├── .gitignore ├── .travis.settings.xml ├── .travis.yml ├── BappManifest.bmf ├── LICENSE ├── README.md ├── pom.xml ├── release.sh └── src └── main └── java └── burp ├── BurpExtender.java ├── BurpHelperDto.java ├── Confidence.java ├── ScanIssue.java ├── Severity.java ├── actions ├── AbstractDetector.java ├── SecurityCheck.java ├── SecurityCheckExecutorService.java ├── WithHttpRequests.java ├── accesscontrol │ ├── DefaultLoginWithLoginPagePossible.java │ └── WriteAccessPossible.java ├── crx │ └── CrxExposedDetector.java ├── dispatcher │ ├── DispatcherConfigVulnerability.java │ ├── FelixSystemConsoleExposed.java │ ├── GQLServletExposed.java │ ├── GetServletExposed.java │ ├── LoginStatusServletExposed.java │ ├── PostServletExposed.java │ ├── QueryBuilderExposed.java │ └── XSSinSWFDetector.java ├── http │ ├── GetRequest.java │ ├── HttpMethod.java │ ├── PostRequest.java │ └── ResponseHolder.java ├── misconfiguration │ ├── AuditServletDetector.java │ ├── DebugFilterDetector.java │ ├── MetaDataLeakageCheckCallable.java │ └── WcmSuggestionServletDetector.java └── xss │ └── FlippingTypeWithChildrenlistSelector.java ├── payload ├── AEMPath.java ├── DefaultCredential.java └── FilterEvasion.java ├── ui ├── AEMSecurityAnalysisMenu.java └── GenericCheckActionListener.java └── util ├── BurpHttpRequest.java ├── WithComparator.java └── WithIssueBuilder.java /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/.gitignore -------------------------------------------------------------------------------- /.travis.settings.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/.travis.settings.xml -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/.travis.yml -------------------------------------------------------------------------------- /BappManifest.bmf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/BappManifest.bmf -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/README.md -------------------------------------------------------------------------------- /pom.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/pom.xml -------------------------------------------------------------------------------- /release.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/release.sh -------------------------------------------------------------------------------- /src/main/java/burp/BurpExtender.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/BurpExtender.java -------------------------------------------------------------------------------- /src/main/java/burp/BurpHelperDto.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/BurpHelperDto.java -------------------------------------------------------------------------------- /src/main/java/burp/Confidence.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/Confidence.java -------------------------------------------------------------------------------- /src/main/java/burp/ScanIssue.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/ScanIssue.java -------------------------------------------------------------------------------- /src/main/java/burp/Severity.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/Severity.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/AbstractDetector.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/AbstractDetector.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/SecurityCheck.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/SecurityCheck.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/SecurityCheckExecutorService.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/SecurityCheckExecutorService.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/WithHttpRequests.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/WithHttpRequests.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/accesscontrol/DefaultLoginWithLoginPagePossible.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/accesscontrol/DefaultLoginWithLoginPagePossible.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/accesscontrol/WriteAccessPossible.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/accesscontrol/WriteAccessPossible.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/crx/CrxExposedDetector.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/crx/CrxExposedDetector.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/dispatcher/DispatcherConfigVulnerability.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/dispatcher/DispatcherConfigVulnerability.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/dispatcher/FelixSystemConsoleExposed.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/dispatcher/FelixSystemConsoleExposed.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/dispatcher/GQLServletExposed.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/dispatcher/GQLServletExposed.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/dispatcher/GetServletExposed.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/dispatcher/GetServletExposed.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/dispatcher/LoginStatusServletExposed.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/dispatcher/LoginStatusServletExposed.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/dispatcher/PostServletExposed.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/dispatcher/PostServletExposed.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/dispatcher/QueryBuilderExposed.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/dispatcher/QueryBuilderExposed.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/dispatcher/XSSinSWFDetector.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/dispatcher/XSSinSWFDetector.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/http/GetRequest.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/http/GetRequest.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/http/HttpMethod.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/http/HttpMethod.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/http/PostRequest.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/http/PostRequest.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/http/ResponseHolder.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/http/ResponseHolder.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/misconfiguration/AuditServletDetector.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/misconfiguration/AuditServletDetector.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/misconfiguration/DebugFilterDetector.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/misconfiguration/DebugFilterDetector.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/misconfiguration/MetaDataLeakageCheckCallable.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/misconfiguration/MetaDataLeakageCheckCallable.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/misconfiguration/WcmSuggestionServletDetector.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/misconfiguration/WcmSuggestionServletDetector.java -------------------------------------------------------------------------------- /src/main/java/burp/actions/xss/FlippingTypeWithChildrenlistSelector.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/actions/xss/FlippingTypeWithChildrenlistSelector.java -------------------------------------------------------------------------------- /src/main/java/burp/payload/AEMPath.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/payload/AEMPath.java -------------------------------------------------------------------------------- /src/main/java/burp/payload/DefaultCredential.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/payload/DefaultCredential.java -------------------------------------------------------------------------------- /src/main/java/burp/payload/FilterEvasion.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/payload/FilterEvasion.java -------------------------------------------------------------------------------- /src/main/java/burp/ui/AEMSecurityAnalysisMenu.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/ui/AEMSecurityAnalysisMenu.java -------------------------------------------------------------------------------- /src/main/java/burp/ui/GenericCheckActionListener.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/ui/GenericCheckActionListener.java -------------------------------------------------------------------------------- /src/main/java/burp/util/BurpHttpRequest.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/util/BurpHttpRequest.java -------------------------------------------------------------------------------- /src/main/java/burp/util/WithComparator.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/util/WithComparator.java -------------------------------------------------------------------------------- /src/main/java/burp/util/WithIssueBuilder.java: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/thomashartm/burp-aem-scanner/HEAD/src/main/java/burp/util/WithIssueBuilder.java --------------------------------------------------------------------------------