This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Research for SharePoint (MOSS)"

From OWASP
Jump to: navigation, search
(Added SharePoint Enumerator (Professionally Evil))
m (Added tool: McAfee Network Discovery for Microsoft SharePoint)
 
(One intermediate revision by the same user not shown)
Line 15: Line 15:
 
* [http://www.cmswire.com/cms/enterprise-cms/sharepoint-security-concerns-simply-a-lack-of-governance-003551.php SharePoint Security Concerns Simply a Lack of Governance?]
 
* [http://www.cmswire.com/cms/enterprise-cms/sharepoint-security-concerns-simply-a-lack-of-governance-003551.php SharePoint Security Concerns Simply a Lack of Governance?]
 
* [http://www.cmswire.com/cms/enterprise-cms/governance-key-for-sharepoint-implementations-003123.php Governance Key for SharePoint Implementations]
 
* [http://www.cmswire.com/cms/enterprise-cms/governance-key-for-sharepoint-implementations-003123.php Governance Key for SharePoint Implementations]
 +
* [http://www.bishopfox.com/files/articles/2012/Information%20Security%20Magazine%20JulyAug2012-SharePoint.pdf SearchSecurity – Securing SharePoint: SharePoint security best practices] - Information Security Magazine July/Aug2012 - Volume 14 - Locking Down Sharepoint - Businesses love Microsoft’s collaboration software but can forget to secure it.
  
 
==== Presentations ====
 
==== Presentations ====
* HackCon 2011 - Oslo, Norway - February 16, 2011 : [http://www.stachliu.com/wp-content/uploads/2011/03/HackCon%202011%20-%20SharePoint%20Security%20-%20Feb2011.pdf SharePoint Security: Advanced SharePoint Security Tips and Tools]
+
* Bishop Fox - HackCon 2011 - Oslo, Norway - February 16, 2011 : [http://www.bishopfox.com/files/slides/2011/HackCon%202011%20-%20SharePoint%20Security%20-%20Feb2011.pdf SharePoint Security: Advanced SharePoint Security Tips and Tools]
 
* OWASP Houston Chapter - August 12, 2009 :  [http://owasp.icrew.org/downloads/OWASP_ShohnTrojacek.pdf SharePoint Auditing and Penetration Testing] Presentation by:  Shohn Trojacek
 
* OWASP Houston Chapter - August 12, 2009 :  [http://owasp.icrew.org/downloads/OWASP_ShohnTrojacek.pdf SharePoint Auditing and Penetration Testing] Presentation by:  Shohn Trojacek
 
* from Denim group:
 
* from Denim group:
Line 69: Line 70:
 
* [http://sparty.secniche.org/ Sparty] - MS Sharepoint and Frontpage Auditing Tool
 
* [http://sparty.secniche.org/ Sparty] - MS Sharepoint and Frontpage Auditing Tool
 
* [https://github.com/toddsiegel/spscan SPScan] - SharePoint scanner and fingerprinter based on WPScan
 
* [https://github.com/toddsiegel/spscan SPScan] - SharePoint scanner and fingerprinter based on WPScan
* [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/ Stach & Liu's SharePoint Hacking Diggity Project] - SharePoint hacking tools project page.  Currently includes such hacking tools as:
+
* [http://www.mcafee.com/us/downloads/free-tools/sharepoint-discovery.aspx McAfee Network Discovery for Microsoft SharePoint]
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20-%20GoogleDiggity%20Dictionary%20File SharePoint – GoogleDiggity Dictionary File] - New GoogleDiggity input dictionary file containing 118 queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Google search engine. This dictionary helps assessors locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google.
+
* [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/ Bishop Fox - SharePoint Hacking Diggity Project] - SharePoint hacking tools project page.  Currently includes such hacking tools as:
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePointURLBrute SharePointURLBrute] - SharePointURLBrute is a new SharePoint hacking utility developed to help assessors quickly test user access to 99 common SharePoint administrative pages (e.g. “Add Users” page -> /_layouts/aclinv.aspx) by automating forceful browsing attacks.
+
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#google-and-bing-hacking-dictionary-files SharePoint – Google and Bing Diggity Dictionary Files] - New GoogleDiggity input dictionary file containing 121 queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Google search engine. This dictionary helps assessors locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google.  Recently, we’ve also created a Bing hacking dictionary (124 Bing queries) that can be imported into BingDiggity and used to identify SharePoint exposures as well.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20UserDispEnum SharePoint UserDispEnum] - UserDispEnum is a new SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can be easily extracted from the SharePoint user profiles.
+
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepoint-hacking-alerts-for-google-and-bing SharePoint Hacking Alerts for Google and Bing] - SharePoint Hacking Alerts provide real-time vulnerability updates from both the Google and Bing search engines.  These convenient RSS feeds help locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google and Bing.  [http://www.google.com/alerts Google Alerts] have been created for all SharePoint related search strings, which generate a new alert each time newly indexed pages by Google match one of those regular expressions.  Microsoft Bing’s &format=rss directive was used to turn Bing searches into RSS feeds.
** [http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/#SharePoint%20DLP%20Tools SharePoint DLP Tools] - COMING SOON – Stach & Liu data loss prevention (DLP) tools for Microsoft SharePoint. SharePoint DLP Tools utilize administrative web services to help automate the searching of SharePoint files and lists for SSNs, credit card numbers, passwords, and other common information disclosures.
+
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepointurlbrute SharePointURLBrute] - SharePointURLBrute is a new SharePoint hacking utility developed to help assessors quickly test user access to 101 common SharePoint administrative pages (e.g. “Add Users” page -> /_layouts/aclinv.aspx) by automating forceful browsing attacks.
 +
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepoint-userdispenum SharePoint UserDispEnum] - UserDispEnum is a new SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can be easily extracted from the SharePoint user profiles.  For real, live examples of SharePoint site deployments insecurely exposing this functionality to anonymous users on the Internet, see Google results of: “http://www.google.com/#q=inurl:”/_layouts/userdisp.aspx”. Users can leverage [http://www.bishopfox.com/resources/tools/google-hacking-diggity/ Bishop Fox’s GoogleDiggity hacking tools] to identify these exposures within their own organization, and then employ the UserDispEnum tool to exploit them during penetration tests.
 +
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepoint-dlp-tools SharePoint DLP Tools] - COMING SOON – Bishop Fox's data loss prevention (DLP) tools for Microsoft SharePoint. SharePoint DLP Tools utilize administrative web services to help automate the searching of SharePoint files and lists for SSNs, credit card numbers, passwords, and other common information disclosures.
  
