Understanding SharePoint 2013 App Security Vulnerabilities


Understanding SharePoint 2013 Add-In Security Vulnerabilities
Scot Hillier
[email protected]
@ScotHillier
Apologizing in advance

Out with the old…             In with the new…
Apps for SharePoint           SharePoint Add-Ins
App Web                       Add-In Web
App Part                      Add-In Part
SharePoint App Model          SharePoint Add-In Model
Apps for Office               Office Add-Ins
Office App Model              Office Add-In Model
Agenda

- Man-in-the-Middle
- Cross Site Scripting
- Click Jacking
- Over Posting
- Cross Site Request Forgery
Man-in-the-Middle (MITM)

- An attack where communication between endpoints is intercepted.
- Primary defense
  - Secure Sockets Layer (SSL)
- SharePoint add-in vulnerabilities
  - OAuth tokens
  - Sensitive data
OAuth 2.0 Office 365 Actors

- Azure Web Site (Client)
- End User (Resource Owner)
- SharePoint Online (Resource Server)
- Azure Active Directory (Authorization Server)
OAuth 2 Bearer Tokens

- Access Token
  - A token passed to the Resource Server authorizing the Client to access resources
  - Short-lived
- Refresh Token
  - A token used to get an Access Token from the Authorization Server
  - Requires passing the ClientSecret
  - Long-lived
OAuth Tokens in Fiddler
Cross-Site Scripting (XSS)

- An attack where client-side script is injected into a page
  - Classically where a form is submitted and the values displayed in a subsequent page
- Primary defenses
  - ASP.NET request validation
  - Set AntiXSS as default encoder
  - Use "HTTP-only" cookies
- SharePoint add-in vulnerabilities
  - Disabling ASP.NET request validation
  - JavaScript encoding
Classic XSS

<script runat="server">
    // Vulnerable by design: the posted value is written back to the page without encoding
    protected void Button_Click(object sender, EventArgs e) {
        Label1.Text = TextBox1.Text;
    }
</script>
<form runat="server">
    <asp:TextBox ID="TextBox1" runat="server" />
    <asp:Button OnClick="Button_Click" runat="server" />
</form>
<asp:Label ID="Label1" runat="server" />
ASP.NET Request Validation

- Prevents the server from receiving unencoded HTML
  - Throws an error when unencoded HTML is detected
- Disabling request validation
  - ASP.NET Web Forms page: <%@ Page validateRequest="false" %>
  - ASP.NET MVC method attribute: [AllowHtml]
  - Application web.config: <pages validateRequest="false" />
- Encoding values in the application
  - Classically the HtmlEncode and HtmlDecode methods
  - Uses a "black list" method to encode only certain dangerous characters
Classic Cross-Site Scripting and cookies
AntiXSS Library

- Included in ASP.NET 4.5; the only encoder in ASP.NET 5
- Uses a "white list" approach based on intended use
  - HtmlEncode, CssEncode, JavaScriptStringEncode, etc.
  - Use for all external data, not just forms
- Can be set as the default for your application in web.config

<httpRuntime targetFramework="4.5"
             encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
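An added example, not from the deck: the white-list encoding idea written out in JavaScript, with one encoder per output context (HTML text and a JavaScript string literal) and the Classic XSS label rendered through it. The safe character sets and function names are assumptions modelled on the AntiXSS approach, not the library's own code.

```javascript
// Added example (not code from the deck): an AntiXSS-style "white list" encoder.
// A black-list encoder escapes a handful of characters; a white-list encoder keeps
// only characters known to be safe and encodes everything else, with one encoder per
// output context. The safe sets below are an assumption modelled on that approach.

const HTML_SAFE = /^[A-Za-z0-9 ,.\-_]$/;
const JS_SAFE = /^[A-Za-z0-9 ]$/;

// HTML body or attribute context: every non-safe character becomes a numeric entity.
// Iterates by code point so an astral character produces one valid entity.
function htmlEncode(input) {
  let out = "";
  for (const ch of String(input)) {
    out += HTML_SAFE.test(ch) ? ch : "&#" + ch.codePointAt(0) + ";";
  }
  return out;
}

// JavaScript string-literal context: \xHH or \uHHHH escapes, so the value can never
// close the surrounding quote or form a </script> tag. Iterates by UTF-16 code unit
// so a surrogate pair is emitted as two valid \u escapes.
function javaScriptStringEncode(input) {
  const s = String(input);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const cu = s.charCodeAt(i);
    const ch = s[i];
    if (JS_SAFE.test(ch)) out += ch;
    else if (cu < 0x100) out += "\\x" + cu.toString(16).padStart(2, "0");
    else out += "\\u" + cu.toString(16).padStart(4, "0");
  }
  return out;
}

// The "Classic XSS" label rendered safely: the posted value is encoded for the
// context it lands in (HTML text) instead of being copied straight into Label1.Text.
function renderLabel(postedText) {
  return "<span id=\"Label1\">" + htmlEncode(postedText) + "</span>";
}

// The same value dropped into an inline script block needs the JavaScript encoder.
function renderInlineScript(postedText) {
  return "<script>var name = '" + javaScriptStringEncode(postedText) + "';</script>";
}
```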
HTTP-Only Cookies

- A cookie only usable by the server
  - Mitigates damage when a cookie is stolen
- Set for all cookies in the application in web.config
  <httpCookies httpOnlyCookies="true" />
- Create an individual cookie on the server
  // HttpCookie takes the cookie name in its constructor (there is no parameterless one)
  HttpCookie myHttpOnlyCookie = new HttpCookie("MyHttpOnlyCookie");
  myHttpOnlyCookie.HttpOnly = true;   // script in the browser cannot read this cookie
  Response.AppendCookie(myHttpOnlyCookie);
Http-only cookies
Click Jacking

- An attack where a malicious DIV floats above the target site.
  - Show target site in an IFRAME
  - Float malicious DIV above it
- Primary defense
  - Emit the header "X-FRAME-OPTIONS" set to "DENY" or "SAMEORIGIN"
- SharePoint add-in vulnerabilities
  - Add-In Parts
  - General web vulnerability
X-FRAME-OPTIONS

- Prevents your content from being displayed in an IFRAME
  - DENY or SAMEORIGIN
- Return the header in code
  HttpContext.Current.Response.AddHeader("X-Frame-Options", "DENY");
- Add the code to Global.asax for the entire add-in
- Add the header in IIS for all add-ins
Click Jacking
Over Posting

- An attack where more data than required is POSTed.
  - User must have permissions to POST to the original source
  - User POSTs additional data that is contained in the data source
- Primary defense
  - Use ASP.NET view models with only required properties
  - Split SharePoint lists
- SharePoint add-in vulnerabilities
  - SharePoint APIs
  - Add-In-only privileges

Vulnerable SharePoint Lists
<FieldRef ID="{fa564e0f-0c70-4ab9-b863-0177e6ddd247}" Name="Title" />
<FieldRef ID="{4a722dd4-d406-4356-93f9-2550b8f50dd0}" Name="FirstName" />
<FieldRef ID="{fce16b4c-fe53-4793-aaab-b4892e736d15}" Name="Email" />
<FieldRef ID="{fd630629-c165-4513-b43c-fdb16b86a14d}" Name="WorkPhone" />
<FieldRef ID="{b09f3922-a268-4a30-81da-6564b00745ed}" Name="RaisePercentage" />
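An added example, not from the deck, of the view-model defense: server-side binding logic in JavaScript that copies only declared properties out of a POST, so a self-service form over the Employees list above can never write RaisePercentage. The view model, its validators and the binder's shape are assumptions, not the add-in's own code.

```javascript
// Added example (not code from the deck): server-side model binding with an explicit
// view model, the over-posting defense behind "Use ASP.NET view models". The column
// names come from the Employees list slide; the binder's shape is an assumption.

// A view model declares the only properties an employee self-service form may update.
// RaisePercentage is deliberately absent: it is a list column, but not a form input.
const EmployeeSelfServiceViewModel = {
  Title:     (v) => typeof v === "string" && v.length <= 255,
  FirstName: (v) => typeof v === "string" && v.length <= 255,
  Email:     (v) => typeof v === "string" && /^[^@\s]+@[^@\s]+$/.test(v),
  WorkPhone: (v) => typeof v === "string" && /^[0-9 +()-]{0,30}$/.test(v),
};

// Bind an untrusted POST body to the view model. Unknown properties are never copied
// (an extra RaisePercentage=50 is dropped, not written) and invalid ones are reported.
function bindViewModel(viewModel, posted) {
  const value = {};
  const overposted = [];
  const invalid = [];
  for (const key of Object.keys(posted)) {
    if (!Object.prototype.hasOwnProperty.call(viewModel, key)) {
      overposted.push(key);          // candidate over-post: worth logging on the server
    } else if (!viewModel[key](posted[key])) {
      invalid.push(key);
    } else {
      value[key] = posted[key];
    }
  }
  return { value, overposted, invalid, ok: invalid.length === 0 };
}

// Only the bound value becomes the list item update, so the REST body cannot carry a
// column the form was never allowed to set. listItemType is the SharePoint entity
// type name, e.g. "SP.Data.EmployeesListItem" (constructed for this example).
function toListItemUpdate(bound, listItemType) {
  if (!bound.ok) throw new Error("invalid fields: " + bound.invalid.join(", "));
  return Object.assign({ __metadata: { type: listItemType } }, bound.value);
}
```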
Over Posting
Cross-Site Request Forgery (CSRF)

- An attack where domain cookies are leveraged.
  - Link on malicious site invokes operation in your add-in
  - Cookies automatically posted back to the domain
- Primary defense
  - Implement an anti-forgery token
- SharePoint add-in vulnerabilities
  - APIs are protected by the RequestDigest token
  - ASP.NET Anti-Forgery Token

Request Digest Token
// appWebUrl and requestBody are set earlier on the page (not shown on the slide);
// the cross-domain SP.RequestExecutor targets the add-in web.
var executor = new SP.RequestExecutor(appWebUrl);
executor.executeAsync({
    url: appWebUrl + "/_api/web/lists/getbytitle('Employees')/items",
    method: "POST",
    body: requestBody,
    headers: {
        "content-type": "application/json",
        "accept": "application/json",
        "content-length": requestBody.length,
        // The digest the page received proves the call was not forged from another site
        "X-RequestDigest": jQuery("#__REQUESTDIGEST").val()
    },
    success: function (data) { /* item created */ },
    error: function (err) { /* handle the failure */ }
});
CSRF
Questions?
Thank you!