Scan modes
There are 4 scan modes right now:
- Single URL
- Root Domain
- Directory Bruteforce
- Template Scan
We are currently planning to add more scan modes down the track.
Tools used
Here’s a detailed explanation of each component’s role in an AEM attack surface management platform:

1. Web Crawler or Spider:
- Function: Systematically explores and maps all online assets connected to your AEM environment.
- Process:
  - Starts with known entry points (main AEM site URL).
  - Follows links to discover deeper sections, including internal, external, and API-related links.
  - Employs techniques like parameter fuzzing and sitemap analysis to uncover hidden pages.
  - Builds a map of the entire AEM attack surface with details like page content, server responses, and potential vulnerabilities.

2. AEM Detector:
- Function: Identifies whether discovered assets are running AEM and their specific versions.
- Process:
  - Analyzes HTML content, server headers, and JavaScript files for AEM-specific patterns.
  - Sends crafted requests to trigger characteristic AEM responses.
  - Uses known version-specific fingerprints to determine the exact AEM version in use.
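The passive half of the detection step, as an added example that is not the platform's own code: one already-fetched response is scored against path conventions that AEM-rendered pages commonly reference, and a fetched static asset is mapped to a version by hash. The indicator weights, the threshold, both sample pages and the whole version fingerprint table (asset bytes and version labels) are constructed for this example; a real table is built from known installations.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Illustrative indicators: URL path conventions that AEM-rendered pages commonly
# reference. The weights and the threshold below are assumptions of this example,
# not a published scoring scheme.
HTML_INDICATORS: Dict[str, int] = {
    r"/etc\.clientlibs/": 3,   # client library proxy path
    r"/etc/clientlibs/": 3,    # legacy client library path
    r"/libs/granite/": 2,      # Granite UI libraries
    r"/content/dam/": 2,       # DAM asset references
    r"[?&]wcmmode=": 1,        # WCM mode query parameter
}
LIKELY_THRESHOLD = 4


def detect_aem(headers: Dict[str, str], body: str) -> Dict[str, object]:
    """Passively score one HTTP response (already fetched) for AEM indicators.

    Each indicator counts once however often it appears, so a page with many
    DAM images does not outscore one with a single strong clientlib reference.
    """
    matched: List[str] = []
    score = 0
    for pattern, weight in HTML_INDICATORS.items():
        if re.search(pattern, body):
            matched.append(pattern)
            score += weight
    # Header hints are weak on their own because AEM is normally fronted by a
    # dispatcher or CDN; the Server header is only recorded for the report.
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    return {
        "likely_aem": score >= LIKELY_THRESHOLD,
        "score": score,
        "indicators": matched,
        "server_header": server,
    }


# Constructed fingerprint table: SHA-256 of a version-specific static asset mapped
# to the version that ships it. These asset bytes and labels are placeholders.
_ASSET_BUILD_A = b"/* constructed sample asset, build A */"
_ASSET_BUILD_B = b"/* constructed sample asset, build B */"
VERSION_FINGERPRINTS: Dict[str, str] = {
    hashlib.sha256(_ASSET_BUILD_A).hexdigest(): "PLACEHOLDER-VERSION-A",
    hashlib.sha256(_ASSET_BUILD_B).hexdigest(): "PLACEHOLDER-VERSION-B",
}


def version_from_asset(asset: bytes,
                       table: Dict[str, str] = VERSION_FINGERPRINTS) -> Optional[str]:
    """Map the hash of a fetched static asset to a version label, or None if unknown."""
    return table.get(hashlib.sha256(asset).hexdigest())


# Constructed sample responses (not captured from a real site).
SAMPLE_AEM_PAGE = """<html><head>
<link rel="stylesheet" href="/etc.clientlibs/site/clientlibs/base.css">
</head><body><img src="/content/dam/site/hero.jpg"></body></html>"""
SAMPLE_OTHER_PAGE = "<html><body><img src='/static/img/hero.jpg'></body></html>"

if __name__ == "__main__":
    print(detect_aem({"Server": "Apache"}, SAMPLE_AEM_PAGE))
    print(detect_aem({}, SAMPLE_OTHER_PAGE))
    print(version_from_asset(_ASSET_BUILD_A))
```

Scoring on presence rather than occurrence count keeps a single heavy asset page from dominating, and hash-based version lookup is exact but brittle: an unknown hash means "not in the table", not "not AEM", so it should only refine a host the scorer already flagged.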
3.
- Function: Tests discovered assets for vulnerabilities or misconfigurations by sending various HTTP requests.
- Process:
  - Sends probes with different headers, methods (GET, POST, PUT, etc.), and parameters.
  - Analyzes responses for error messages, server information leaks, or unexpected behaviors that could indicate vulnerabilities.

4.
- Function: Discovers all subdomains associated with your primary domain that might be running AEM.
- Process:
  - Leverages DNS queries, certificate transparency logs, and search engine results to identify subdomains.
  - Cross-references results with known AEM patterns and runs the AEM detector on identified subdomains.
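The certificate transparency part of subdomain discovery, as an added example rather than code from the platform: records in the shape of a crt.sh JSON export (newline-separated SAN names in a `name_value` field) are reduced to the set of hostnames under the root domain. All hostnames are constructed placeholders; the suffix-matching and wildcard handling are the point.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed certificate-transparency records in the shape of a crt.sh JSON
# export: one entry per certificate, newline-separated SAN names in "name_value".
# Every hostname here is a placeholder, not observed data.
SAMPLE_CT_ENTRIES: List[Dict[str, str]] = [
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.example.com"},                            # wildcard: no concrete host
    {"name_value": "Dev.Example.COM."},                         # mixed case, trailing dot
    {"name_value": "aem-author.example.com\nwww.example.com"},  # duplicate SAN
    {"name_value": "example.com.evil-lookalike.net"},           # not under the root
    {"name_value": "notexample.com"},                           # suffix trap
]


def normalize_host(name: str) -> str:
    """Lower-case, trim whitespace and drop a trailing dot so duplicates collapse."""
    return name.strip().lower().rstrip(".")


def subdomains_from_ct(entries: Iterable[Dict[str, str]],
                       root: str) -> Tuple[Set[str], Set[str]]:
    """Return (hosts, wildcards) under `root` from CT records.

    Matching is label-aware: a name is kept only if it equals the root or ends
    with "." + root, so "notexample.com" and "example.com.evil-lookalike.net"
    are rejected. Wildcards are reported separately because they prove a
    certificate was issued, not that any particular host exists.
    """
    root = normalize_host(root)
    hosts: Set[str] = set()
    wildcards: Set[str] = set()
    for entry in entries:
        for raw in entry.get("name_value", "").split("\n"):
            host = normalize_host(raw)
            if not host:
                continue
            if host != root and not host.endswith("." + root):
                continue
            if host.startswith("*."):
                wildcards.add(host)
            else:
                hosts.add(host)
    return hosts, wildcards


if __name__ == "__main__":
    found, wild = subdomains_from_ct(SAMPLE_CT_ENTRIES, "example.com")
    print(sorted(found))
    print(sorted(wild))
```

CT entries are historical, so each hostname still needs a DNS resolution step before it is handed to the AEM detector; a name that no longer resolves is still worth keeping in the inventory, since dangling records are themselves an attack-surface finding.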
5.
- Function: Attempts to access hidden or sensitive AEM directories not readily apparent through crawling.
- Process:
  - Uses wordlists of common AEM directory names and file paths.
  - Sends requests to each potential path and analyzes responses for success or failure.
  - Identifies unauthorized content or configuration files that could be exploited.

6.
- Function: Scans identified AEM instances for known vulnerabilities based on CVE databases, exploit research, and vendor advisories.
- Process:
  - Matches detected AEM versions with known vulnerabilities.
  - Attempts to exploit vulnerabilities to confirm their presence and exploitability.
  - Prioritizes vulnerabilities based on severity and potential impact.
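The version-matching and prioritization steps, as an added example and not the platform's code: a detected dotted version is compared against half-open affected ranges from an advisory table and the hits are ordered by severity. The advisory IDs, version ranges and CVSS scores are constructed placeholders; a real table is populated from CVE databases and vendor advisories.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str, width: int = 4) -> Version:
    """Parse a dotted version such as "6.5.10.0" into a comparable tuple.

    Shorter strings are right-padded with zeros so "6.5" compares equal to
    "6.5.0.0"; anything non-numeric is rejected rather than guessed at.
    """
    parts = text.strip().split(".")
    if len(parts) > width or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (width - len(nums))


# Constructed advisory table. IDs, ranges and scores are placeholders, not real
# advisories. Ranges are half-open: affected_from <= version < fixed_in.
ADVISORIES: List[Dict[str, object]] = [
    {"id": "ADV-PLACEHOLDER-A", "affected_from": "6.5.0.0", "fixed_in": "6.5.12.0", "cvss": 9.8},
    {"id": "ADV-PLACEHOLDER-B", "affected_from": "6.5.0.0", "fixed_in": "6.5.8.0", "cvss": 7.5},
    {"id": "ADV-PLACEHOLDER-C", "affected_from": "6.4.0.0", "fixed_in": "6.5.11.0", "cvss": 5.3},
]


def match_advisories(detected: str,
                     advisories: List[Dict[str, object]] = ADVISORIES) -> List[Dict[str, object]]:
    """Return advisories whose range covers `detected`, highest CVSS first.

    A host on exactly the fixed version is not flagged because the upper bound
    is exclusive; ties on CVSS fall back to advisory id for a stable order.
    """
    v = parse_version(detected)
    hits = [
        a for a in advisories
        if parse_version(str(a["affected_from"])) <= v < parse_version(str(a["fixed_in"]))
    ]
    return sorted(hits, key=lambda a: (-float(a["cvss"]), str(a["id"])))


if __name__ == "__main__":
    for adv in match_advisories("6.5.10.0"):
        print(adv["id"], adv["cvss"])
```

Version-based matching produces candidates, not confirmed findings: a fix that was backported or applied as a hotfix leaves the reported version unchanged, so the candidate list should be treated as a prioritized worklist for the confirmation step rather than as results in itself.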
7.
- Function: Detects potential zero-day vulnerabilities (unpatched, unknown) using pre-defined attack patterns.
- Process:
  - Employs templates for common AEM vulnerabilities, such as SQL injection or cross-site scripting.
  - Automatically sends crafted probes to test for vulnerabilities based on these templates.
  - Flags potential 0days for further investigation and prioritization.