Upload: christine-cameron

Post on 24-Dec-2015

217 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Understanding SharePoint 2013 Add-In Security Vulnerabilities Scot Hillier scot@scothillier.net @ScotHillier

Understanding SharePoint 2013 Add-In Security Vulnerabilities

Scot Hillier, scot@scothillier.net

@ScotHillier


Page 3

Apologizing in advance

Out with the old… -> In with the new…
Apps for SharePoint -> SharePoint Add-Ins
App Web -> Add-In Web
App Part -> Add-In Part
SharePoint App Model -> SharePoint Add-In Model
Apps for Office -> Office Add-Ins
Office App Model -> Office Add-In Model

Page 4

Agenda
- Man-in-the-Middle
- Cross-Site Scripting
- Click Jacking
- Over Posting
- Cross-Site Request Forgery

Page 5

Man-in-the-Middle (MITM)

An attack where communication between endpoints is intercepted.

Primary defense:
- Secure Sockets Layer (SSL)

SharePoint add-in vulnerabilities:
- OAuth tokens
- Sensitive data

Page 6

OAuth 2.0 Office 365 Actors
- End User (Resource Owner)
- Azure Active Directory (Authorization Server)
- Azure Web Site (Client)
- SharePoint Online (Resource Server)

Page 7

OAuth 2 Bearer Tokens

Access Token
- A token passed to the Resource Server authorizing the Client to access resources
- Short-lived

Refresh Token
- A token used to get an Access Token from the Authorization Server
- Requires passing the ClientSecret
- Long-lived

Page 8

OAuth Tokens in Fiddler

Page 9

Cross-Site Scripting (XSS)

An attack where client-side script is injected into a page. Classically, a form is submitted and the submitted values are displayed in a subsequent page.

Primary defenses:
- ASP.NET request validation
- Set AntiXSS as the default encoder
- Use “HTTP-only” cookies

SharePoint add-in vulnerabilities:
- Disabling ASP.NET request validation
- JavaScript encoding

Page 10

Classic XSS

<script runat="server">
    protected void Button_Click(object sender, EventArgs e)
    {
        // The posted value is written back into the page without encoding
        Label1.Text = TextBox1.Text;
    }
</script>
<form runat="server">
    <asp:TextBox id="TextBox1" runat="server"/>
    <asp:Button onclick="Button_Click" runat="server"/>
</form>
<asp:Label id="Label1" runat="server"/>

Page 11

ASP.NET Request Validation

Prevents the server from receiving unencoded HTML; throws an error when unencoded HTML is detected.

Disabling request validation:
- ASP.NET Web Forms page: <%@ Page validateRequest="false" %>
- ASP.NET MVC method attribute: [AllowHtml]
- Application web.config: <pages validateRequest="false"/>

Encoding values in the application:
- Classically the HtmlEncode and HtmlDecode methods
- Uses a “black list” method to encode only certain dangerous characters

Page 12

Classic Cross-Site Scripting and cookies

Page 13

AntiXSS Library

- Included in ASP.NET 4.5; the only encoder in ASP.NET 5
- Uses a “white list” approach based on intended use: HtmlEncode, CssEncode, JavaScriptStringEncode, etc.
- Use for all external data, not just forms
- Can be set as the default encoder for your application in web.config:

<httpRuntime targetFramework="4.5"
             encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
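As an added example (not code from the deck or from the AntiXSS library), a block-list encoder in the style of the classic HtmlEncode next to allow-list encoders in the AntiXSS style; the allow-lists are this example's own choices, not the library's exact tables.

```javascript
// Added illustration: "black list" versus "white list" output encoding.

// Classic approach: encode only a short list of known-dangerous characters.
// Anything not on the list (for example the apostrophe) passes through.
function htmlEncodeBlockList(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return String(value).replace(/[&<>"]/g, (c) => map[c]);
}

// AntiXSS-style approach: pass through only characters known to be safe in
// HTML text and encode everything else as a numeric entity.
const HTML_SAFE = /^[A-Za-z0-9 .,\-_]$/; // this example's allow-list
function htmlEncodeAllowList(value) {
  let out = "";
  for (const ch of String(value)) {
    out += HTML_SAFE.test(ch) ? ch : `&#${ch.codePointAt(0)};`;
  }
  return out;
}

// Context matters: data placed inside a JavaScript string literal needs
// JavaScript escaping, not HTML encoding (AntiXSS offers JavaScriptStringEncode
// for this; the routine below is the same idea in this example's own form).
const JS_SAFE = /^[A-Za-z0-9 ]$/; // this example's allow-list
function javaScriptStringEncode(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += JS_SAFE.test(s[i])
      ? s[i]
      : "\\u" + s.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}
```

The apostrophe surviving the block-list encoder is the kind of gap that matters once the value is dropped into an attribute or script, which is why the deck recommends AntiXSS as the default.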

Page 14

HTTP-Only Cookies

- A cookie only usable by the server
- Mitigates damage when a cookie is stolen

Set for all cookies in the application in web.config:

<httpCookies httpOnlyCookies="true"/>

Create an individual cookie on the server:

// HttpCookie has no parameterless constructor; the name is passed in
HttpCookie myHttpOnlyCookie = new HttpCookie("MyHttpOnlyCookie");
myHttpOnlyCookie.HttpOnly = true;   // not readable from client-side script
Response.AppendCookie(myHttpOnlyCookie);

Page 15

Http-only cookies

Page 16

Click Jacking

An attack where a malicious DIV floats above the target site:
- Show the target site in an IFRAME
- Float a malicious DIV above it

Primary defense:
- Emit the header "X-FRAME-OPTIONS" set to "DENY" or "SAMEORIGIN"

SharePoint add-in vulnerabilities:
- Add-In Parts
- General web vulnerability

Page 17

X-FRAME-OPTIONS

- Prevents your content from being displayed in an IFRAME
- DENY or SAMEORIGIN
- Return the header in code
- Add code to Global.asax for the entire add-in
- Add the header in IIS for all add-ins

// Global.asax: the header is added to every response the add-in sends
protected void Application_BeginRequest(object sender, EventArgs e)
{
    Context.Response.AddHeader("X-Frame-Options", "DENY");
}
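As an added example (not code from the deck), the browser-side decision the header drives, and the caveat it creates for add-in parts: an add-in part page is framed by the SharePoint host page, which is on a different origin from the add-in, so DENY or SAMEORIGIN on that page blocks the part itself. Origins and paths are constructed for the example; the treatment of an unrecognized header value as "no protection" is an assumption.

```javascript
// Added illustration: X-Frame-Options enforcement and a per-page policy.

// Mirror the browser's decision: may a document from pageOrigin be shown
// in an IFRAME whose top-level page is at topOrigin, given the header value?
function framingAllowed(xFrameOptions, pageOrigin, topOrigin) {
  const value = (xFrameOptions || "").trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") return pageOrigin === topOrigin;
  // No header, or a value the browser does not recognize: no protection
  // (assumed behaviour for this example).
  return true;
}

// Policy for an add-in: pages that are add-in parts must be frameable by the
// SharePoint host page (a different origin), so they cannot carry DENY or
// SAMEORIGIN. Every other page of the add-in refuses framing.
function xFrameOptionsFor(path, addInPartPaths) {
  return addInPartPaths.includes(path) ? null : "DENY";
}

// Constructed sample: one part page, one ordinary page.
const ADD_IN_PART_PAGES = ["/Pages/EmployeePart.aspx"];
const ADD_IN_ORIGIN = "https://contoso-addin.example";      // constructed
const HOST_ORIGIN = "https://contoso.sharepoint.example";    // constructed

// Decide whether a page would render inside the host page's IFRAME.
function partRendersInHost(path) {
  const header = xFrameOptionsFor(path, ADD_IN_PART_PAGES);
  return framingAllowed(header, ADD_IN_ORIGIN, HOST_ORIGIN);
}
```

The ordinary pages get DENY; the part page gets no X-Frame-Options at all, which is exactly the slide's point that add-in parts are where the general click-jacking defense cannot simply be switched on.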

Page 18

Click Jacking

Page 19

Over Posting

An attack where more data than required is POSTed:
- The user must have permission to POST to the original source
- The user POSTs additional data that is contained in the data source

Primary defense:
- Use ASP.NET view models with only the required properties
- Split SharePoint lists

SharePoint add-in vulnerabilities:
- SharePoint APIs
- Add-In-only privileges

Page 20

Vulnerable SharePoint Lists

<FieldRef ID="{fa564e0f-0c70-4ab9-b863-0177e6ddd247}" Name="Title" />
<FieldRef ID="{4a722dd4-d406-4356-93f9-2550b8f50dd0}" Name="FirstName" />
<FieldRef ID="{fce16b4c-fe53-4793-aaab-b4892e736d15}" Name="Email" />
<FieldRef ID="{fd630629-c165-4513-b43c-fdb16b86a14d}" Name="WorkPhone" />
<FieldRef ID="{b09f3922-a268-4a30-81da-6564b00745ed}" Name="RaisePercentage" />
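As an added example (not code from the deck), the view-model defense applied to this Employees list: the add-in copies only the fields a user may set before it writes the item with its own add-in-only privileges, so a RaisePercentage value smuggled into the POST never reaches the list. The list item type name "SP.Data.EmployeesListItem" follows the SP.Data.<ListName>ListItem convention and is an assumption; the posted form is constructed.

```javascript
// Added illustration: allow-list view model for the Employees list POST.

// Only the fields an employee may edit about themselves. RaisePercentage
// lives in the same list but must never be taken from the user's POST.
const EMPLOYEE_VIEW_MODEL = ["Title", "FirstName", "Email", "WorkPhone"];

// Copy allow-listed properties only; report what was dropped for logging.
function applyViewModel(posted, allowedFields) {
  const item = {};
  const rejected = [];
  for (const key of Object.keys(posted)) {
    if (allowedFields.includes(key)) item[key] = posted[key];
    else rejected.push(key);
  }
  return { item, rejected };
}

// Build the JSON body for POST .../_api/web/lists/getbytitle('Employees')/items.
// The type name is assumed; confirm it against the list's
// ListItemEntityTypeFullName property in a real deployment.
function buildEmployeeRequestBody(posted) {
  const { item, rejected } = applyViewModel(posted, EMPLOYEE_VIEW_MODEL);
  const body = JSON.stringify({
    __metadata: { type: "SP.Data.EmployeesListItem" },
    ...item,
  });
  return { body, rejected };
}

// Constructed sample: the form carries a field the user must not set.
const postedForm = {
  Title: "Employee",
  FirstName: "Sam",
  Email: "sam@example.com",
  WorkPhone: "555-0100",
  RaisePercentage: 50,
};
```

Splitting the list (the deck's other defense) removes the field from reach entirely; the view model is what protects you when the fields must stay together.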

Page 21

Over Posting

Page 22

Cross-Site Request Forgery (CSRF)

An attack where domain cookies are leveraged:
- A link on a malicious site invokes an operation in your add-in
- Cookies are automatically posted back to the domain

Primary defense:
- Implement an anti-forgery token

SharePoint add-in vulnerabilities:
- APIs are protected by the RequestDigest token
- ASP.NET Anti-Forgery Token

Page 23

Request Digest Token

executor.executeAsync({
    url: appWebUrl + "/_api/web/lists/getbytitle('Employees')/items",
    method: "POST",
    body: requestBody,
    headers: {
        "content-type": "application/json",
        "accept": "application/json",
        "content-length": requestBody.length,
        // Digest read from the page's hidden field; SharePoint rejects
        // the POST when this header is missing or stale
        "X-RequestDigest": jQuery("#__REQUESTDIGEST").val()
    }
});

Page 24

CSRF

Page 25

Agenda
- Man-in-the-Middle
- Cross-Site Scripting
- Click Jacking
- Over Posting
- Cross-Site Request Forgery

Page 26

Questions?

Thank you!