  
Line 79: Line 82:
 
* '''2008'''
 
* '''2008'''
 
** [http://www.youtube.com/watch?v=DYudvh9cfZM hak5 - Episode 407 - Toorcon 2008: Robin Wood, Dan Griffin] - see 11:10 minute mark in video for interview with Dan Griffin about SharePoint Hacking.
 
** [http://www.youtube.com/watch?v=DYudvh9cfZM hak5 - Episode 407 - Toorcon 2008: Robin Wood, Dan Griffin] - see 11:10 minute mark in video for interview with Dan Griffin about SharePoint Hacking.
 +
* '''2012'''
 +
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/presentation-slides/ Bishop Fox - SharePoint Hacking Diggity Project - Presentations]:
 +
*** OWASP L.A. 2012 - Los Angeles, CA - February 22, 2012 : [http://www.bishopfox.com/files/slides/2012/OWASP%20LA%20-%20SharePoint%20Hacking%20-%2022Feb2012.pdf SharePoint Hacking: Advanced SharePoint Security Tips and Tools]
 
* '''2013'''
 
* '''2013'''
 
** [http://www.youtube.com/watch?feature=player_embedded&v=AAObW2fcB_s TMI: Assessing and Exploiting SharePoint at DerbyCon 3.0]
 
** [http://www.youtube.com/watch?feature=player_embedded&v=AAObW2fcB_s TMI: Assessing and Exploiting SharePoint at DerbyCon 3.0]

Latest revision as of 12:28, 24 November 2014

This page contains research notes on Microsoft's SharePoint MOSS and WSS

Resources

Microsoft resources

Other Resources and Documentation

Presentations

Other interesting resources

Other Blogs and Articles

Security related technical articles


Published Security issues

SharePoint related vulnerabilities and its status


MOSS Security related WebParts, Tools & services

Open Source

Commercially Supported

Dangerous MOSS APIs

Map the security implications of MOSS APIs, for example:

  • which APIs (if badly used)are vulnerable to: XSS, CSRF, SQL Injection
  • configuration settings that have security implications


SharePoint Hacking

SharePoint Hacking Tools

  • SharePoint Enumerator | Professionally Evil - This is a collection of 4 modules that help enumerate the SharePoint server the victim is connected to.
  • Sparty - MS Sharepoint and Frontpage Auditing Tool
  • SPScan - SharePoint scanner and fingerprinter based on WPScan
  • McAfee Network Discovery for Microsoft SharePoint
  • Bishop Fox - SharePoint Hacking Diggity Project - SharePoint hacking tools project page. Currently includes such hacking tools as:
    • SharePoint – Google and Bing Diggity Dictionary Files - New GoogleDiggity input dictionary file containing 121 queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Google search engine. This dictionary helps assessors locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google. Recently, we’ve also created a Bing hacking dictionary (124 Bing queries) that can be imported into BingDiggity and used to identify SharePoint exposures as well.
    • SharePoint Hacking Alerts for Google and Bing - SharePoint Hacking Alerts provide real-time vulnerability updates from both the Google and Bing search engines. These convenient RSS feeds help locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google and Bing. Google Alerts have been created for all SharePoint related search strings, which generate a new alert each time newly indexed pages by Google match one of those regular expressions. Microsoft Bing’s &format=rss directive was used to turn Bing searches into RSS feeds.
    • SharePointURLBrute - SharePointURLBrute is a new SharePoint hacking utility developed to help assessors quickly test user access to 101 common SharePoint administrative pages (e.g. “Add Users” page -> /_layouts/aclinv.aspx) by automating forceful browsing attacks.
    • SharePoint UserDispEnum - UserDispEnum is a new SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can be easily extracted from the SharePoint user profiles. For real, live examples of SharePoint site deployments insecurely exposing this functionality to anonymous users on the Internet, see Google results of: “http://www.google.com/#q=inurl:”/_layouts/userdisp.aspx”. Users can leverage Bishop Fox’s GoogleDiggity hacking tools to identify these exposures within their own organization, and then employ the UserDispEnum tool to exploit them during penetration tests.
    • SharePoint DLP Tools - COMING SOON – Bishop Fox's data loss prevention (DLP) tools for Microsoft SharePoint. SharePoint DLP Tools utilize administrative web services to help automate the searching of SharePoint files and lists for SSNs, credit card numbers, passwords, and other common information disclosures.


SharePoint Hacking Presentations


WebParts Security

  • Security ratings & mappings of MOSS Deployed Web Parts
  • Security ratings & mappings of 3rd Part Web Parts