Advanced Adobe Experience Manager (AEM) Penetration Testing
A comprehensive guide to security testing AEM deployments with automation tools and advanced techniques
🎯 Introduction
Adobe Experience Manager (AEM) is a leading enterprise-grade content management system that empowers organizations to build and deliver personalized digital experiences. As with any complex software, AEM deployments can present a significant attack surface if not properly secured.
This comprehensive guide provides advanced techniques for penetration testing AEM instances, covering everything from basic fingerprinting to automated vulnerability discovery. We'll explore the latest tools, techniques, and automation scripts that security professionals need to effectively assess AEM security.
🔍 What You'll Learn:
- Advanced AEM fingerprinting techniques
- Common misconfigurations and vulnerabilities
- Dispatcher bypass methods
- Automated testing with custom Python scripts
- Integration with Nuclei and other security tools
- Comprehensive reporting and remediation strategies
🔍 AEM Fingerprinting
The first step in any AEM penetration test is proper fingerprinting to confirm the presence of an AEM installation and gather initial intelligence.
HTTP Header Analysis
Quick Indicators
- /etc.clientlibs/ static path present (returns JS/CSS)
- /libs/granite/core/content/login.html login page with "Adobe Experience Manager" banner
- </script><!--/* CQ */--> comment at the bottom of the HTML
💡 Pro Tip: Always check multiple indicators as some may be filtered or modified by security controls.
🎯 High-Value Unauthenticated Endpoints
AEM exposes numerous endpoints that can provide valuable information or attack vectors. Here are the most critical ones to test:
| Path | What You Get | Notes |
|---|---|---|
| /.json, /.1.json | JCR nodes via DefaultGetServlet | Often blocked, but Dispatcher bypass works |
| /bin/querybuilder.json?path=/ | QueryBuilder API | Leak of page tree, internal paths, user names |
| /system/console/bundles | OSGi/Felix console | 403 by default; if exposed & creds found ⇒ RCE |
| /crx/packmgr/index.jsp | Package Manager | Allows authenticated content packages → JSP upload |
| /etc/groovyconsole/** | AEM Groovy Console | If exposed → arbitrary Groovy/Java execution |
🚨 Dispatcher Bypass Technique
Most production sites sit behind the Dispatcher (reverse-proxy). Its filter rules can be bypassed by appending an allowed static extension after a semicolon or encoded newline:
⚠️ Critical Finding
A single request like above frequently discloses user profile nodes with email addresses, representing a significant information disclosure vulnerability.
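As an added example (not part of the original guide), the following Python screens Dispatcher access-log lines for the bypass pattern just described (a static extension appended after a semicolon or encoded newline) and for anonymous hits on the endpoints listed in the table above; the log lines are constructed for the demo and the rule names are my own.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (common log format) for this demo. Lines 3 and 4
# follow the bypass pattern described above: an allowed static extension
# appended after a semicolon or an encoded newline (%0a).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2025:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 8123
10.0.0.5 - - [12/Jan/2025:10:00:02 +0000] "GET /etc.clientlibs/site/main.css HTTP/1.1" 200 4421
203.0.113.9 - - [12/Jan/2025:10:00:03 +0000] "GET /bin/querybuilder.json;%0a.css?path=/ HTTP/1.1" 200 90211
203.0.113.9 - - [12/Jan/2025:10:00:04 +0000] "GET /home/users/.1.json;.ico HTTP/1.1" 200 51230
203.0.113.9 - - [12/Jan/2025:10:00:05 +0000] "POST /.json HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Static extensions a Dispatcher allow-rule typically permits for anonymous users.
STATIC_EXT = r'(?:css|js|png|gif|jpe?g|ico|svg|woff2?)'
# A Sling path terminator (';' or a newline once decoded) followed by a static
# extension means the extension was appended only to satisfy the filter.
TERMINATOR_RE = re.compile(r'[;\r\n][^/]*\.' + STATIC_EXT + r'$', re.IGNORECASE)
# Endpoints from the table above that anonymous users should never reach.
SENSITIVE_RE = re.compile(
    r'(?:\.json(?=$|[;/?\r\n])|/bin/querybuilder|/system/console|/crx/|/etc/groovyconsole)',
    re.IGNORECASE)

def classify(method, target):
    """Return the rule names that fire for one request (empty list if benign)."""
    path = unquote(target.split('?', 1)[0])  # decode first, then inspect
    rules = []
    if TERMINATOR_RE.search(path):
        rules.append('dispatcher-bypass-terminator')
    if SENSITIVE_RE.search(path):
        rules.append('sensitive-endpoint')
    if method == 'POST' and path.endswith('.json'):
        rules.append('anonymous-json-post')  # the :operation=import vector
    return rules

def analyze(log_text):
    """One alert per suspicious request, noting whether the Dispatcher served it."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (rules := classify(m['method'], m['target'])):
            alerts.append({'ip': m['ip'], 'method': m['method'], 'target': m['target'],
                           'rules': rules, 'served': int(m['status']) < 400})
    return alerts

if __name__ == '__main__':
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Requests flagged with `served: True` are the ones that actually got past the filter and merit a look at what the response contained.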
⚙️ Common Misconfigurations (Still Alive in 2025)
1. Anonymous POST Servlet
POST /.json with :operation=import lets you plant new JCR nodes. Blocking *.json POST in the Dispatcher fixes it.
2. World-Readable User Profiles
Default ACL grants jcr:read on /home/users/**/profile/* to everyone.
3. Default Credentials
Common combinations: admin:admin, author:author, replication:replication
4. WCMDebugFilter Enabled
Reflected XSS via ?debug=layout (CVE-2016-7882, still found on legacy 6.4 installs)
5. Groovy Console Exposed
Remote code execution by sending a Groovy script:
🔥 Recent Vulnerabilities (Service-Pack Cadence)
| Quarter | CVE | Affected | Impact |
|---|---|---|---|
| Dec 2024 | CVE-2024-43711 | 6.5.21 and earlier | Improper input validation → Arbitrary code execution |
| Dec 2024 | CVE-2024-43724/26 | 6.5.21 and earlier | DOM / Stored XSS in Move Page Wizard |
| Dec 2023 | CVE-2023-48452/68 | ≤ 6.5.18 | DOM-based XSS via crafted URL |
| Dec 2022 | CVE-2022-30683 | ≤ 6.5.13 | Crypto design flaw → secret decryption |
⚠️ Important: Always check the APSB bulletin matching the customer's service-pack and request the latest 6.5.22 or Cloud Service 2024.11.
💥 Exploitation Techniques
RCE via Dispatcher Bypass + JSP Upload
If anonymous write is possible:
Now request /content/evil.jsp – the JSP runs with the AEM process user.
SSRF to RCE (Historical < 6.3)
🛠️ Advanced Tooling
🎯 Hopgoblin - AEM Scanner by Assetnote
hopgoblin is a specialized scanner for Adobe Experience Manager instances developed by Assetnote. It automates checks frequently performed during security assessments.
Key Features:
- Detects exposed QueryBuilder endpoints
- Enumerates rep:User objects and leaked password hashes
- Identifies writable JCR nodes
- SSRF via /services/accesstoken/verify
- Blind XXE in Jackrabbit package manager
- Expression Language (EL) injection detection
Installation & Usage:
```bash
git clone https://github.com/assetnote/hopgoblin.git
cd hopgoblin
pip install -r requirements.txt

# Single target
python hopgoblin.py https://aem-target.example

# Multiple targets with proxy
python hopgoblin.py -f targets.txt --proxy http://127.0.0.1:8080 --threads 25
```
🏆 Recent Discoveries: Assetnote discovered 7 new CVEs in 2025: CVE-2025-54251, CVE-2025-54249, CVE-2025-54252, CVE-2025-54250, CVE-2025-54247, CVE-2025-54248, CVE-2025-54246
⚡ Classic AEM-Hacker
Swiss-army enumeration script supporting dispatcher bypass, SSRF detection, and default credential checks:
```bash
python3 aem_hacker.py -u https://target --host attacker-ip
```
🤖 All-in-One Python Automation Script
I've developed a comprehensive Python automation script that combines multiple testing techniques into a single tool. This script provides:
🚀 Script Features:
- Automated AEM Fingerprinting: Detects AEM installations and versions
- Endpoint Enumeration: Tests for accessible AEM-specific endpoints
- Dispatcher Bypass Testing: Attempts to bypass security controls
- Default Credentials Testing: Tests common credential combinations
- Groovy Console Detection: Identifies exposed consoles
- Nuclei Integration: Runs AEM-specific templates
- Nmap Integration: Performs port scanning
- Comprehensive Reporting: Generates JSON and HTML reports
- Multi-threading: Supports concurrent testing
- Proxy Support: Compatible with Burp Suite
Usage Examples:
```bash
# Basic usage
python3 aem_pentest_automation.py https://target-aem.com

# Advanced usage with custom settings
python3 aem_pentest_automation.py https://target-aem.com -o custom_results -t 20

# With proxy support for Burp Suite integration
python3 aem_pentest_automation.py https://target-aem.com -p http://127.0.0.1:8080

# Skip external tool scans
python3 aem_pentest_automation.py https://target-aem.com --no-nuclei --no-nmap
```
📥 Download the Complete Automation Package
Get the full AEM penetration testing automation script with documentation and examples.
⚡ Nuclei Templates for AEM
The Nuclei project maintains an extensive collection of AEM vulnerability detection templates. These templates automate the detection of common misconfigurations and security issues.
Key Template Categories:
🔍 Information Disclosure Templates:
- aem-querybuilder-json-servlet.yaml
- aem-security-users.yaml
- aem-userinfo-servlet.yaml
- aem-disk-usage.yaml
⚠️ Authentication & Authorization:
- aem-default-get-servlet.yaml
- aem-login-status.yaml
- aem-crx-bypass.yaml
💥 Code Execution Templates:
- aem-groovyconsole.yaml
- aem-custom-script.yaml
- aem-osgi-bundles.yaml
Usage with Nuclei:
```bash
# Basic AEM scan
nuclei -t /path/to/nuclei-templates/misconfiguration/aem/ -u https://target-aem.com

# Specific template
nuclei -t aem-groovyconsole.yaml -u https://target-aem.com

# Multiple targets
nuclei -t /path/to/nuclei-templates/misconfiguration/aem/ -l targets.txt

# With custom headers
nuclei -t /path/to/nuclei-templates/misconfiguration/aem/ -u https://target-aem.com -H "User-Agent: Custom-Scanner"
```
🛡️ Hardening Recommendations
Based on the vulnerabilities and misconfigurations identified, here are the essential hardening recommendations:
🔒 Critical Security Measures:
- Keep Updated: Maintain the latest cumulative service pack (6.5.22 as of 2025)
- Credential Management: Remove/rotate default accounts; enforce SSO/SAML
- Dispatcher Security: Tighten filters – deny semicolons, encoded newlines, and *.json for anonymous users
- Console Protection: Disable or protect consoles (/system/console, /crx/*, /etc/groovyconsole) with IP allow-lists
- Permission Hardening: Apply Adobe's Anonymous Permission Hardening package
- Input Validation: Implement proper input validation and output encoding
- Monitoring: Enable comprehensive logging and monitoring
- Regular Assessments: Conduct periodic security assessments
⚠️ Priority Actions: If you discover default credentials, Dispatcher bypasses, or exposed Groovy consoles, address these immediately as they represent critical security risks.
🎯 Conclusion
Penetration testing of Adobe Experience Manager requires a multifaceted approach that combines manual testing with automated scanning. The tools and techniques outlined in this guide provide a comprehensive framework for identifying and mitigating AEM security vulnerabilities.
Key takeaways from this guide:
- Automation is Essential: Use tools like hopgoblin, Nuclei templates, and custom scripts to scale your testing
- Dispatcher Bypass is Critical: Always test for dispatcher bypass techniques as they're commonly overlooked
- Default Credentials Persist: Many organizations still use default credentials in production
- Regular Updates Matter: Stay current with Adobe security bulletins and service packs
- Comprehensive Reporting: Document findings thoroughly with clear remediation guidance