OWASP Top 10 security checks

Solution: the ten categories of the OWASP Top 10 (the 2010 edition of the list, which the Adobe page referenced below follows):

1. Injection
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
4. Insecure Direct Object References
5. Insecure Cryptographic Storage
6. Security Misconfiguration
7. Failure to Restrict URL Access
8. Unvalidated Redirects and Forwards
9. Broken Authentication and Session Management
10. Insufficient Transport Layer Protection


Reference URL:

https://helpx.adobe.com/experience-manager/6-4/sites/administering/using/owasp-top10.html

The CSRF Protection Framework in AEM



AEM 6.1 and later ship with a mechanism that helps protect against Cross-Site Request Forgery attacks, called the CSRF Protection Framework. It is token based: the server issues a per-session token and the granite.csrf.standalone client library adds it to state-changing requests as a CSRF-Token header, so a forged cross-site request that lacks a valid token is rejected. For details on how to use it, consult the AEM documentation on the CSRF Protection Framework.

The Sling Referrer Filter

To address known Cross-Site Request Forgery (CSRF) issues in CRX WebDAV and Apache Sling, you need to configure the Referrer filter for your deployment; it only protects you once its allow list matches the hosts your users actually come from.
The referrer filter service is an OSGi service that lets you configure:
  • which HTTP methods should be filtered
  • whether an empty referrer header is allowed
  • a white list of servers that are allowed in addition to the server host.
By default, all variations of localhost and the host names the server is bound to are in the white list.
To configure the referrer filter service:
  1. Open the Apache Felix console (Configurations) at:
       http://<server>:<port_number>/system/console/configMgr
  2. Log in as admin.
  3. In the Configurations menu, select:
        Apache Sling Referrer Filter
  4. In the Allow Hosts field, enter all hosts that are allowed as a referrer. Each entry needs to be of the form
       <protocol>://<server>:<port>
     For example:
     • http://allowed.server:80 allows all requests from this server with the given port.
     • If you also want to allow https requests, you have to enter a second line (for example https://allowed.server:443).
     • If you want to allow all ports on that server, use 0 as the port number.
  5. Check the Allow Empty field only if you really need to allow empty/missing referrer headers.
     Caution:
     Provide a referrer when using command-line tools such as cURL instead of allowing an empty value. Browsers omit the Referer header when the page that issues a request uses Referrer-Policy: no-referrer (or a <meta name="referrer" content="no-referrer"> tag), so with Allow Empty checked a cross-site attacker can simply strip the header and the filter no longer protects you against CSRF.
  6. Edit the methods this filter should check in the Filter Methods field.
  7. Click Save to save your changes.
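To make the decision rules above concrete, here is an added example (not Apache Sling's or Adobe's code) that models the referrer filter's behaviour as described on this page: the filtered methods, the Allow Empty switch, the implicit white-listing of the server's own host names, and allow-list entries of the form protocol://server:port with 0 meaning any port. The default method list, the treatment of a missing port as the scheme's default port, and the rejection of relative or unparseable Referer values are assumptions of this model, not something the page states.

```python
from urllib.parse import urlsplit

# Ports a referrer URL implies when it names none, so "http://allowed.server"
# and "http://allowed.server:80" compare equal (the real UI expects an explicit
# port in allow-list entries; this model simply fills in the default).
DEFAULT_PORTS = {"http": 80, "https": 443}
# Methods the filter checks by default (assumed: state-changing methods only,
# GET and HEAD are never filtered).
DEFAULT_FILTER_METHODS = ("POST", "PUT", "DELETE", "COPY", "MOVE")


def normalise(url):
    """Reduce a URL or allow-list entry to (scheme, host, port); None if unparseable."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port              # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme.lower())
    return parts.scheme.lower(), parts.hostname.lower(), port


class ReferrerFilter:
    """Model of the referrer filter decision (added example, not Sling's source)."""

    def __init__(self, allow_hosts, *, allow_empty=False,
                 filter_methods=DEFAULT_FILTER_METHODS,
                 bound_hosts=("localhost", "127.0.0.1", "::1")):
        self.allow_empty = allow_empty                      # the "Allow Empty" checkbox
        self.filter_methods = {m.upper() for m in filter_methods}
        # The server's own names are white-listed implicitly, on any scheme and port.
        self.bound_hosts = {h.lower() for h in bound_hosts}
        self.allowed = set()
        for entry in allow_hosts:                            # the "Allow Hosts" field
            triple = normalise(entry)
            if triple is None:
                raise ValueError(f"entry must be protocol://server:port, got {entry!r}")
            self.allowed.add(triple)

    def is_allowed(self, method, referer):
        """True if a request with this method and Referer header passes the filter."""
        if method.upper() not in self.filter_methods:
            return True                                      # method is not filtered
        if not referer:
            return self.allow_empty                          # missing/empty header
        triple = normalise(referer)
        if triple is None:
            return False                                     # garbage or relative value
        scheme, host, port = triple
        if host in self.bound_hosts:
            return True
        # An entry with port 0 matches every port on that scheme and host.
        return triple in self.allowed or (scheme, host, 0) in self.allowed


if __name__ == "__main__":
    # Constructed sample requests against a two-line allow list.
    f = ReferrerFilter(["http://allowed.server:80", "https://allowed.server:443"])
    for method, referer in [("GET", "http://evil.example/"),
                            ("POST", "http://allowed.server/form"),
                            ("POST", "http://evil.example/form"),
                            ("POST", None)]:
        verdict = "allow" if f.is_allowed(method, referer) else "reject"
        print(f"{method:5} Referer={referer!r:32} -> {verdict}")
```

The model also shows why the cURL advice matters: with the filter active, a hand-built POST passes only if it carries a matching header, for example `curl -X POST -H 'Referer: http://allowed.server:80' ...`, rather than by relaxing Allow Empty for everyone.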

Change default OSGi settings on AEM production instances


Some OSGi settings are enabled by default to make debugging the application easier. They need to be changed on your production author and publish instances to avoid leaking internal information (source mappings, timing data, unminified client libraries, edit-mode markup) to the public.

For each of the following services, change the specified settings:
  • Adobe Granite HTML Library Manager:
    • enable Minify (to remove CRLF and whitespace characters).
    • enable Gzip (to allow files to be gzipped and accessed with one request).
    • disable Debug
    • disable Timing
  • Day CQ WCM Debug Filter:
    • uncheck Enable
  • Day CQ WCM Filter:
    • on publish only, set WCM Mode to "disabled"
  • Apache Sling Java Script Handler:
    • disable Generate Debug Info
  • Apache Sling JSP Script Handler:
    • disable Generate Debug Info
    • disable Mapped Content
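Because these settings are easy to leave behind from a development run mode, a practitioner will want to check them before a deployment rather than by clicking through configMgr. The following is an added example (not Adobe's tooling) that parses the Felix .config files of a run-mode folder such as /apps/<project>/config.publish/ and reports every deviation from the checklist above. The OSGi PIDs and property names it uses are the ones these services expose in the AEM 6.x Configuration Manager; treat them as an assumption of this example and confirm them on your own instance. The sample folder contents are constructed for the example.

```python
import re
import sys
from pathlib import Path

# Production values for the services listed above, keyed by OSGi PID.
# PIDs and property names are assumed from AEM 6.x configMgr; verify them locally.
PRODUCTION_SETTINGS = {
    "com.adobe.granite.ui.clientlibs.impl.HtmlLibraryManagerImpl": {
        "htmllibmanager.minify": True, "htmllibmanager.gzip": True,
        "htmllibmanager.debug": False, "htmllibmanager.timing": False},
    "com.day.cq.wcm.core.impl.WCMDebugFilter": {"wcmdbgfilter.enabled": False},
    "com.day.cq.wcm.core.WCMRequestFilter": {"wcmfilter.mode": "disabled"},
    "org.apache.sling.scripting.java.impl.JavaScriptEngineFactory": {
        "java.classdebuginfo": False},
    "org.apache.sling.scripting.jsp.JspScriptEngineFactory": {
        "jasper.classdebuginfo": False, "jasper.mappedfile": False},
}
# Settings the checklist applies to publish instances only.
PUBLISH_ONLY = {("com.day.cq.wcm.core.WCMRequestFilter", "wcmfilter.mode")}

_SCALAR = re.compile(r'^([A-Z])?"(.*)"$')
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_value(raw):
    """Decode one Felix .config value: "text", B"true", I"42" or a ["a","b"] array."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [m.group(1) for m in _QUOTED.finditer(raw)]
    m = _SCALAR.match(raw)
    if not m:
        raise ValueError(f"unrecognised .config value: {raw!r}")
    kind, value = m.group(1), m.group(2)
    if kind == "B":
        return value.lower() == "true"
    if kind in ("I", "L"):
        return int(value)
    return value


def parse_config(text):
    """Parse the key=value lines of one .config file into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, raw = line.partition("=")
        if not sep:
            raise ValueError(f"malformed .config line: {line!r}")
        props[key.strip()] = parse_value(raw)
    return props


def audit(configs, *, publish=True):
    """Compare {pid: {prop: value}} with PRODUCTION_SETTINGS.

    Returns (pid, prop, expected, actual) for each deviation. A missing file or
    property is reported with actual=None: the shipped default then applies, and
    the defaults are the debug-friendly ones this checklist exists to override."""
    findings = []
    for pid, wanted in PRODUCTION_SETTINGS.items():
        present = configs.get(pid) or {}
        for prop, expected in wanted.items():
            if not publish and (pid, prop) in PUBLISH_ONLY:
                continue
            actual = present.get(prop)
            if actual != expected:
                findings.append((pid, prop, expected, actual))
    return findings


def audit_directory(config_dir, *, publish=True):
    """Audit every <pid>.config file in a run-mode folder such as config.publish/."""
    files = Path(config_dir).glob("*.config")
    return audit({p.stem: parse_config(p.read_text()) for p in files}, publish=publish)


# Constructed sample of a config.publish/ folder with typical leftovers from
# development: debug still on, gzip never set, WCM mode still "edit", and no
# WCMDebugFilter file at all (so its debug-friendly default applies).
SAMPLE_CONFIGS = {
    "com.adobe.granite.ui.clientlibs.impl.HtmlLibraryManagerImpl":
        'htmllibmanager.minify=B"true"\nhtmllibmanager.debug=B"true"\n'
        'htmllibmanager.timing=B"false"\n',
    "com.day.cq.wcm.core.WCMRequestFilter": 'wcmfilter.mode="edit"\n',
    "org.apache.sling.scripting.java.impl.JavaScriptEngineFactory":
        'java.classdebuginfo=B"false"\n',
    "org.apache.sling.scripting.jsp.JspScriptEngineFactory":
        'jasper.classdebuginfo=B"false"\njasper.mappedfile=B"false"\n',
}


def main(argv):
    if len(argv) > 1:   # a folder name containing "author" is audited as author
        findings = audit_directory(argv[1], publish="author" not in argv[1])
    else:
        findings = audit({pid: parse_config(t) for pid, t in SAMPLE_CONFIGS.items()})
    for pid, prop, expected, actual in findings:
        print(f"{pid}: {prop} should be {expected!r}, found {actual!r}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to see the four findings for the constructed sample, or pass a run-mode folder from your content package; a non-zero exit status makes it usable as a build gate. Factory configurations (files named pid-name.config) are outside its scope, and a clean audit of the files only proves what the package sets, not what an operator later changed in configMgr, so repeat the check against the running instance before go-live.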