Monday 6 April 2020

Common security vulnerabilities identified as part of AEM projects

When ever an AEM project goes Live, there are set of scans happens to ensure that the website adheres to set of security & performance guidelines.
The security/ penetration tests usually gets scheduled few days ahead of any AEM go live. Below given the set of issues identified as part of AEM websites normally.

Horizontal Privilege Escalation Vulnerability   

Usually by horizontal privilege escalation, hackers remain on the same general user privilege level but gains access data of other accounts or processes that should be unavailable to the current account or process.

Host Header Injection Vulnerability   

Normally a header is used by a web server to decide which website should process the received HTTP request. Whenever many websites are hosted on the same IP address, webserver uses the value of this header to forward the HTTP request to the correct website for processing. This poses as a vulnerability.

Email Flooding Attack   

In general, sending large volumes of email to an email address so that the mail box gets overflowed, overwhelm the server where the email address is hosted in a denial-of-service attack. Thus a wrong impression screen to distract the attention from important email messages indicating a security breach.

HTML Injection Vulnerability   

HTML injection generally occurs when the vulnerability inside any website that occurs when the user input is not correctly sanitized or the output is not encoded and the attacker is able to inject valid HTML code into a vulnerable web page. If these methods are provided with un trusted input, then there is a high risk of XSS, specifically an HTML injection issues. If strings are not correctly sanitized the problem could lead to XSS based HTML injection.

Session Replay Attack   

This kind of attacks, known as playback attacks or replay attacks, are network attacks that maliciously repeat or delay a valid data transmission. A hacker can do this by intercepting a session and stealing a user’s unique session ID. Now, the hacker is able to behave himself or herself as an authorized user on site, and will be granted full access to do anything that the authorized user can do on a website.

Stored XSS via File Upload Vulnerability

    Such scripts are possibly vulnerable to XSS (Cross-site scripting). The web application allows file upload of any type & was able to upload a file containing HTML content or various file extensions. When HTML files are allowed, XSS payload can be injected in the file uploaded.

Web Server Banner Disclosure   

When we are running a web server, it often shows the others what type of server it is, its version number, and the operating system. This information is available in header fields and can be acquired using a web browser to make a simple HTTP request to any web application. It is often called the web server banner

Concurrent Logins Allowed    

Parallel logins. Interactive logins at desktops and laptops, a system administrator cannot therefore prevent a given user from going up to one computer, logging on there, letting somebody work as him or just leaving the computer unattended, and then walking up to another computer and logging on there. This causes data leak.

Email Harvesting   

A process of obtaining large number of e-mail addresses through various online sources like website hacking. They obtain list of emails, either by purchase or theft, of valid email address for the purpose of sending bulk emails or Spam.

Vulnerable JQuery version in use   
Old version of Jquerys causes a threat to the websites.

Content Spoofing Vulnerability  

Content Spoofing or Content Injection is one of the common web security vulnerability. It allows end user of the vulnerable web application to spoof or modify the actual content on the web page. The user might use the security loop holes in the website to inject the content that they wish to the target website. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user.

Missing Secure and "Http Only" Flag from cookie   

This is an additional flag included in a Set-Cookie HTTP response header. If supported by the browser, using the HttpOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie. If a browser that supports HttpOnly detects a cookie containing the HttpOnly flag, and client side script code attempts to read the cookie, the browser returns an empty string as the result. This causes the attack to fail by preventing the malicious (usually XSS) code from sending the data to an attacker's web

[Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]]

Cookie Path Set to Root  

Many of the browsers don’t allow to set cookie at root level. set the cookie path attribute to application defined folder

SameSite Cookie Attribute Not Set   

The 'SameSite' attribute tells browsers when and how to fire cookies in first- or third-party situations. This attribute is used by a variety of browsers to identify whether or not to allow a cookie to be accessed.

Improper Error/Exception Handling Vulnerability   

Improper error handling arises when security mechanisms fail to deny access until it is specifically granted. This may occur as a result of a mismatch in policy and coding practice. It may also result from code that lacks appropriate error handling logic. For example, a system may grant access until it's denied (deny all, then allow individually).

Improper Session Management    The issue is because session tokens are not handled in proper way. While some of it might be intentional, enough care should be taken to add some kind of validation for the user. Because of the way mobile applications are used, many developers allow long or non-expiring user sessions, or use session tokens that are too predictable.

