A Hacker's perspective on AEM applications securityMikhail Egorov
Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, managing marketing content and assets. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed toolset for AEM hacking to automate security testing of AEM web-applications.
In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web-application.
In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.
A story of the passive aggressive sysadmin of AEMFrans Rosén
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
Adobe Experience Manager (AEM) is an enterprise-grade CMS. It’s used by high-profile companies like Linkedin, Apple, Mastercard, Western Union, Cisco, General Motors, and others. AEM is built on top of the Apache Sling, Apache Felix and Apache Jackrabbit Oak projects. In the talk, the author will share unique methodology on how to approach AEM weabpps in pentests or bug bounty programs. Misconfiguration issues, as well as product vulnerabilities, will be covered in the talk, including newly discovered vulnerabilities for which Adobe PSIRT assigned CVE ids. The author will share automation tool for discovering vulnerabilities and misconfigurations discussed in the talk.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
A Hacker's perspective on AEM applications securityMikhail Egorov
Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, managing marketing content and assets. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed toolset for AEM hacking to automate security testing of AEM web-applications.
In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web-application.
In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.
A story of the passive aggressive sysadmin of AEMFrans Rosén
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
Adobe Experience Manager (AEM) is an enterprise-grade CMS. It’s used by high-profile companies like Linkedin, Apple, Mastercard, Western Union, Cisco, General Motors, and others. AEM is built on top of the Apache Sling, Apache Felix and Apache Jackrabbit Oak projects. In the talk, the author will share unique methodology on how to approach AEM weabpps in pentests or bug bounty programs. Misconfiguration issues, as well as product vulnerabilities, will be covered in the talk, including newly discovered vulnerabilities for which Adobe PSIRT assigned CVE ids. The author will share automation tool for discovering vulnerabilities and misconfigurations discussed in the talk.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the resource originated.
A web page may freely embed images, stylesheets, scripts, iframes, videos and some plugin content (such as Adobe Flash) from any other domain. However embedded web fonts and AJAX (XMLHttpRequest) requests have
traditionally been limited to accessing the same domain as the parent web page (as per the same-origin security policy). "Cross-domain" AJAX requests are forbidden by default because of their ability to perform
advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce many cross-site scripting security issues.
CORS defines a way in which a browser and server can interact to determine safely whether or not to allow the cross-origin request. It allows for more freedom and functionality than purely
same-origin requests, but is more secure than simply allowing all cross-origin requests. It is a recommended standard of the W3C.
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
Long thought to be relegated to the domain of fast, multithreaded desktop applications, race conditions have made their way into web applications. These bugs are often difficult to test for, and are becoming increasingly prevalent due to faster and faster clients, while server-side languages like Node.js and PHP are struggling to keep up. Race conditions are no longer just bugs- when they are found in critical components of web applications, they become a serious security vulnerability. If the proper checks and defensive measures are not in place, databases get confused, “one-time-use” becomes a relative term, and “limited” becomes “unlimited”. This talk will detail specific examples where malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the resource originated.
A web page may freely embed images, stylesheets, scripts, iframes, videos and some plugin content (such as Adobe Flash) from any other domain. However embedded web fonts and AJAX (XMLHttpRequest) requests have
traditionally been limited to accessing the same domain as the parent web page (as per the same-origin security policy). "Cross-domain" AJAX requests are forbidden by default because of their ability to perform
advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce many cross-site scripting security issues.
CORS defines a way in which a browser and server can interact to determine safely whether or not to allow the cross-origin request. It allows for more freedom and functionality than purely
same-origin requests, but is more secure than simply allowing all cross-origin requests. It is a recommended standard of the W3C.
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
Long thought to be relegated to the domain of fast, multithreaded desktop applications, race conditions have made their way into web applications. These bugs are often difficult to test for, and are becoming increasingly prevalent due to faster and faster clients, while server-side languages like Node.js and PHP are struggling to keep up. Race conditions are no longer just bugs- when they are found in critical components of web applications, they become a serious security vulnerability. If the proper checks and defensive measures are not in place, databases get confused, “one-time-use” becomes a relative term, and “limited” becomes “unlimited”. This talk will detail specific examples where malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:
-AWS Hardening
-AWS Monitoring
-AWS Disaster Recovery
-GitHub Monitoring
-OPINT
-Software Development Practices/Processes
-Secure use of Jenkins/Hudson
-Developer laptop hardening (OS X)
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
8 Most Popular Joomla Hacks & How To Avoid ThemSiteGround.com
Slides from a SiteGround webinar by SiteGround Joomla Performance Guru, Daniel Kanchev. He reveals the 8 most common ways a Joomla website can get hacked and what you can do to protect yourself from each of those hacks.
