Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Adobe Experience Manager - Cross-Site Scripting

By kannthu

High
Vidoc logoVidoc Module
#xss#aem#adobe
Description

What is "Adobe Experience Manager - Cross-Site Scripting?"

The "Adobe Experience Manager - Cross-Site Scripting" module is designed to detect a cross-site scripting vulnerability in Adobe Experience Manager (AEM). AEM is a content management system that allows users to create, manage, and deliver digital experiences across various channels.

This module focuses on the severity of the vulnerability, which is classified as high. It is important to address this vulnerability promptly to prevent potential attacks.

This module was authored by dhiyaneshDk.

Impact

A cross-site scripting vulnerability in AEM can allow attackers to inject malicious scripts into web pages viewed by users. This can lead to various security risks, such as unauthorized access to sensitive information, session hijacking, and defacement of websites.

It is crucial to address this vulnerability to protect the integrity and security of the AEM platform and the websites it powers.

How does the module work?

The "Adobe Experience Manager - Cross-Site Scripting" module works by sending HTTP requests to the AEM platform and analyzing the responses for specific conditions.

One example of an HTTP request used by this module is:

GET /etc/designs/xh1x.childrenlist.json//<svg onload=alert(document.domain)>.html

This request targets the "xh1x.childrenlist.json" file and includes a payload that triggers a cross-site scripting vulnerability.

The module uses matching conditions to identify if the vulnerability is present. The conditions include:

- The presence of the payload "<svg onload=alert(document.domain)>" and the partial path "/etc/designs/xh1x.childrenlist.json" in the response. - The response header containing the word "text/html". - The response status code being 200.

By analyzing the responses based on these conditions, the module can determine if the cross-site scripting vulnerability exists in the AEM platform.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/etc/designs/xh1x.ch...
Matching conditions
word: <svg onload=alert(document.domain)>, {"p...and
word: text/htmland
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability