,

Rajendra

Nikhil_Verma · Accepted Answer

Add below to your dispatcher filter rules:

/0025 { /type "deny" /method "POST" /url "*.json" }

Dispatcher filter config: https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/dispatcher-configuration.html?lang=en#defining-a-filter

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded