15 Replies Latest reply on Dec 8, 2018 5:54 PM by josiahh94050133

Dispatcher and Sling Servlet ignores POST configuration

josiahh39572999

Hello.

When sending POST requests to content URLs in our production environment (AEM 6.3.3.1), I'm able to receive a 200 status response to the client.

This is despite the fact that I have the following rule in my dispatcher /filter configuration:

/0001 { /type "deny" /method "POST" /url "/content/*" }

I've also configured author and publish instances using the AEM security checklist (this environment is using production run modes with many development configurations disabled).

If I remove the .html extension in the POST, I receive a 403 status code response. So, I surmise that the 200 response is resulting from the way a Sling POST Servlet handles and delegates request processing to the default HTML rendering script(s).

After examining numerous configurations for request handling (referrer filter, default servlets, Sling authentication handlers, etc.), I have yet to derive the reason why these POSTs are returning a 200. Ideally, if the POSTs are blocked, we should see the correct HTTP status code.

Is there something about the way Sling handles requests that I'm missing?

Are there any Adobe (or Apache Software Foundation) recommended pen testing tools for validating my dispatcher configuration?

Please advise.
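As an added example (not from the post, and not Adobe's Dispatcher code), here is a small Python model of how the Dispatcher evaluates its /filter section: every rule is checked in order and the last matching rule decides. It parses the rule quoted in the question plus a second, constructed and hypothetical allow-by-extension rule, to illustrate one way a later rule can shadow an earlier deny for the .html variant of a URL while the extensionless variant stays denied. The glob matching, the extension extraction and the deny-when-nothing-matches default are simplifications assumed here; the real engine's URL decomposition is richer, so use this to reason about rule ordering in a config review, not as a substitute for testing the deployed dispatcher.

```python
import re
from fnmatch import fnmatchcase

# Rules in the dispatcher /filter syntax quoted in the post. /0001 is the
# rule from the question; /0002 is a CONSTRUCTED, hypothetical rule of the
# "allow common extensions" kind, placed after it to show last-match-wins.
RULES_TEXT = """
/0001 { /type "deny" /method "POST" /url "/content/*" }
/0002 { /type "allow" /extension "html" }
"""

RULE_RE = re.compile(r'/(\w+)\s*\{([^}]*)\}')
PROP_RE = re.compile(r'/(\w+)\s+"([^"]*)"')


def parse_filters(text):
    """Return a list of (rule name, {property: glob}) in file order."""
    rules = []
    for m in RULE_RE.finditer(text):
        props = dict(PROP_RE.findall(m.group(2)))
        rules.append((m.group(1), props))
    return rules


def request_parts(method, url):
    """Split a request into the fields a filter rule can test.
    Simplified: the extension is whatever follows the last dot in the
    last path segment (no selector/suffix handling)."""
    last = url.rsplit("/", 1)[-1]
    ext = last.split(".")[-1] if "." in last else ""
    return {"method": method, "url": url, "extension": ext}


def rule_matches(props, parts):
    """A rule matches when every property it names matches (glob, case-sensitive)."""
    return all(fnmatchcase(parts.get(key, ""), pattern)
               for key, pattern in props.items() if key != "type")


def evaluate(rules, method, url):
    """Dispatcher semantics: check every rule in order; the LAST matching
    rule's /type decides. With no match we assume deny (sample configs also
    make that explicit with a leading deny-all rule)."""
    parts = request_parts(method, url)
    decision, deciding = "deny", None
    for name, props in rules:
        if rule_matches(props, parts):
            decision, deciding = props["type"], name
    return decision, deciding


def allowed_requests(rules, requests):
    """Return the (method, url, rule) triples a rule set lets through, so a
    config review can see exactly which rule granted each one."""
    out = []
    for method, url in requests:
        decision, name = evaluate(rules, method, url)
        if decision == "allow":
            out.append((method, url, name))
    return out


if __name__ == "__main__":
    rules = parse_filters(RULES_TEXT)
    # The question's rule on its own denies the .html POST ...
    print(evaluate(rules[:1], "POST", "/content/site/page.html"))
    # ... but the later constructed extension rule re-allows it, while the
    # extensionless POST is still caught by /0001.
    for req in [("POST", "/content/site/page.html"),
                ("POST", "/content/site/page"),
                ("GET", "/content/site/page.html")]:
        print(req, "->", evaluate(rules, *req))
```

When reviewing a real /filter section, feed it the URL variants you actually expect to serve and check which rule number grants each write method; a deny that is followed by a broader allow is exactly the pattern this model makes visible.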