Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Query JCR role via QueryBuilder Servlet

By kannthu

Informative
Vidoc logoVidoc Module
#aem
Description

What is the "Query JCR role via QueryBuilder Servlet?" module?

The "Query JCR role via QueryBuilder Servlet" module is a test case designed to detect misconfigurations or vulnerabilities in the Adobe Experience Manager (AEM) software. It targets the JCR (Java Content Repository) role by querying the JCR via the QueryBuilder Servlet. This module has an informative severity level and was authored by DhiyaneshDk.

Impact

This module aims to identify potential security issues related to the JCR role in AEM. If misconfigurations or vulnerabilities are found, unauthorized access or manipulation of sensitive data may be possible.

How does the module work?

The module sends an HTTP request to the QueryBuilder Servlet, using the GET method and specific parameters. Here is an example of the request:

GET /bin/querybuilder.json.;%0aa.css?p.hits=full&property=rep:authorizableId&type=rep:User HTTP/1.1
Host: {%Hostname%}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

The module then applies matching conditions to the response to determine if the JCR role is accessible. The matching conditions include:

- The HTTP response status must be 200. - The response body must contain the words "success":true and "jcr:uuid".

If all matching conditions are met, the module reports a potential vulnerability or misconfiguration related to the JCR role in AEM.

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
status: 200and
word: "success":true, jcr:uuid
Passive global matcher
No matching conditions.
On match action
Report vulnerability