Security testing with SecureCQ
Tomasz Rękawek
Cognifide
Security challenges
• CQ exposes a lot of data
  – Sling itself is a RESTful HTTP XML/JSON (or WebDAV) interface to JCR
  – CQ has additional features, available using an appropriate selector, GET parameter or path, e.g.:
    • .feed selector
    • ?debug=layout
    • /libs/shindig/proxy?url=http://www.cqcon.eu in CQ 5.4
• All of that is enabled by default
• For the administrator, each feature is a potential security flaw
• The administrator needs to know all of that
• Security checklists and blog posts come in handy
• SecureCQ – automated tool based on security checklists
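The checklist idea from the slides, as an added example that is neither the talk's nor SecureCQ's own code: a small Python probe that checks whether the three default-enabled features named above answer anonymous requests. The page path, the HTTP-200-means-reachable rule and the hardening hints are assumptions of this example.

```python
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Page path used for the selector and GET-parameter checks: a placeholder, not a
# path from the talk; point it at any page of the instance under review.
PAGE_PATH = "/content/example/en"

# Checks distilled from the slides: (name, path relative to the base URL, hardening hint).
CHECKS = [
    ("feed selector", PAGE_PATH + ".feed",
     "restrict the .feed rendering to authenticated users or remove it"),
    ("debug=layout", PAGE_PATH + ".html?debug=layout",
     "turn debug rendering off on production instances"),
    ("shindig proxy", "/libs/shindig/proxy?url=http://www.cqcon.eu",
     "deny anonymous access to /libs/shindig/proxy (CQ 5.4)"),
]


def fetch_status(base_url, path, timeout=5):
    """HTTP status of an unauthenticated GET of base_url + path (urllib only)."""
    req = Request(urljoin(base_url, path), headers={"User-Agent": "cq-checklist-example"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def classify(name, status, hint):
    """Map a status code to a finding. Treating 200 as 'feature reachable by
    anonymous users' is this example's heuristic, not SecureCQ's logic."""
    if status == 200:
        result = "FAIL"
    elif status in (401, 403, 404):
        result = "PASS"
    else:
        result = "WARN"  # redirects, 5xx etc. need a manual look
    return {"check": name, "status": status, "result": result, "hint": hint}


def run_checks(base_url, fetch=fetch_status):
    """Run every check; `fetch` is injectable so results can be computed offline."""
    return [classify(name, fetch(base_url, path), hint) for name, path, hint in CHECKS]


if __name__ == "__main__":
    import sys
    # Default is the standard CQ author port; pass another base URL as argv[1].
    for finding in run_checks(sys.argv[1] if len(sys.argv) > 1 else "http://localhost:4502/"):
        print(f"{finding['result']:4} {finding['check']:14} HTTP {finding['status']}  {finding['hint']}")
```

Run it against a test instance only; a FAIL means the feature answered an anonymous request and the hint says what to tighten.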
Live demo
Downloads
• Package Share
– One-click-install
• http://github.com/Cognifide/SecureCQ
– Sources
– Information on creating new tests
• Blog post on cognifide.com:
Keep your CMS safe with Secure CQ