understanding sharepoint 2013 add-in security vulnerabilities scot hillier [email protected]...
TRANSCRIPT
Scot [email protected]@ScotHillier
Apologizing in advance
Out with the old… In with the new…
Apps for SharePoint SharePoint Add-Ins
App Web Add-In Web
App Part Add-In Part
SharePoint App Model SharePoint Add-In Model
Apps for Office Office Add-Ins
Office App Model Office Add-In Model
Agenda
Man-in-the-Middle Cross Site Scripting Click Jacking Over Posting Cross Site Request Forgery
Man-in-the-Middle (MITM)
An attack where communication between endpoints is intercepted. Primary defense
Secure Sockets Layer (SSL) SharePoint add-in vulnerabilities
OAuth tokens Sensitive data
OAuth 2.0 Office 365 Actors
6
End User(Resource Owner)
Azure Active Directory(Authorization Server)
Azure Web Site(Client)
SharePoint Online(Resource Server)
OAuth 2 Bearer Tokens
Access Token A token passed to the Resource Server authorizing the
Client to access resources Short-lived
Refresh Token A token used to get an Access Token from the Authorization
Server Requires passing the ClientSecret Long-lived
OAuth Tokens in Fiddler
Cross-Site Scripting (XSS) An attack where client-side script is injected into a page
Classically where a form is submitted and the values displayed in a subsequent page
Primary defenses ASP.NET request validation Set AntiXSS as default encoder Use “HTTP-only” cookies
SharePoint add-in vulnerabilities Disabling ASP.NET request validation JavaScript encoding
Classic XSS<script runat="server"> protected void Button_Click(object sender, EventArgs e){ Label1.Text = TextBox1.Text; }</script> <form runat="server"> <asp:TextBox id="TextBox1" runat="server"/> <asp:Button onclick="Button_Click" runat="server"/></form><asp:Label id="Label1" runat="server"/>
ASP.NET Request Validation
Prevents server from receiving unencoded HTML Throws an error when unecoded HTML is detected
Disabling request validation ASP.NET Web Forms page <%@ Page
validateRequest="false" %> ASP.NET MVC method attribute [AllowHtml] Application web.config <pages
validateRequest="false"/> Encoding values in application
Classically HtmlEncode and HtmlDecode methods Uses “black list” method to encode only certain dangerous
characters
Classic Cross-Site Scripting and cookies
AntiXSS Library
Included in ASP.NET 4.5 only encoder in ASP.NET 5 Uses a “white list” approach based on intended use
HtmlEncode, CSSEncode, JavaScriptStringEncode, etc Use for all external data, not just forms
Can be set as the default for your application in web.config
<httpRuntime targetFramework="4.5" encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
HTTP-Only Cookies
A cookie only usable by the server Mitigates damage when a cookie is stolen
Set for all cookies in application in web.config
Create an individual cookie on the server<httpCookies httpOnlyCookies="true"/>
HttpCookie myHttpOnlyCookie = new HttpCookie();myHttpOnlyCookie.HttpOnly = true; myHttpOnlyCookie.Name = "MyHttpOnlyCookie"; Response.AppendCookie(myHttpOnlyCookie);
Http-only cookies
Click Jacking
An attack where a malicious div floats above the target site. Show target site in IFRAME Float malicious DIV above it
Primary defense Emit the header "X-FRAME-OPTIONS“ set to "DENY" or
"SAMEORIGIN" SharePoint add-in vulnerabilities
Add-In Parts General web vulnerability
X-FRAME-OPTIONS
Prevents your content from being displayed in an IFRAME DENY or SAMEORIGIN
Return the header in code
Add code to Global.asax for entire add-in Add the header to IIS for all add-ins
HttpContext.Response.AddHeader("X-Frame-Options", "DENY");
Click Jacking
Over Posting
An attack where more data than required is POSTed. User must have permissions to POST to the original source User POSTs additional data that is contained in the data
source Primary defense
Use ASP.NET view models with only required properties Split SharePoint lists
SharePoint add-in vulnerabilities SharePoint APIs Add-In-only privileges
Vulnerable SharePoint Lists
<FieldRef ID="{fa564e0f-0c70-4ab9-b863-0177e6ddd247}" Name="Title" /><FieldRef ID="{4a722dd4-d406-4356-93f9-2550b8f50dd0}" Name="FirstName" /><FieldRef ID="{fce16b4c-fe53-4793-aaab-b4892e736d15}" Name="Email" /><FieldRef ID="{fd630629-c165-4513-b43c-fdb16b86a14d}" Name="WorkPhone" /><FieldRef ID="{b09f3922-a268-4a30-81da-6564b00745ed}" Name="RaisePercentage" />
Over Posting
Cross-Site Request Forgery (CSRF)
An attack where domain cookies are leveraged. Link on malicious site invokes operation in your add-in Cookies automatically posted back to the domain
Primary defense Implement an anti-forgery token
SharePoint add-in vulnerabilities APIs are protected by RequestDigest token ASP.NET Anti-Forgery Token
Request Digest Tokenexecutor.executeAsync({url: appWebUrl + "/_api/web/lists/getbytitle('Employees')/items", method: "POST", body: requestBody, headers: { "content-type": "application/json", "accept": "application/json", "content-length": requestBody.length, "X-RequestDigest": jQuery("#__REQUESTDIGEST").val() }
CSRF
Agenda
Man-in-the-Middle Cross Site Scripting Click Jacking Over Posting Cross Site Request Forgery
Questions?
Thank you!