Apache Sling / AEM Security Auditor
Comprehensive Security Auditing for Apache Sling & AEM
A professional-grade security auditing tool designed for IT auditors and security professionals to identify misconfigurations, vulnerabilities, and security weaknesses in Apache Sling and Adobe Experience Manager (AEM) instances.
Developed by:
Ruben Silva | GitHub | Patreon
🚀 Quick Start
```bash
# Clone the repository
git clone https://github.com/Auditing-Korner/Apache-Sling-Auditor.git
cd Apache-Sling-Auditor

# Install dependencies
pip install -r requirements.txt

# Run a scan
python auditor.py -t http://target.com:4502
```
✨ Key Features
🔍 Multi-Mode Scanning
Quick, Full, and Stealth modes optimized for different scenarios. Choose the right mode for your security assessment needs.
⚡ High Performance
Asynchronous scanning with concurrent requests for fast results. Efficient I/O operations for maximum throughput.
🎯 CVE Detection
Automated detection of 10+ known CVEs including Log4Shell, XSS, SSRF, Path Traversal, and Information Disclosure.
💥 Active Exploitation
Generate PoCs and validate vulnerabilities with exploitation mode. Create proof-of-concept files for confirmed issues.
🔐 Brute Force Testing
Automated credential testing with configurable wordlists. Support for form-based and HTTP Basic authentication.
📊 Detailed Reporting
Rich console output and comprehensive JSON reports. Color-coded severity levels and detailed vulnerability information. HTML reports planned for future releases.
📚 Documentation
- Installation: Get started with installation and setup
- Quick Start: Run your first scan in minutes
- Features: Complete feature list and capabilities
- Usage: Detailed usage instructions
- Configuration: Configure the auditor
- Vulnerabilities: Supported vulnerabilities
- Exploitation: Exploitation capabilities
- CLI Reference: Command-line options
- Examples: Usage examples and scenarios
- Troubleshooting: Common issues and solutions
🎯 Use Cases
- Security Auditing: Comprehensive security assessment of Sling/AEM instances
- Penetration Testing: Active exploitation and vulnerability validation
- Compliance Checking: Automated security compliance verification
- Reconnaissance: Information gathering and enumeration
- Vulnerability Research: CVE detection and analysis
This tool is intended for security auditing and testing purposes by authorized personnel only. Always obtain explicit written permission before scanning any system.
⚠️ Known Limitations
- Reporting: Currently only JSON reports are generated. HTML and text summary reports are planned for future releases.
- Default Credentials: Default credentials from the config are only tested if authentication-required paths (HTTP 401/403 responses) are detected first. Use the `-u` and `-p` flags to force credential testing regardless of detection.
- Memory Usage: Large wordlists are loaded entirely into memory. Consider using smaller wordlists or reducing the thread count for very large enumerations.
- Configuration: Some configuration sections must exist in `config/audit_config.yaml` or scans may fail. Keep the default config as a template.
📦 Installation
```bash
# Create virtual environment
python -m venv venv
source venv/bin/activate  # On Windows: .\venv\Scripts\activate

# Install dependencies
pip install -r requirements.txt
```
🔧 Basic Usage
```bash
# Full scan
python auditor.py -t http://target.com:4502

# Quick scan
python auditor.py -t http://target.com:4502 --mode quick

# With exploitation
python auditor.py -t http://target.com:4502 --exploit

# Brute force testing
python auditor.py -t http://target.com:4502 --brute-force
```
🤝 Contributing
Contributions are welcome! See the Contributing Guide for details.
📄 License
This project is licensed under the GPL-3.0 License - see the LICENSE file for details.
👤 Author
Ruben Silva
- LinkedIn: https://www.linkedin.com/in/ruben-silva85/
- GitHub: Auditing-Korner
- Patreon: https://www.patreon.com/cw/rfs85 - Support cybersecurity research and get exclusive content