Understanding SharePoint 2013 Add-In Security Vulnerabilities Scot Hillier scot@scothillier.net @ScotHillier

Scot Hillier scot@scothillier.net @ScotHillier

Apologizing in advance Out with the old… In with the new… Apps for SharePoint SharePoint Add-Ins App Web Add-In Web App Part Add-In Part SharePoint App Model SharePoint Add-In Model Apps for Office Office Add-Ins Office App Model Office Add-In Model

Agenda Man-in-the-Middle Cross Site Scripting Click Jacking Over Posting Cross Site Request Forgery

Man-in-the-Middle (MITM) An attack where communication between endpoints is intercepted. Primary defense Secure Sockets Layer (SSL) SharePoint add-in vulnerabilities OAuth tokens Sensitive data

Azure Active Directory OAuth 2.0 Office 365 Actors Azure Web Site (Client) End User (Resource Owner) Azure Active Directory (Authorization Server) SharePoint Online (Resource Server)

OAuth 2 Bearer Tokens Access Token Refresh Token A token passed to the Resource Server authorizing the Client to access resources Short-lived Refresh Token A token used to get an Access Token from the Authorization Server Requires passing the ClientSecret Long-lived

OAuth Tokens in Fiddler

Cross-Site Scripting (XSS) An attack where client-side script is injected into a page Classically where a form is submitted and the values displayed in a subsequent page Primary defenses ASP.NET request validation Set AntiXSS as default encoder Use “HTTP-only” cookies SharePoint add-in vulnerabilities Disabling ASP.NET request validation JavaScript encoding

Classic XSS <script runat="server">     protected void Button_Click(object sender, EventArgs e){         Label1.Text = TextBox1.Text;     } </script> <form runat="server">     <asp:TextBox id="TextBox1" runat="server"/>     <asp:Button onclick="Button_Click" runat="server"/> </form> <asp:Label id="Label1" runat="server"/>

ASP.NET Request Validation Prevents server from receiving unencoded HTML Throws an error when unecoded HTML is detected Disabling request validation ASP.NET Web Forms page <%@ Page validateRequest="false" %> ASP.NET MVC method attribute [AllowHtml] Application web.config <pages validateRequest="false"/> Encoding values in application Classically HtmlEncode and HtmlDecode methods Uses “black list” method to encode only certain dangerous characters

Classic Cross-Site Scripting and cookies

AntiXSS Library Included in ASP.NET 4.5 only encoder in ASP.NET 5 Uses a “white list” approach based on intended use HtmlEncode, CSSEncode, JavaScriptStringEncode, etc Use for all external data, not just forms Can be set as the default for your application in web.config <httpRuntime targetFramework="4.5"  encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web,   Version=4.0.0.0,  Culture=neutral,  PublicKeyToken=b03f5f7f11d50a3a" />

HTTP-Only Cookies A cookie only usable by the server Mitigates damage when a cookie is stolen Set for all cookies in application in web.config Create an individual cookie on the server <httpCookies httpOnlyCookies="true"/> HttpCookie myHttpOnlyCookie = new HttpCookie(); myHttpOnlyCookie.HttpOnly = true; myHttpOnlyCookie.Name = "MyHttpOnlyCookie"; Response.AppendCookie(myHttpOnlyCookie);

Http-only cookies

Click Jacking An attack where a malicious div floats above the target site. Show target site in IFRAME Float malicious DIV above it Primary defense Emit the header "X-FRAME-OPTIONS“ set to "DENY" or "SAMEORIGIN" SharePoint add-in vulnerabilities Add-In Parts General web vulnerability

X-FRAME-OPTIONS Prevents your content from being displayed in an IFRAME DENY or SAMEORIGIN Return the header in code Add code to Global.asax for entire add-in Add the header to IIS for all add-ins HttpContext.Response.AddHeader("X-Frame-Options", "DENY");

Click Jacking

Over Posting An attack where more data than required is POSTed. User must have permissions to POST to the original source User POSTs additional data that is contained in the data source Primary defense Use ASP.NET view models with only required properties Split SharePoint lists SharePoint add-in vulnerabilities SharePoint APIs Add-In-only privileges

Vulnerable SharePoint Lists <FieldRef ID="{fa564e0f-0c70-4ab9-b863-0177e6ddd247}" Name="Title" /> <FieldRef ID="{4a722dd4-d406-4356-93f9-2550b8f50dd0}" Name="FirstName" /> <FieldRef ID="{fce16b4c-fe53-4793-aaab-b4892e736d15}" Name="Email" /> <FieldRef ID="{fd630629-c165-4513-b43c-fdb16b86a14d}" Name="WorkPhone" /> <FieldRef ID="{b09f3922-a268-4a30-81da-6564b00745ed}" Name="RaisePercentage" />

Over Posting

Cross-Site Request Forgery (CSRF) An attack where domain cookies are leveraged. Link on malicious site invokes operation in your add-in Cookies automatically posted back to the domain Primary defense Implement an anti-forgery token SharePoint add-in vulnerabilities APIs are protected by RequestDigest token ASP.NET Anti-Forgery Token

Request Digest Token executor.executeAsync({ url: appWebUrl + "/_api/web/lists/getbytitle('Employees')/items",     method: "POST",     body: requestBody,     headers: {         "content-type": "application/json",         "accept": "application/json",         "content-length": requestBody.length,         "X-RequestDigest": jQuery("#__REQUESTDIGEST").val() }

CSRF

Agenda Man-in-the-Middle Cross Site Scripting Click Jacking Over Posting Cross Site Request Forgery

Questions? Thank you!