Outdated Extensions & Themes
Vulnerable Extensions & Themes
Stolen or Weak Login Details
Outdated / Vulnerable Server Software
Incorrectly Configured Web Server
Vulnerable Joomla on a Host Server
Incorrect Joomla Permissions
Local PC Malware
Automatisation in development and testing - within budgetDavid Lukac
Working on client projects with very strict budget and resource restrictions, tight deadlines and pressure, many times does not allow for full blown Test Driven Development, Continuous Delivery and other software engineering goodness we would love to have. We will show you easily accessible and quickly implementable options, that allow you to automate your development and testing process, or at least the most painful parts, without blowing the budget. Finally you can relax during deployments of the code to production! :-)
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertChetan Soni
You have been busy building your website, writing great content, touching people’s life, trying to make money online with your blog and you woke up to find out that your wordpress website has been hacked! And off course, your only option is to search Google for solution.
Table Of Content
The OWASP Top Ten
Invalidated Redirect and Forwards
Security Misconfiguration
Application Fingerprint
Error handling And Logging
Noise
PHP Guidelines
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...JeyaPerumal1
A cellular network, frequently referred to as a mobile network, is a type of communication system that enables wireless communication between mobile devices. The final stage of connectivity is achieved by segmenting the comprehensive service area into several compact zones, each called a cell.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
3. Why this talk?
• A lot of AEM targets are in scope of BBP or VPD
• AEM webapps are usually insecure
• Security misconfigurations (AEM is complex)
• Not installed security updates
• Attract attention to AEM webapps insecurity
• Motivate bug hunters to test AEM webapps
3/124
4. Topics to discuss
• Methodology w/ bug examples
• Automation
• AEM Hacker Toolset – https://github.com/0ang3el/aem-hacker.git
• AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git
• Only known vulnerabilities and techniques are discussed!!!
4/124
11. AEM architecture
• Based on open source projects
• Apache Felix
• Apache Sling
• Apache OAK JCR
https://helpx.adobe.com/experience-manager/using/osgi_getting_started.html
11/124
12. Common AEM deployment
Main blocks:
• Author AEM instance
• Publish AEM instance
• AEM dispatcher (~WAF)
Interacts with Publish server
via AEM Dispatcher!
4503/tcp
4502/tcp
443/tcp
?
12/124
13. AEM dispatcher
• In theory … a front end system offers an extra layer of
security to your Adobe Experience Manager infrastructure
• Often in practice … it’s the only security layer!!!
• Admins rarely keep all components on Publish instance
updated and securely configured!
• Dispatcher bypasses allow to talk to those “insecure”
components on Publish instance
13/124
14. AEM Dispatcher bypasses
• CVE-2016-0957
• Bypasses for “interesting” servlets
• Add multiple slashes
• SSRF
• Other
14/124
22. Add multiple slashes
• ///etc.json instead of /etc.json
• ///bin///querybuilder.json instead of /bin/querybuilder.json
22/124
23. Using SSRF
• We need SSRF in a component that is allowed by AEM
dispatcher policy
• SSRF should allow to send GET request and see response
• Opensocial (Shindig) proxy
• SSRF in ReportingServicesProxyServlet (CVE-2018-12809)
23/124
25. AEM RCE bundle
• AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git
• Has pre-build OSGI bundle for AEM 6.2 or newer
• Allows to get RCE when you have access to Felix Console
• Happens when you guessed admin credentials
25/124
26. AEM RCE bundle, build yourself
mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate
-DarchetypeGroupId=com.adobe.granite.archetypes
-DarchetypeArtifactId=aem-project-archetype
-DarchetypeVersion=11
-DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/
mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate
-DarchetypeGroupId=com.day.jcr.vault
-DarchetypeArtifactId=multimodule-content-package-archetype
-DarchetypeVersion=1.0.2
-DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/
For AEM 6.0 or newer
For AEM 5.6
26/124
29. aem_hacker.py
• Main tool – scans AEM webapp for misconfigurations and
vulnerabilities
• Tries to bypass AEM dispatcher
• You need to run it from VPS to detect SSRFs!
