GithubHelp home page GithubHelp logo

thomashartm / burp-aem-scanner Goto Github PK

View Code? Open in Web Editor NEW
73.0 3.0 11.0 881 KB

Burp Scanner extension to fingerprint and actively scan instances of the Adobe Experience Manager CMS. It checks the website for common misconfigurations and security holes.

License: GNU General Public License v3.0

Java 97.67% Shell 2.33%
burp-extensions burp security-audit security-automation java aem adobe-experience-manager dispatcher burp-plugin

burp-aem-scanner's Introduction

Burp AEM Security Scanner Extension

Build Status

Burp AEM Security Scanner is an AEM focussed plugin which supports the evaluation of well known misconfigurations of AEM installations. It supports the verification of a number of Adobe's security checklist topics and evaluates typical AEM and Dispatcher misconfigurations.

What is AEM

AEM is an enterprise grade content management system used by a variety of high profile companies. AEM is a powerful but complex system and requires thoughtful handling of defaults and configurations. Therefore it leaves room for plenty of security bugs.

Installation Requirements

Burp Community is sufficient as the extension does not require the active or passive scanner.

How to use

Select one or multiple pages from within the Target sitemap. Then click on the relevant security check categories which you are planning to execute.

The scanner extension will use the selected URLs and pass them to the checks. Each check is self contained and will decide what to use from the provided URL, e.g. just the host and port e.g. to use it as a base to build the CRX or Felix Console URLs and to test dispatcher bypasses for them or the complete URL e.g. to verify if the particular page is vulnerable for enumeration.

AEM Actions Menu

The security checks will be executed by a thread pool in the background to check progress, please look into the extender output.

Why doesn't it use active scanner?

First of all because I want to make the checks available for everyone. Additionally and that is personally my major concern, the Burp extender API does not allow to trigger "one execution per host" checks e.g. to test for the existence of CRX and other resources, with the result of many unnecessary requests. Therefore I decided to manually trigger those scans.

How to build and develop

The extension is written in java. Please use maven >= 3.3.9 to build it. Execute the maven build in the root of the package.

mvn clean package

The compiled and deployable artifact is located in the target directory. To debug the extension, open burp via commandline with remote debugging enabled.

java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005 -jar burpsuite_pro.jar

How to install

Build the project. Then open Burp extender and select the compiled and assembled JAR. The extender will automatically register the scanner menu including all actions. Click a specific action to activate the detection for the provided URL.

Only the selected URLs will be used as a base for the respective scan.

Contributions

If you have suggestions and ideas for improvement feel free to contact me or just raise a pull request. I'm happy to discuss it.

Credits

It is based on Adobe's AEM/Dispatcher security checklist and implements many of the checks discovered and highlighted by Mikhail Egorov [email protected] https://github.com/0ang3el/aem-hacker/blob/master/aem_hacker.py

burp-aem-scanner's People

Contributors

dependabot[bot] avatar thomashartm avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar

burp-aem-scanner's Issues

Refactor burp integration approach

Currently burp does not allow to run certain checks for unique URLs once. It rather repeats the whole set of scans for each URL which basically creates tons of useless requests.

Switching to a UI integrated approach does the trick but is not very pleasant as well.
I would rather prefer to have a set of intruder payloads which are hammering the system and the various checks are executed then in the background

Introduce pickaxe as underlying scanning framework

Scan engine should switch to pickaxe using a modular approach.
Pickaxe could be used as a dependency to configure the actual scans, while the execution of scans is then handled through burps HTTP stack
It requires basically two tasks

  • PR for pickaxe to factor out the http client
  • custom http client integration and reporter for this plugin
  • improved UI and reporting which allows customizations and external loading of checks

Switch architecture to an intruder based approach

The overall architecture should be rather intruder based then scanner based.
The main painpoint is that a scanner intregration does not really work as it would issue payloads such as checks for distinct paths such as crx on all pages.
That does not make any sense.

It is more useful to issue those paths to a defined base URL. Internally Burp intruder provides those capabilities.
Additionally a number of scriptable exploits can be integrated through a UI (e.g. to work with resourceType based vulnerabilities)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.