AEM - How can we prevent blind XPath injection in an AEM Page??

Question

https://domainname.html/search=true%27%20or%20true()%20or%20%27and%27%20%3D%20%27and
 
https://domainname.html/search=true%27%20and%20false()%20and%20%27or%27%20%3D%20%27and

arunpatidar · Accepted Answer

Hi @maryani
I am not 100% sure but by design XPATH and other SQL injection are prevented

https://jackrabbit.apache.org/archive/wiki/JCR/EncodingAndEscaping_115513396.html

https://experienceleague.adobe.com/docs/experience-cloud-kcs/kbarticles/KA-20135.html?lang=en

DPrakashRaj · Answer

If it’s a publisher you can bock all the suffix from dispatcher by adding rule in filter section

# Block use of all suffixes on any resource in /content
/0160 { /type "deny" /url "/content*" /suffix "*" }

# Suffix patterns which are needed on the server side can be added in an allow list manner
/0161 { /type "allow" /url "/content/we-retail/us/en/equipment/*" /suffix "/content/we-retail/*" /method "GET" }

Rule 0160 is for blocking the suffix request from by passing the dispatcher and hitting your aem publisher

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded