OWASP Security in SharePoint

OWASP stands for “Open Web Application Security Project”. This article will list all the possible threats or risks which a SharePoint server can have and their preventive measures.

Most of these threats and their preventive measures are available in the internet but here I have tried to put them together in one place.

Risk 1 – Injection

Threat: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Prevention: Use SharePoint safe API such as list and libraries, user profile service and business data connectivity, and this will avoid direct connection to SQL databases and LDAP. For custom components, use CAML Queries that will interact with SQL Database as an interpreter and will not be directly queried to the SQL server.

Risk 2 – Cross-Site Scripting (XSS)

Threat: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser that can hijack user sessions, deface web sites or redirect the user to other malicious sites.

Prevention: Properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed using HTML Escape before Inserting Untrusted Data into HTML Element Content or HTML encode/decode utility of SharePoint. Along with this, use positive or “whitelist” input validation as it helps in protecting against XSS. Take into consideration the Content Security Policy (CSP) to defend against XSS across the site.

Risk 3 – Broken Authentication and Session Management

Threat: Application functions related to authentication and session management are often not implemented correctly thereby allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.

Prevention: Use claimed based authentication and default SharePoint Session management to meet the authentication and session management requirements defined in OWASP’s Application Security Verification Standard areas V2 (Authentication) and V3 (Session Management).

Risk 4 – Insecure Direct Object References

Threat: A direct object reference occurs when a reference is exposed to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

Prevention: For preventing the insecure direct object references, use the SharePoint security permission level as mentioned below:

  • Check access. – Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.

Risk 5 – Cross-Site Request Forgery (CSRF)

Threat: A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.

Prevention: For preventing the Cross site Request Forgery; follow the steps mentioned below:

  • SharePoint will implement Form Digest control on each custom page.
  • Send the query (i.e. AllowUnsafeUpdates property will be set to true while updating objects) with every post back or web service request
  • Validate the query before acting on the post back or web service request

Risk 7 – Insecure Cryptographic Storage

Threat: Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

Prevention: To prevent Insecure Cryptographic storage, follow the steps mentioned below:

  • Identify all sensitive data and encrypt it even when it is stored on a hard drive.
  • Ensure that sensitive data cannot be overwritten.
  • Keep secrets such as proprietary algorithms, encryption keys even from the administrator.
  • Identify sensitive data read into memory, overwrite it with random data and use strong encryption to safeguard it.

Risk 8 – Failure to Restrict URL Access

Threat: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

Prevention: To prevent Failure to Restrict URL Access, use appropriate permissions or Access Control settings to disallow anonymous reading. Do not allow read permissions of any sensitive data files to anonymous web visitor user. SharePoint will define/configure the list of file types available for remote reading on the server.

Risk 9 – Insufficient Transport Layer Protection

Threat: Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

Prevention: Identify all components and the versions that are being used and consider all the dependencies. Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up to date. Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses. Consider adding security wrappers around components to disable unused functionality and/ or secure weak or vulnerable aspects of the component.

Risk 10 – Invalidated Redirects and Forwards

Threat: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Prevention: Avoid usage of redirects and forwards. If the above is used, then do not involve user parameters in calculating the destination. If the destination parameters cannot be avoided, ensure that the supplied value is valid, and authorized for the user.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s