Session Timeout is not set Properly   

As a standard process, application should invalidate a session after a predefined idle time has passed (a timeout) and provide users the means to invalidate their own sessions, (logout). These simple measures help to keep the lifespan of a session ID as short as possible.  To protect against Insufficient Session Expiration attacks, the logout function should be easily visible to the user, explicitly invalidate a user’s session, and disallow reuse of the session token.

Missing Security Headers   

Security HTTP headers are a fundamental part of website security. Once implemented, they protect against the types of attacks that a site is most likely to come across. These headers protect against XSS, code injection, clickjacking, etc.

There are third party services to enable the security scan. A through scan and identify and fix all the major critical items should be a must included item in any AEM project delivery.

Tuesday 5 November 2019

Composum with AEM

What is Composum?

Composum is an Open-Source project based on Apache Sling, which is a set of useful tools and a
framework to work with Apache Sling framework easily

Modules of Composum: Nodes, Pages, Assets, Platform

Composum Platform:
This is the central services to set up an Apache Sling based application platform

Composum Pages:
Pages provides the content management feature of the Composum platform

Composum Assets:
This is the image asset management feature of the Composum

Composum Nodes:
Resource/JCR development tool with core API for all Composum modules.

Use case with AEM: Composum helps to create a diagram representation of the OSGI service dependencies

Demo video can be found here - Composum with AEM

Thursday 10 October 2019

Stress test the AEM capability using Tough day 2

What is 'Tough day 2'?
In real scenarios we need to stress test the AEM to find out its limits. Tough day 2 is a tool provided by Adobe to stress test AEM instances.
It has default test suite or can be customized as per needs to run various stress tests in AEM.

How do we get the Tough Day 2 Application?

We can get it from Adobe Repository

How to run the Tough Day 2?

We need to run the Tough Day 2 jar using below command; where localhost is the host where AEM is running.

java -jar toughday2.jar --host=localhost

How to get help?
To enable the Help, run Tough day 2 using below command,
java -jar toughday2.jar --help_full

What are the default test options available for Tough day 2?

Some of the default cases are given below,
1) Getting the Home page
2) Triggering the queries in Query builder
3) Delete the assets from DAM
4) Create pages
5) Create live copies and run roll outs

Can we customize Tough Day 2?
Yes as mentioned previously, we have complete customization option here. We can do it by either providing command line parameters or yaml configurations. Command line has the highest priority, which means, it can override the configuration files or default parameters.
Configuration files has the second priority, which can override the default configurations.
Remember this, configuration files are used for large custom suites to make it easier.

What are all the various run modes available in Tough Day 2?

1) Normal: This generates constant number of threads. It has 2 params
    a) Concurrency
    b) waittime

2) Constant Load:This generates constant number of started test executions.

How do we analyze Test Day 2 Output?

The output of Test Day 2 consists of logs and test metrics(9 of them).

Test Metrics
The test metrics are available in CSV (CSVPublisher), and in console (ConsolePublisher ) form.
The logs are also created under same folder of Tough Day 2 installation.
2 Files are created,
  a) generic(toughday.log)- all generic & global messages
  b) custom(toughday_<testname>.log) - related to our specific test

Do we need load test in AEM Authoring instance?

In usual scenarios, the Author performance has been less of a problem in most cases. But the number of concurrent users and the size of the assets are the biggest factors in sizing the author. The general practice is load-test content authoring workloads only when a) number of content authors is high (>50) AND b) they use AEM ASSETS.

Load test is done using Tools like JMeter(Author/Publish instance in our Jenkins pipeline), LoadRunner etc. Recommendation is always to test with production size content! AEM author will not have less number of pages w.r.t production( For e.g. 10 pages vs 100.000+ pages are a big change to compare)

The test suite comprise of 85% read and 15% write. When we install and run Tough Day 2, it installs all the content packages, which can be avoided by passing parameters while load run.
The parameters list can be found here for AEM 6.5

Since Tough Day 2 once run cannot clean up the things from AEM by itself, it is always recommended to run Tough day on a cloned AEM instance.

Monday 26 August 2019

Locally compile 3rd party bundles which are not available in public repository.

Some times I have seen, we may need some of the bundles latest version which are available in AEM but same version is not available in maven public repository or Adobe nexus repository. Here we will see how to get the bundle locally and compile it.

