Tuesday, 24 September 2019

Access AEM servlet in Postman

When you make a POST request to your local AEM author instance, the request is filtered and restricted by the "Apache Sling Referrer Filter" and the "Adobe Granite CSRF Filter". An incoming POST request that carries no CSRF-Token header is blocked by these two filters. The steps below relax both filters on that local instance so that requests sent from Postman are accepted.

Steps to configure:

  • Navigate to ConfigMgr.
  • Search for "Apache Sling Referrer Filter".
  • Remove the POST method from the filter.
  • Check the "Allow Empty" checkbox and click Save.

  • Search for "Adobe Granite CSRF Filter".
  • Remove the POST method from the filter.
  • Click Save.

Download and install Postman.

Open the Postman app and do the following:
  • Select POST as the method.
  • Enter the AEM servlet URL.
  • Navigate to the "Authorization" tab and enter the username and password.
  • Enter the required "Headers".

  • Enter the request in the Body tab and click Send.

XSS Protection for AEM Servlets:

Add XSS protection to AEM servlets using the Apache Sling XSSAPI so that any script tags injected into a request are encoded rather than reflected as markup. This reduces the cross-site scripting risk when request parameters are written back into a response.

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.xss.XSSAPI;

// slingHttpServletRequestObj is the current SlingHttpServletRequest;
// the XSSAPI service is obtained by adapting the request.
XSSAPI xssapi = slingHttpServletRequestObj.adaptTo(XSSAPI.class);
// Encode the untrusted value for use inside an HTML attribute.
String encodedAttr = xssapi.encodeForHTMLAttr(someUnsafeValue);

The default XSS configuration in AEM is available at /libs/cq/xssprotection/config.xml.
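As an added example (not code from the original post), here is a complete Sling servlet that applies the XSSAPI encoding described above before reflecting a request parameter into an HTML response; the servlet path /bin/example/greeting, the class name GreetingServlet and the "name" parameter are assumptions.

```java
import java.io.IOException;
import javax.servlet.Servlet;
import javax.servlet.ServletException;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.apache.sling.xss.XSSAPI;
import org.osgi.service.component.annotations.Component;

// Hypothetical servlet path and parameter name (assumptions, not from the post)
@Component(service = Servlet.class,
           property = {
               "sling.servlet.paths=/bin/example/greeting",
               "sling.servlet.methods=POST"
           })
public class GreetingServlet extends SlingAllMethodsServlet {

    @Override
    protected void doPost(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        String name = request.getParameter("name");
        // Validate presence first; encoding a null would silently produce an empty string
        if (name == null || name.trim().isEmpty()) {
            response.sendError(SlingHttpServletResponse.SC_BAD_REQUEST, "Missing 'name' parameter");
            return;
        }

        // Obtain XSSAPI the same way the post does, by adapting the request
        XSSAPI xssapi = request.adaptTo(XSSAPI.class);
        if (xssapi == null) {
            response.sendError(SlingHttpServletResponse.SC_INTERNAL_SERVER_ERROR, "XSSAPI unavailable");
            return;
        }

        // Encode per output context: an attribute value and element text need different rules
        String safeAttr = xssapi.encodeForHTMLAttr(name);
        String safeText = xssapi.encodeForHTML(name);

        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        response.getWriter().write(
            "<p data-name=\"" + safeAttr + "\">Hello, " + safeText + "</p>");
    }
}
```

With this in place, a value such as `<script>alert(1)</script>` submitted from Postman is returned as encoded text inside the paragraph rather than as executable markup.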
