Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

AEM DefaultGetServlet

By kannthu

Low
Vidoc logoVidoc Module
#aem#adobe
Description

What is the "AEM DefaultGetServlet?"

The "AEM DefaultGetServlet" module is designed to detect potential misconfigurations or vulnerabilities in Adobe Experience Manager (AEM) web applications. It targets the AEM DefaultGetServlet, a built-in servlet that handles GET requests in AEM.

This module has a severity level of low, indicating that the detected issues may have a limited impact on the security of the application.

This module was authored by DhiyaneshDk.

Impact

The "AEM DefaultGetServlet" module aims to identify potential exposure of sensitive information through the AEM DefaultGetServlet. If misconfigured or vulnerable, this servlet could potentially leak sensitive data, posing a risk to the confidentiality of the application.

How the module works?

The "AEM DefaultGetServlet" module performs a series of HTTP requests to various paths within the AEM application. It then applies matching conditions to determine if the responses indicate a potential misconfiguration or vulnerability.

One example of an HTTP request sent by this module is a GET request to the path "/etc.json". This request is used to check if the AEM DefaultGetServlet responds with a status code of 200 and contains the word "jcr:createdBy" in the response body.

The matching conditions used by this module include checking the status code and searching for specific words in the response body. These conditions help identify potential issues related to the AEM DefaultGetServlet.

For more information, you can refer to the following resources:

- Speakerdeck - Hunting for Security Bugs in AEM Webapps - GitHub - Burp AEM Scanner

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/etc/var/apps(+61 paths)
Matching conditions
status: 200and
word: jcr:createdBy
Passive global matcher
No matching conditions.
On match action
Report vulnerability