First Step -
if the third party bundle is in your local AEM server,

Getting bundle from AEM and install it in our local maven repository-

When you notice a bundle is available in AEM servers system >console >bundle, the AEM installed folder will have the same bundle in disk.

First of all you identify the bundle id from AEM system console as shown below.

Click on image to see it big

To find the same bundle in local disk, go to
AEM Installed folder\crx-quickstart\launchpad\felix\bundle<id>)

Click on image to see it big

Now copy this bundle to a location (for e.g C:)

Second Step: Next step is installing it in our local maven repository. Open the command prompt in c:

The syntax for installing the bundle in local repository is
mvn install:install-file -Dfile=<path-to-file> -DgroupId=<group-id> -DartifactId=<artifact-id> -Dversion=<version> -Dpackaging=<packaging>

Actual command used:
mvn install:install-file -Dfile=bundle.jar -DgroupId=org.apache.jackrabbit -DartifactId=jackrabbit-api -Dversion=2.18.0 -Dpackaging=jar

Now you will have the dependency bundle in your local maven repsotory and your code will compile without issues.

Tuesday 16 July 2019

AEM with GraphQL

In this post we will analyze the ways we can use AEM with GraphQL and the advantages.

GraphQL is becoming a trend setting tool to query the response now. There are some cons with traditional way of using API calls.

The difference between GraphQL and API

Usually an API response dumps all the information passed from the third party back-end. But when we use GraphQL we can just query only the required relevant there by the data transfer load is less.

AEM as back-end with GraphQL:
Here AEM Content will be exposed as an API using content/ assets API and GraphQL queries the response and send the relevant response to any third party application like REACT or Angular.

Sample use case:
In my test scenario, I had created a content fragment in AEM and exposed over an http API. I have a GraphQL layer deployed on a stand alone Node JS and this GraphQL queries the Content Fragment API for relevant information. This data was then send to REACT application for display purpose.

AEM for content display from third party system:

In this case GraphQL queries any third party system and send the relevant information to AEM.
Sample use case: I have a Facebook API to retrieve a set of information from Facebook and it was then filtered through GraphQL and then send to AEM.

What Next?
I will come up with GraphQL Setup +  AEM Integration with GraphQL in my upcoming tutorials. Keep watching this page for more.

Thursday 20 June 2019

Use of Media Handlers with AEM workflows to process Assets

In AEM projects, there are cases we may need to create pdf or png form of an html page for preview purpose. Media Handlers are a good help here. By using Media Handlers  we can process the AEM assets easily. Once configured, during asset uploads, the asset gets processed using either AEM provided handlers or command line tools.

Click on image to see it big

What is media Handlers?
They are services internal to AEM Assets that perform specific actions on assets. They work hand in hand with Workflows. The Media Handlers extract all available metadata from an asset; it has also capability of creating a thumbnail image.

Enable/ Disable

By default all the available Media Handlers are enabled. To disable them , just click on the disable button.

Go to http://localhost:4502/system/console/components to see all media handlers.

Some of the examples could be TextHandler, JpegHandler, PdfHandler etc

Read More about how to configure Media Handlers :

Below given two articles which shows how to generate image and PDF of a webpage.

AEM 6.5 - Generate Image of HTML files uploaded to DAM

AEM 6.5 - Workflow step to generate PDF of Sites page during Activation (Publish)

More Like This:

AEM 6.5 Site related new features

AEM 6.5 Specific new features in Assets section

New Features in AEM 6.5 Forms

Foundation updates in AEM 6.5 which a developer should be aware of

Cloud Manager for AEM 6.5 New features

Storage concepts in AEM 6.5   

HTML Template language updates which needs to be observed with AEM 6.5

Saturday 8 June 2019

What is Configuration Browser in AEM?

Developers follow the approach given by Adobe to work with Editable Templates, ContextHubs and Content Fragments. But many are not sure the reason behind why there needs to be configuration browser for AEM.

We have given a video explaining what is configuration browser, why it is required and if we dont create / configure it how it affects the AEM Site.

More Like This:

AEM 6.5 Site related new features

AEM 6.5 Specific new features in Assets section

New Features in AEM 6.5 Forms

Foundation updates in AEM 6.5 which a developer should be aware of

Cloud Manager for AEM 6.5 New features

Storage concepts in AEM 6.5   

HTML Template language updates which needs to be observed with AEM 6.5