• You need to do extra manual work to detect if findings are
exploitable
29/124
30. aem_hacker.py
python3 aem_hacker.py -h
usage: aem_hacker.py [-h] [-u URL] [--proxy PROXY] [--debug] [--host HOST]
[--port PORT] [--workers WORKERS]
AEM hacker by @0ang3el, see the slides -
https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps
optional arguments:
-h, --help show this help message and exit
-u URL, --url URL url to scan
--proxy PROXY http and https proxy
--debug debug output
--host HOST hostname or IP to use for back connections during SSRF detection
--port PORT opens port for SSRF detection
--workers WORKERS number of parallel workers
30/124
35. aem_discoverer.py
• Allows to scan urls and find AEM webapps among them
• Tries to bypass AEM dispatcher
• Common usage
python3 aem_discoverer.py --file urls.txt --workers 150
35/124
36. aem_discoverer.py
python3 aem_discoverer.py -h
usage: aem_discoverer.py [-h] [--file FILE] [--proxy PROXY] [--debug]
[--workers WORKERS]
AEM discoverer by @0ang3el, see the slides -
https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps
optional arguments:
-h, --help show this help message and exit
--file FILE file with urls
--proxy PROXY http and https proxy
--debug debug output
--workers WORKERS number of parallel workers
36/124
38. aem_enum.py
python3 aem_enum.py -h
usage: aem_enum.py [-h] [--url URL] [--base BASE] [--grabdepth GRABDEPTH]
[--maxdepth MAXDEPTH] [--workers WORKERS] [--out OUT]
[--proxy PROXY] [--debug]
AEM exploration tool by @0ang3el (grabs users and secrets), see the slides -
https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps
optional arguments:
-h, --help show this help message and exit
--url URL AEM webapp URL, required parameter
--base BASE set base node (/etc or /apps or /home or /var), if not set, base node is selected automatically
--grabdepth GRABDEPTH
JCR subtree depth on each iteration, 2 should be a
safe value for all nodes
--maxdepth MAXDEPTH maximum depth for JCR search, increase it to find more
--workers WORKERS number of parallel workers
--out OUT CSV file with results, delimiter symbol is |
--proxy PROXY http and https proxy
--debug debug output
38/124
40. aem_ssrf2rce.py & aem_server.py
• aem_ssrf2rce.py & aem_server.py + response.bin
• Helps to exploit SSRF in SitecatalystServlet or
AutoprovisioningServlet as RCE
• It should work on AEM before AEM-6.2-SP1-CFP7 running on Jetty
• Exploits reverse replication to get RCE after joining topology using
SSRF
40/124
41. aem_ssrf2rce.py
python3 aem_ssrf2rce.py -h
usage: aem_ssrf2rce.py [-h] [--url URL] [--fakeaem FAKEAEM] [--proxy PROXY]
optional arguments:
-h, --help show this help message and exit
--url URL URL for SitecatalystServlet or AutoprovisioningServlet,
including path, without query part
--fakeaem FAKEAEM hostname/ip of fake AEM server
--proxy PROXY http and https proxy
41/124
42. aem_ssrf2rce.py & aem_server.py
• Place aem_server.py and response.bin on your VPS
• Run aem_server.py script
python3 aem_server.py
starting fake AEM server...
running server...
