SOLVED

DefaultGetServlet leads to access of AEM nodes


Hi,

While checking the application security, we have found that the POST Servlet is exposed, which allows an anonymous user to add jcr:node:

POST /.json;%0AKPI.css HTTP/2
Host: <domain>
User-Agent: curl/7.30.0
Accept-Encoding: gzip, deflate
Accept: */*
Content-Type: application/x-www-form-urlencoded
Referer: <domain>
Content-Length: 14

:operation=nop

We have just used the NOP operation to prove it's exposed; an attacker can use any other operation here.

What's the best possible way to restrict it without impacting the running application?

Thanks,

Rajendra

1 Accepted Solution


Correct answer by
Level 5

Add the rule below to your dispatcher filter rules:

/0025 { /type "deny" /method "POST" /url "*.json" }
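The following is an added example, not code from this thread or from Adobe: a small Python model of how dispatcher /filter rules are evaluated (assumed here: globs must match the whole URL, rules are checked in order with the last match winning, and an unmatched request is denied), wrapped around a constructed rule set that includes the /0025 rule above. It reports which rules fire for a given request, including the exact URL from the report, so a deployed filter set can be checked against that request instead of assumed to cover it.

```python
import re
from typing import List, NamedTuple, Optional

# Toy model of AEM Dispatcher /filter evaluation (added example, not Adobe's code).
# Assumptions: '*' matches any run of characters, '?' exactly one, a pattern must
# match the WHOLE value, rules run in order and the last matching rule wins.

class Request(NamedTuple):
    method: str
    url: str          # request path as the dispatcher sees it, query string stripped

class Rule(NamedTuple):
    name: str         # e.g. "/0025"
    kind: str         # "allow" or "deny"
    method: Optional[str] = None
    url: Optional[str] = None

def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a dispatcher-style glob into a regex used with fullmatch()."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body, re.DOTALL)

def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.method is not None and rule.method != req.method:
        return False
    if rule.url is not None and glob_to_regex(rule.url).fullmatch(req.url) is None:
        return False
    return True

def matching_rules(rules: List[Rule], req: Request) -> List[str]:
    """Names of every rule that fires for the request, in evaluation order."""
    return [r.name for r in rules if rule_matches(r, req)]

def decide(rules: List[Rule], req: Request) -> str:
    verdict = "deny"                      # assumption: nothing matched -> deny
    for rule in rules:
        if rule_matches(rule, req):
            verdict = rule.kind           # last matching rule wins
    return verdict

# Constructed sample filter set: deny-all, open site content, then the rule from the answer.
RULES = [
    Rule("/0001", "deny", url="*"),
    Rule("/0002", "allow", url="/content/*"),
    Rule("/0025", "deny", method="POST", url="*.json"),
]

if __name__ == "__main__":
    for req in (Request("GET", "/content/site/en.json"),
                Request("POST", "/content/site/en.json"),
                Request("POST", "/.json;%0AKPI.css")):   # the request from the report
        print(req.method, req.url, "->", decide(RULES, req), matching_rules(RULES, req))
```

In this model the `*.json` glob matches `/content/site/en.json` but not the reported URL `/.json;%0AKPI.css`, which is only denied by the deny-all rule; verify against your real rule set which rule actually blocks that request.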
