Presentation is loading. Please wait.

Presentation is loading. Please wait.

Understanding SharePoint 2013 Add-In Security Vulnerabilities

Published byChristine Cameron Modified over 9 years ago

Similar presentations

Presentation on theme: "Understanding SharePoint 2013 Add-In Security Vulnerabilities"— Presentation transcript:

1 Understanding SharePoint 2013 Add-In Security Vulnerabilities
Scot Hillier @ScotHillier

2 Scot Hillier @ScotHillier

3 Apologizing in advance
Out with the old… In with the new… Apps for SharePoint SharePoint Add-Ins App Web Add-In Web App Part Add-In Part SharePoint App Model SharePoint Add-In Model Apps for Office Office Add-Ins Office App Model Office Add-In Model

4 Agenda Man-in-the-Middle Cross Site Scripting Click Jacking
Over Posting Cross Site Request Forgery

5 Man-in-the-Middle (MITM)
An attack where communication between endpoints is intercepted. Primary defense Secure Sockets Layer (SSL) SharePoint add-in vulnerabilities OAuth tokens Sensitive data

6 Azure Active Directory
OAuth 2.0 Office 365 Actors Azure Web Site (Client) End User (Resource Owner) Azure Active Directory (Authorization Server) SharePoint Online (Resource Server)

7 OAuth 2 Bearer Tokens Access Token Refresh Token
A token passed to the Resource Server authorizing the Client to access resources Short-lived Refresh Token A token used to get an Access Token from the Authorization Server Requires passing the ClientSecret Long-lived

8 OAuth Tokens in Fiddler

9 Cross-Site Scripting (XSS)
An attack where client-side script is injected into a page Classically where a form is submitted and the values displayed in a subsequent page Primary defenses ASP.NET request validation Set AntiXSS as default encoder Use “HTTP-only” cookies SharePoint add-in vulnerabilities Disabling ASP.NET request validation JavaScript encoding

10 Classic XSS <script runat="server">
    protected void Button_Click(object sender, EventArgs e){         Label1.Text = TextBox1.Text;     } </script> <form runat="server">     <asp:TextBox id="TextBox1" runat="server"/>     <asp:Button onclick="Button_Click" runat="server"/> </form> <asp:Label id="Label1" runat="server"/>

11 ASP.NET Request Validation
Prevents server from receiving unencoded HTML Throws an error when unecoded HTML is detected Disabling request validation ASP.NET Web Forms page Page validateRequest="false" %> ASP.NET MVC method attribute [AllowHtml] Application web.config <pages validateRequest="false"/> Encoding values in application Classically HtmlEncode and HtmlDecode methods Uses “black list” method to encode only certain dangerous characters

12 Classic Cross-Site Scripting and cookies

13 AntiXSS Library Included in ASP.NET 4.5 only encoder in ASP.NET 5
Uses a “white list” approach based on intended use HtmlEncode, CSSEncode, JavaScriptStringEncode, etc Use for all external data, not just forms Can be set as the default for your application in web.config <httpRuntime targetFramework="4.5"  encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web,   Version= ,  Culture=neutral,  PublicKeyToken=b03f5f7f11d50a3a" />

14 HTTP-Only Cookies A cookie only usable by the server
Mitigates damage when a cookie is stolen Set for all cookies in application in web.config Create an individual cookie on the server <httpCookies httpOnlyCookies="true"/> HttpCookie myHttpOnlyCookie = new HttpCookie(); myHttpOnlyCookie.HttpOnly = true; myHttpOnlyCookie.Name = "MyHttpOnlyCookie"; Response.AppendCookie(myHttpOnlyCookie);

15 Http-only cookies

16 Click Jacking An attack where a malicious div floats above the target site. Show target site in IFRAME Float malicious DIV above it Primary defense Emit the header "X-FRAME-OPTIONS“ set to "DENY" or "SAMEORIGIN" SharePoint add-in vulnerabilities Add-In Parts General web vulnerability

17 X-FRAME-OPTIONS Prevents your content from being displayed in an IFRAME DENY or SAMEORIGIN Return the header in code Add code to Global.asax for entire add-in Add the header to IIS for all add-ins HttpContext.Response.AddHeader("X-Frame-Options", "DENY");

18 Click Jacking

19 Over Posting An attack where more data than required is POSTed.
User must have permissions to POST to the original source User POSTs additional data that is contained in the data source Primary defense Use ASP.NET view models with only required properties Split SharePoint lists SharePoint add-in vulnerabilities SharePoint APIs Add-In-only privileges

20 Vulnerable SharePoint Lists
<FieldRef ID="{fa564e0f-0c70-4ab9-b e6ddd247}" Name="Title" /> <FieldRef ID="{4a722dd4-d f9-2550b8f50dd0}" Name="FirstName" /> <FieldRef ID="{fce16b4c-fe aaab-b4892e736d15}" Name=" " /> <FieldRef ID="{fd c b43c-fdb16b86a14d}" Name="WorkPhone" /> <FieldRef ID="{b09f3922-a268-4a30-81da-6564b00745ed}" Name="RaisePercentage" />

21 Over Posting

22 Cross-Site Request Forgery (CSRF)
An attack where domain cookies are leveraged. Link on malicious site invokes operation in your add-in Cookies automatically posted back to the domain Primary defense Implement an anti-forgery token SharePoint add-in vulnerabilities APIs are protected by RequestDigest token ASP.NET Anti-Forgery Token

23 Request Digest Token executor.executeAsync({
url: appWebUrl + "/_api/web/lists/getbytitle('Employees')/items",     method: "POST",     body: requestBody,     headers: {         "content-type": "application/json",         "accept": "application/json",         "content-length": requestBody.length,         "X-RequestDigest": jQuery("#__REQUESTDIGEST").val() }

24 CSRF

25 Agenda Man-in-the-Middle Cross Site Scripting Click Jacking
Over Posting Cross Site Request Forgery

26 Questions? Thank you!

Download ppt "Understanding SharePoint 2013 Add-In Security Vulnerabilities"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Microsoft ® Official Course Developing Remote-hosted Apps for SharePoint Microsoft SharePoint 2013 SharePoint Practice.

Microsoft ® Official Course Developing Remote-hosted Apps for SharePoint Microsoft SharePoint 2013 SharePoint Practice.
Migrating Full-Trust Solutions to the Cloud Scot

Migrating Full-Trust Solutions to the Cloud Scot
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
SPC204 Security Problems in SharePoint 2010 Authentication and Authorization.

SPC204 Security Problems in SharePoint 2010 Authentication and Authorization.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Session 11: Security with ASP.NET

Session 11: Security with ASP.NET
HTTP and Server Security James Walden Northern Kentucky University.

HTTP and Server Security James Walden Northern Kentucky University.

Similar presentations

Ads by Google