42/124
44. aem_ssrf2rce.py & aem_server.py
• If RCE is possible, you should see incoming connection to your
fake AEM server
• Shell is accessible from
https://aem.webapp/rcenode.html?Vgu9BKV9zdvJNByNh9NB=ls
44/124
45. aem-rce-sling-script.sh
• Allows to get RCE when Felix Console is not available, but you
have permissions to create new nodes under /apps JCR node
• Usage
• Shell is available at https://aem.webapp/rcenode.html?cmd=ls
./aem-rce-sling-script.sh https://aem.webapp username password
45/124
55. What can you do w/ valid creds?
• RCE
• Deface site – create/modify/delete content
• Persistent XSS
55/124
56. How to get valid creds?
• Default credentials
• admin:admin
• author:author
• Bruteforce creds
• properties , , , etc. contain
usernames
• automates usernames grabbing
• AEM supports basic authorization
56/124
57. RCE via credentials of privileged user
Felix Console Sling Scripting
admin:admin
SlingPOSTServlet Other
/system/console/bundles /apps
WebDAV
57/124
58. RCE via credentials of privileged user
Felix Console Sling Scripting
admin:admin
SlingPOSTServlet Other
/system/console/bundles /apps
Upload AEM RCE OSGI bundle
WebDAVhttps://github.com/0ang3el/aem-rce-bundle.git
58/124
61. RCE via credentials of privileged user
Felix Console Sling Scripting
admin:admin
SlingPOSTServlet Other
/system/console/bundles /apps
Upload JSP script to /apps
WebDAV
https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html
aem-rce-sling-script.sh
61/124
62. RCE via credentials of privileged user
Felix Console Sling Scripting
admin:admin
SlingPOSTServlet Other
/system/console/bundles /apps
Upload JSP script to /apps
WebDAV
cadaver https://aem.webapp/crx/repository/crx.default
https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html
62/124
68. Non-privileged user
SlingPOSTServlet WebDAV
Find node with weak ACL
Other
CRXDE Lite
hasPermission predicate of Querybuilder
https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html#hasPermission
68/124
69. Anonymous user
SlingPOSTServlet WebDAV
Find node with weak ACL
Other
CRXDE Lite
/content/usergenerated
/content/usergenerated/etc/commerce/smartlists
hasPermission predicate of Querybuilder
Anonymous usually has jcr:write permission for node
Anonymous usually has jcr:addChildNode permission for node
69/124
70. Tricks to get persistent XSS
• SVG in property value
• create property with SVG content
• add /a.svg to the URL
• HTML in property value
• create property with HTML content and name aaa.html
• jcr:data and jcr:mimeType (upload file)
• Other
70/124
84. DefaultGetServlet - How to grab
• Get node names, start from
• /.1.json
• /.ext.json
• /.childrenlist.json
• Or guess node names:
• Common names - /content, /home, /var, /etc
• Dump props for each child node of
• /etc.json or /etc.5.json or /etc.-1.json
84/124
85. DefaultGetServlet – What to grab
• Interesting nodes
• /etc – may contain secrets (passwords, enc. keys, …)
• /apps/system/config or /apps/<smth>/config (passwords, …)
• /var – may contain private information (PII)
• /home – password hashes, PII
• Interesting props – contain AEM users names
• jcr:createdBy
• jcr:lastModifiedBy
• cq:LastModifiedBy
85/124
86. DefaultGetServlet – In the wild
/apps/<redacted>/config.author.tidy.1..json/a.ico
86/124
87. DefaultGetServlet – In the wild
/etc/ocs/libs/puppet/bootstrap/etc/ssl/private/ocs-x509-client-key.pem/jcr:content/jcr:data.tidy.-1…json/b.gif
87/124
88. QueryBuilder servlets
• We can search JCR using different predicates
• https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-
predicate-reference.html
• QueryBuilderJsonServlet allows to get Nodes and their Props
• /bin/querybuilder.json
• QueryBuilderFeedServlet allows to get Nodes (no Props)
• /bin/querybuilder.feed.servlet
• we can use blind binary search for Props
88/124
95. Opensocial (Shindig) proxy
• SSRF via Opensocial (Shindig) proxy
•
•
• Allows to send GET request to an arbitrary URL and see response
• Suitable for
• Ex-filtrate secrets from internal network services
• Bypass AEM dispatcher and ex-filtrate secrets from JCR
• Reflected XSS
95/124
97. ReportingServicesProxyServlet
• SSRF via ReportingServicesProxyServlet (CVE-2018-12809)
•
•
• Allows to send GET request to an arbitrary URL and see response
• Suitable for
• Ex-filtrate secrets from internal network services
• Bypass AEM dispatcher and ex-filtrate secrets from JCR
• Reflected XSS
97/124
100. SalesforceSecretServlet 100/124
• SSRF via SalesforceSecretServlet (CVE-2018-5006)
•
• Allows to send POST request to an arbitrary URL and see response
• Suitable for
• Ex-filtrate secrets from some internal network services
• POST ≡ GET
• Reflected XSS
103. SiteCatalystServlet
• SSRF via SiteCatalystServlet
•
•
• Allows to send POST request to an arbitrary URL blindly, allows to send
arbitrary headers (CRLF injection)
• Suitable for
• Access internal network services (hard in blackbox scenario)
• RCE (requires specific AEM version and appserver)
103/124
105. AutoProvisioningServlet
• SSRF via AutoProvisioningServlet
•
• Allows to send POST request to an arbitrary URL blindly, allows to send
arbitrary headers (CRLF injection)
• Suitable for
• Access internal network services (hard in blackbox scenario)
• RCE (requires specific AEM version and appserver)
105/124
107. SSRF >>> RCE
• It’s possible to escalate SSRFs in SiteCatalystServlet and
AutoProvisioningServlet to RCE on Publish server
• Requirements
• AEM 6.2 before AEM-6.2-SP1-CFP7 fix pack
• Jetty appserver (default installation)
107/124
113. XXE via WebDAV
• Old bug, CVE-2015-1833
• It’s possible to read local files with PROPFIND/PROPPATCH
• https://www.slideshare.net/0ang3el/what-should-a-hacker-know-about-webdav
113/124
114. Check WebDAV support
• Send request
• header in response contain webdav-related methods
• Navigate to
• 401 HTTP and WWW-Authenticate: Basic realm="Adobe CRX WebDAV"
114/124