escalate/aem-dispatcher-security-scan

AEM Dispatcher Security Scan

A command-line tool to perform an active security scan against an AEM Dispatcher.

This tool tries to bring together all security-relevant AEM Dispatcher URLs that are publicly known on the internet.

If you know of more URLs, please open a GitHub issue to report them.

Usage

$ ./scan.py --help

Usage: scan.py [OPTIONS]

    Commandline interface for AEM Dispatcher Security Scan

Options:
    --website-url TEXT        Set URL of website e.g. http://www.adobe.com [required]
    --website-page-path TEXT  Set path of website page e.g. /content/geometrixx/en
    --timeout FLOAT           Set timeout for http requests in secs e.g. 1.5 or 5
    --verbose                 Enable verbose logging output
    --help                    Show this message and exit.

Installation

Tested with Python 3.12.x on Ubuntu 22.04

If you encounter issues with 3.12.x patch versions of Python, please open a GitHub issue.

Install needed requirements

make requirements

Run the tool from the command line

$ ./scan.py

Docker

Build Docker image

$ make build

Run Docker container from built image

$ docker run scan

Run Docker container from built image with arguments

$ docker run scan \
    --website-url "http://www.adobe.com" \
    --website-page-path "/content/geometrixx/en" \
    --verbose

Dependencies

References

License

MIT