How I found my first Adobe Experience Manager related bug.
Original Post:
We discussed this vulnerability during Episode 83 on 20 September 2021.
A WAF bypass by confusing the Adobe Experience Manager Dispatcher (load balancer/WAF/etc.). Not a crazy idea, but I don’t think we’ve covered any WAF bypass quite like this on the podcast before. The goal was to access /bin/querybuilder.json (I’m not sure if the .json was part of the endpoint or part of confusing the Dispatcher), which would lead to access to the host filesystem. This was done by fuzzing the endpoint with various allowed features and parameters until the Dispatcher sent the query through, resulting in a final path along the lines of /bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1
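The same request from the detection side, as an added example that is not part of the original post: a log check that flags request URIs whose decoded path puts a `;` or control character between a blocked servlet prefix and a static-file suffix. It is a heuristic and does not model the Dispatcher's own parsing; the log lines, prefix list, suffix list and function names are constructed for illustration, and only the `/bin/querybuilder` path and the final URI come from the post.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: prefixes the Dispatcher should block; only /bin/querybuilder is from the post.
SENSITIVE_PREFIXES = ("/bin/querybuilder",)
STATIC_SUFFIX = re.compile(r"\.(css|js|png|gif|jpe?g|ico|svg)$", re.IGNORECASE)
CONTROL = re.compile(r"[\x00-\x1f\x7f]")
DELIMITER = re.compile(r"[;\x00-\x1f\x7f]")  # ';' path parameter or control character
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (addresses, statuses and sizes are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Sep/2021:10:00:01 +0000] "GET /content/site/en.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/Sep/2021:10:00:02 +0000] "GET /etc.clientlibs/site/main.css HTTP/1.1" 200 900',
    '203.0.113.9 - - [20/Sep/2021:10:00:03 +0000] "GET /bin/querybuilder.json?path=/etc HTTP/1.1" 404 0',
    '203.0.113.9 - - [20/Sep/2021:10:00:04 +0000] "GET /bin/querybuilder.json.;%0aa.css?path=/etc&p.hits=full&p.limit=-1 HTTP/1.1" 200 48211',
]

def fully_decode(path, rounds=3):
    """Percent-decode repeatedly so double-encoded delimiters (%250a) are also seen."""
    for _ in range(rounds):
        path = unquote(path)
    return path

def classify(request_uri):
    """Return reasons a URI looks like filter confusion; an empty list means clean."""
    path = fully_decode(urlsplit(request_uri).path)
    reasons = []
    if CONTROL.search(path):
        reasons.append("control character in decoded path")
    if ";" in path:
        reasons.append("';' path parameter")
    head = DELIMITER.split(path, maxsplit=1)[0]  # what precedes the first delimiter
    if head.startswith(SENSITIVE_PREFIXES):
        if head == path:
            reasons.append("direct request to sensitive path")
        elif STATIC_SUFFIX.search(path):
            reasons.append("static suffix appended to sensitive path")
    return reasons

def scan(log_lines):
    """Return (uri, reasons) for every log line whose request URI is flagged."""
    uris = [m.group(1) for m in map(REQUEST.search, log_lines) if m]
    return [(u, classify(u)) for u in uris if classify(u)]

if __name__ == "__main__":
    for uri, reasons in scan(SAMPLE_LOG):
        print(uri, "->", "; ".join(reasons))
```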