AEM QueryBuilder Json Servlet

By kannthu

Informative
Vidoc Module
#aem #adobe
Description

AEM QueryBuilder Json Servlet

This module targets the AEM (Adobe Experience Manager) QueryBuilder Json Servlet, which is a part of the Adobe Experience Manager software. It is designed to detect sensitive information exposure vulnerabilities in the servlet.

Severity: Informative

What is the "AEM QueryBuilder Json Servlet"?

The AEM QueryBuilder Json Servlet is a component of the Adobe Experience Manager (AEM) software. It is responsible for handling JSON-based queries to the AEM QueryBuilder API. This module focuses on detecting vulnerabilities related to sensitive information exposure in the servlet.

Impact

The vulnerabilities detected by this module can potentially lead to the exposure of sensitive information, including confidential data, user credentials, or other data stored within the AEM system.

How does the module work?

The module works by sending HTTP requests to various endpoints associated with the AEM QueryBuilder Json Servlet. It then applies matching conditions to determine if the responses indicate the presence of vulnerabilities.

Example HTTP request:

GET /bin/querybuilder.json

The module uses the following matching conditions:

- Status: The response status code must be 200.
- Content-Type: The response must have the header "Content-Type" with the value "application/json".
- Keywords: The response body must contain the keywords "success" and "results".

If all the matching conditions are met, the module reports a potential vulnerability related to sensitive information exposure in the AEM QueryBuilder Json Servlet.
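The matching conditions above, written out as an added example (not Vidoc's module code) and run over constructed responses. `structural_match` is an assumed stricter check, not part of the module, that shows where the keyword match alone would also fire on unrelated JSON.

```python
import json

# Keywords the module description lists for the response body.
KEYWORDS = ("success", "results")


def module_match(status, headers, body):
    """Apply the three matching conditions as the page describes them."""
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":  # header names are case-insensitive
            ctype = value.lower()
    return (
        status == 200
        and "application/json" in ctype  # word match, so "; charset=..." still passes
        and all(k in body for k in KEYWORDS)
    )


def structural_match(status, headers, body):
    """Assumed stricter check: body must be a JSON object with both keys."""
    if not module_match(status, headers, body):
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and all(k in doc for k in KEYWORDS)


# Constructed sample responses (not captured from any real system).
SAMPLES = {
    "servlet_exposed": (200, {"Content-Type": "application/json;charset=utf-8"},
                        '{"success":true,"results":0,"total":0,"hits":[]}'),
    "blocked": (404, {"Content-Type": "text/html"}, "Not Found"),
    "login_page": (200, {"Content-Type": "text/html"},
                   "<html>Sign in for best results and success</html>"),
    "unrelated_json": (200, {"content-type": "application/json"},
                       '{"message":"no results; success rate unknown"}'),
}


def classify(samples=SAMPLES):
    return {name: (module_match(*r), structural_match(*r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (kw, strict) in classify().items():
        print(f"{name:16} keyword_match={kw!s:5} structural_match={strict}")
```

A finding where the two results differ is worth a manual look before it is triaged as an exposed servlet.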

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /bin/querybuilder.js... /bin/querybuilder.js... ///bin///querybuilde... (+5 paths)
Matching conditions
status: 200 and
word: application/json and
word: success, results
Passive global matcher
No matching conditions.
On match action
Report vulnerability