OWASP Top 10
The Open Web Application Security Project (OWASP) maintains a list of what they regard as the Top 10 Web Application Security Risks.
These are listed below, together with an explanation of how CRX deals with them.
1. Injection
- SQL - Prevented by design: The default repository setup neither includes nor requires a traditional database; all data is stored in the content repository. All access is limited to authenticated users and can only be performed through the JCR API. SQL is supported only for search queries (SELECT), and the query API supports value binding, so user input is passed as a bound value rather than concatenated into the statement.
- LDAP - LDAP injection is not possible, since the authentication module filters the input and performs the user import using the bind method.
- OS - There is no shell execution performed from within the application.
2. Cross-Site Scripting (XSS)
The general mitigation practice is to encode all output of user-generated content using a server-side XSS protection library based on OWASP Encoder and AntiSamy.
XSS is a top priority during both testing and development, and any issues found are (typically) resolved immediately.
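The point of a context-aware encoder such as OWASP Encoder is that the same user-supplied string needs a different encoding depending on where in the page it lands (text node, quoted attribute, JavaScript string). The following Python sketch is an added example, not AEM's own code and not the OWASP Encoder library itself; the sample input is a constructed string, and the `render_comment` template is hypothetical.

```python
import html
import json

# Constructed sample of user-generated content carrying a script payload
# (an illustrative string for the example, not taken from any real incident).
USER_INPUT = '"><script>alert(1)</script><a href="x'


def encode_html_text(value: str) -> str:
    """Encode for an HTML text node: &, <, > and both quote characters become entities."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Encode for a *quoted* HTML attribute value.

    The entity set is the same as for text nodes, but this is only safe if the
    template always wraps the attribute in quotes; an unquoted attribute would
    need a far larger set of characters encoded.
    """
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Encode for use inside a JavaScript string literal within a <script> block.

    json.dumps() produces a quoted literal with quotes, backslashes and control
    characters escaped. '<' and '>' are escaped on top of that so that a value
    containing '</script>' cannot terminate the script block early.
    """
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e")


def render_comment(author: str) -> str:
    """Hypothetical template that places the same value in three contexts."""
    return (
        f'<div class="comment" data-author="{encode_html_attr(author)}">'
        f"{encode_html_text(author)}</div>"
        f"<script>var author = {encode_js_string(author)};</script>"
    )


if __name__ == "__main__":
    print(render_comment(USER_INPUT))
```

Encoding at output time, per context, is what makes the approach robust: the stored value is left untouched, so the same comment can be rendered safely in a page, an attribute and a script block without any input filtering having to anticipate all three.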
3. Broken Authentication and Session Management
AEM uses sound and proven authentication techniques, relying on Apache Jackrabbit and Apache Sling. Browser/HTTP Sessions are not used in AEM.
4. Insecure Direct Object References
All access to data objects is mediated by the repository and therefore restricted by role based access control.
5. Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) is mitigated by automatically injecting a cryptographic token into all forms and AJAX requests and verifying this token on the server for every POST.
In addition, AEM ships with a referrer-header based filter, which can be configured to only allow POST requests from specific hosts (defined in a list).
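The two server-side checks described above, a per-request token that must match the one issued to the client and a referrer allowlist, can be combined so that a POST has to pass both. The code below is an added example written for this page, not AEM's filter implementation; the header name `CSRF-Token`, the host names in `ALLOWED_HOSTS` and the sample requests are assumptions constructed for the demonstration. It shows the check a practitioner most often gets wrong: the Referer must be parsed and its host compared exactly, not matched as a substring or prefix.

```python
import hmac
from urllib.parse import urlsplit

# Constructed allowlist of hosts permitted to originate POST requests.
ALLOWED_HOSTS = {"author.example.com", "publish.example.com"}


def referrer_allowed(headers: dict, allowed_hosts: set) -> bool:
    """Accept the POST only if the Referer header names an allowlisted host.

    The host is extracted by a URL parser and compared exactly, so
    'https://author.example.com.evil.example/' and
    'https://author.example.com@evil.example/' are both rejected.
    A missing Referer is rejected as well (the strict variant of the policy).
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() in allowed_hosts


def token_valid(headers: dict, expected_token: str) -> bool:
    """Compare the submitted token with the one issued for this client.

    hmac.compare_digest avoids leaking the position of the first mismatch
    through timing differences.
    """
    submitted = headers.get("CSRF-Token", "")  # assumed header name
    return hmac.compare_digest(submitted.encode(), expected_token.encode())


def post_allowed(headers: dict, expected_token: str,
                 allowed_hosts: set = ALLOWED_HOSTS) -> bool:
    """A POST passes only if both the referrer filter and the token check pass."""
    return referrer_allowed(headers, allowed_hosts) and token_valid(headers, expected_token)


if __name__ == "__main__":
    # Constructed request headers for a legitimate same-site form submission.
    good = {"Referer": "https://author.example.com/content/form.html",
            "CSRF-Token": "issued-token-123"}
    print(post_allowed(good, "issued-token-123"))  # True
```

Treating the referrer filter as defence in depth rather than the primary control matters because browsers and privacy extensions may strip the Referer header; the token check is the one that must always hold.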
6. Security Misconfiguration
It is impossible to guarantee that all software is always correctly configured. However, we strive to provide as much guidance as possible and to make configuration as simple as possible. Furthermore, AEM ships with integrated Security Healthchecks that help you monitor the security configuration at a glance.
For more information, review the Security Checklist, which provides step-by-step hardening instructions.
7. Insecure Cryptographic Storage
Passwords are stored as cryptographic hashes in the user node; by default such nodes are only readable by the administrator and the user to whom they belong.
Sensitive data such as third-party credentials are stored in encrypted form using a FIPS 140-2 certified cryptographic library.
8. Failure to Restrict URL Access
The repository allows the setting of finely-grained privileges (as specified by JCR) for any given user or group at any given path, through access control entries. Access restrictions are enforced by the repository.
9. Insufficient Transport Layer Protection
Mitigated by server configuration (e.g. use HTTPS only).
10. Unvalidated Redirects and Forwards
Mitigated by restricting redirects to user-supplied destinations so that only internal locations are accepted.
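Restricting a redirect to "internal locations" is mostly a matter of refusing everything that a browser could interpret as a different origin. The function below is an added example written for this page, not AEM's redirect handling; the paths and host names in it are constructed test vectors. It goes beyond the single sentence above by treating the inputs browsers normalise in surprising ways: protocol-relative URLs (`//host`), triple slashes, backslashes that browsers read as slashes, and embedded tabs or newlines that the URL parser strips.

```python
from urllib.parse import urlsplit


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return target only if it is an internal, path-only location; else fallback.

    Accepted: a path starting with a single '/', optionally with a query
    string and fragment, e.g. '/content/site/en.html?a=1'.
    Rejected: absolute URLs of any scheme, protocol-relative URLs, and any
    spelling a browser would normalise into one of those.
    """
    if not target:
        return fallback

    # Browsers strip ASCII tab, CR and LF from URLs before parsing, so
    # '/\t/host' becomes '//host'. Remove them first so the checks below see
    # what the browser would see.
    candidate = target.replace("\t", "").replace("\r", "").replace("\n", "")

    # Browsers treat '\' as '/' in special schemes, so '/\host' is '//host'.
    candidate = candidate.replace("\\", "/")

    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # 'https://host/...', 'javascript:...', '//host/...'
        return fallback
    if not candidate.startswith("/") or candidate.startswith("//"):
        # relative paths are ambiguous; '///host' resolves to a remote host
        return fallback
    return candidate


if __name__ == "__main__":
    for value in ("/content/site/en.html?a=1#top", "//evil.example/", "/\\evil.example",
                  "https://evil.example/", "javascript:alert(1)", "/\t/evil.example"):
        print(repr(value), "->", safe_redirect_target(value))
```

Where the application legitimately needs to redirect to a small set of external hosts, the usual alternative is an explicit allowlist of full destinations or a lookup by identifier, rather than attempting to validate arbitrary URLs.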