Vulnerability Scanning
Learn how to run your first scan
Scan modes
There are currently four scan modes:
- Single URL
- Root Domain
- Directory Bruteforce
- Template Scan
Tools used
Here’s a detailed explanation of each component’s role in an AEM attack surface management platform:
1. Web Crawler or Spider:
- Function: Systematically explores and maps all online assets connected to your AEM environment.
- Process:
- Starts with known entry points (main AEM site URL).
- Follows links to discover deeper sections, including internal, external, and API-related links.
- Employs techniques like parameter fuzzing and sitemap analysis to uncover hidden pages.
- Builds a map of the entire AEM attack surface with details like page content, server responses, and potential vulnerabilities.
2. AEM Detector:
- Function: Identifies whether discovered assets are running AEM and their specific versions.
- Process:
- Analyzes HTML content, server headers, and JavaScript files for AEM-specific patterns.
- Sends crafted requests to trigger characteristic AEM responses.
- Uses known version-specific fingerprints to determine the exact AEM version in use.
3. HTTP Prober:
- Function: Tests discovered assets for vulnerabilities or misconfigurations by sending various HTTP requests.
- Process:
- Sends probes with different headers, methods (GET, POST, PUT, etc.), and parameters.
- Analyzes responses for error messages, server information leaks, or unexpected behaviors that could indicate vulnerabilities.
4. Subdomain Enumeration:
- Function: Discovers all subdomains associated with your primary domain that might be running AEM.
- Process:
- Leverages DNS queries, certificate transparency logs, and search engine results to identify subdomains.
- Cross-references results with known AEM patterns and runs the AEM detector on identified subdomains.
5. Directory Bruteforcing:
- Function: Attempts to access hidden or sensitive AEM directories not readily apparent through crawling.
- Process:
- Uses wordlists of common AEM directory names and file paths.
- Sends requests to each potential path and analyzes responses for success or failure.
- Identifies unauthorized content or configuration files that could be exploited.
6. AEM Vulnerability Scanning:
- Function: Scans identified AEM instances for known vulnerabilities based on CVE databases, exploit research, and vendor advisories.
- Process:
- Matches detected AEM versions with known vulnerabilities.
- Attempts to exploit vulnerabilities to confirm their presence and exploitability.
- Prioritizes vulnerabilities based on severity and potential impact.
7. Template-Based Scanner to Find 0days at Scale:
- Function: Detects potential zero-day vulnerabilities (unpatched, unknown) using pre-defined attack patterns.
- Process:
- Employs templates for common AEM vulnerabilities, such as SQL injection or cross-site scripting.
- Automatically sends crafted probes to test for vulnerabilities based on these templates.
- Flags potential 0days for further investigation and prioritization.
Together, these components provide a comprehensive understanding of your AEM attack surface, enabling proactive vulnerability management and risk mitigation.
Scan Inputs
The scan mode may contain one or more of the following inputs:
URL:
The target URL to scan (e.g. https://example.com)
Domain:
The root domain to scan (e.g. test.com)
Wordlist:
The custom wordlist to be used during directory bruteforcing; if you need a few to get started with, try the following:
User Agent:
The custom user-agent to be used during scanning, for example:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Template:
The template to be used during scanning which can help researchers run 0days or ndays at scale using our distributed scanner:
{
  "requests": {
    "path": "/content/..;/crx/de/index.jsp",
    "method": "GET"
  },
  "responses": {
    "matchers-condition": "and",
    "matchers": [
      {
        "type": "word",
        "words": ["CRXDE Lite"]
      },
      {
        "type": "status",
        "status": [200]
      }
    ]
  }
}
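As an added example (not the platform's own scanner code), the following evaluates a template in the format above against constructed HTTP responses, so you can see which responses would be flagged. The matcher semantics are assumptions: a word matcher hits when any listed word appears in the body, a status matcher hits when the status code is in its list, and matchers-condition accepts "and" or "or".

```python
import json
from dataclasses import dataclass

# The template from the page above, in the platform's request/response format.
TEMPLATE = json.loads("""
{
  "requests": {"path": "/content/..;/crx/de/index.jsp", "method": "GET"},
  "responses": {
    "matchers-condition": "and",
    "matchers": [
      {"type": "word", "words": ["CRXDE Lite"]},
      {"type": "status", "status": [200]}
    ]
  }
}
""")

@dataclass
class Response:
    status: int
    body: str

def matcher_hits(matcher: dict, resp: Response) -> bool:
    """Evaluate one matcher. Assumed semantics: 'word' hits when any listed word
    is in the body; 'status' hits when the code is listed. Unknown types raise
    instead of silently passing, so a typo in a template cannot hide a finding."""
    kind = matcher.get("type")
    if kind == "word":
        return any(w in resp.body for w in matcher["words"])
    if kind == "status":
        return resp.status in matcher["status"]
    raise ValueError(f"unsupported matcher type: {kind!r}")

def template_matches(template: dict, resp: Response) -> bool:
    """Combine every matcher with matchers-condition ('and' by default, 'or' allowed)."""
    section = template["responses"]
    results = [matcher_hits(m, resp) for m in section["matchers"]]
    cond = section.get("matchers-condition", "and")
    if cond == "and":
        return all(results)
    if cond == "or":
        return any(results)
    raise ValueError(f"unsupported matchers-condition: {cond!r}")

# Constructed sample responses (not captured from any real host).
EXPOSED = Response(200, "<html><title>CRXDE Lite</title></html>")      # dev console reachable: finding
BLOCKED = Response(404, "<html><body>Not found</body></html>")          # Dispatcher filter rejected the path
MISLEADING = Response(200, "<html>Welcome to the site</html>")          # 200 but no CRXDE marker: no finding

if __name__ == "__main__":
    req = TEMPLATE["requests"]
    for name, r in [("exposed", EXPOSED), ("blocked", BLOCKED), ("misleading", MISLEADING)]:
        print(f"{req['method']} {req['path']} -> {name}: {template_matches(TEMPLATE, r)}")
```

The "and" condition is what keeps the third response from being a false positive: a 200 alone is not evidence that the console is exposed.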