SharePoint
A Hacker's Dream
Ian Naumenko, CISSP
Spot Solutions Ltd.
SharePoint Saturday Vancouver, March 11, 2016 Spot Solutions Ltd.
Thanks to all the Sponsors !!!
Spot Solutions Ltd.SharePoint Saturday Vancouver Ian Naumenko, CISSP
Ian Naumenko, CISSP
WORK
✘ Director IT and Security Operations – Spot Solutions Ltd
BOARDS
✘ Vice President of InfoSecBC
(Vancouver Security Special Interest Group)
✘ President Western Region IAMCP Canada
(International Association of Microsoft Channel Partners)
✘ Work with POLCYB
(The Society for The Policing of cyberspace)
Education, Certifications
✘ Computer Sciences, CISSP, Various Microsoft Certs, ISO 90001, random
others…
I’m not dissing SharePoint…
✘SharePoint is an excellent collaboration platform and overall
Microsoft is doing a great job making the technology secure.
✘It’s not usually the technology that is at fault, it’s how we use the
technology that matters…
Sorry to disappoint…
We are not actually
going to hack anything
today…
Why is SharePoint a hacker's dream?
Over the past several years, the uptake of SharePoint has been
considerable. Way back in 2009, it was estimated that SharePoint had
licensed more than 85 million users to an estimated 17,000 companies.
This number has grown exponentially in recent years, especially with Microsoft
"Core CALs" (which include SharePoint) and the introduction of SharePoint
Online and Office 365.
Why is it a hacker's dream?
“According to Association for Information and Image Management (AIIM) one in two corporations are now using SharePoint Server and in 22% of the companies, every employee uses this popular Microsoft collaboration tool.”
http://www.topsharepoint.com/fortune-500-companies-using-sharepoint
Why is it a hacker's dream?
A vast number of Fortune 500 private companies use SharePoint for their internal and external content, for example:
UPS Store, Procter and Gamble, SC Johnson, Bristol-Myers Squibb
Why is it a hacker's dream?
…usage includes enterprise search, enterprise content management (ECM), business process management, business intelligence, records management, archiving, intranet/extranet, file sharing, and public-facing websites…
Contains lots of valuable data
Making it a big juicy target !!!
Why do we care…
2015's biggest hacks, breaches
✘Ashley Madison – 37 million “cheaters” records released
✘Vtech – 4.8 million records including info on 200,000 kids
✘70 million prisoner phone records stolen (attorney-client privilege may have been violated )
✘FBI's portal breached, thousands of arrestees' data at risk, including access to CIA director John
Brennan's private email account (widest external breaches of law enforcement this year)
✘Donald Trump's hotel chain hack hit thousands of hotel visitors. (credit card data including security
codes and card numbers)
✘Crowdfunding service Patreon hack led to 15GB data dump
✘Experian breach hit 15 million T-Mobile customers
✘Scottrade hack: Details on 4.6 million customers stolen
✘Excellus BlueCross BlueShield – 10 million records
Why do we care…
2015's biggest hacks, breaches
✘Carphone Warehouse tops UK breach list with 2.4 million affected
✘CVS, Walgreens, credit card breach, millions of CC, email, postal codes etc., records leaked
✘UCLA Health failed to encrypt 4.5 million records
✘Hacking Team exploits put hundreds of millions of Flash users at risk
✘OPM breach, which affected 22.1 million US government workers (and counting).
✘LastPass customers at risk after millions of passwords accessed
✘The IRS data breach, stolen tax returns of over 100,000 tax payers
✘Anthem (US healthcare provider) breach affected one-third of Americans
The annual cost of data breaches in the US is estimated to be $100 billion
Why do we care…
Bradley Manning
Forensics discovered WGET scripts on
Manning’s computer that pointed to a Microsoft
SharePoint server holding the Gitmo documents.
He ran the scripts to download the documents…
Edward Snowden
NSA, General Keith Alexander indicated…
“This leaker was a system administrator who was trusted with moving
the information to actually make sure that the right information was on
the SharePoint servers that NSA Hawaii needed." He then added that
the leak was " ... a huge break in trust and confidence. So there are
issues we have got to fix there.”
So, what do we need to do…
To start…
1. We need to understand what Information Security really is all about…
2. We need to understand external and internal threats…
1. Information Security 101
Security is not a group in SharePoint…
“To many in the SharePoint world, “SharePoint security” is synonymous with “SharePoint permissions” and the Snowden breach is a great example of how permissions are a single point of failure but do not (in and of themselves) equate to a proper security architecture.”
http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
Need to understand the CIA …
Confidentiality, Integrity and Availability
Confidentiality - Confidentiality refers to limiting information access and disclosure to authorized users -- "the right people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
(Think authentication, permissions and groups in SharePoint, who gets to see what…)
Integrity - Integrity refers to the trustworthiness of information resources. It includes the concept of "data
integrity" -- namely, that data have not been changed inappropriately, whether by accident or deliberately malign
activity. It also includes "origin" or "source integrity" -- that is, that the data actually came from the person or
entity you think it did, rather than an imposter.
(Think SharePoint’s “Created by” or “Last modified” each time a document is uploaded/changed)
Availability - Availability refers, unsurprisingly, to the availability of information resources. An information
system that is not available when you need it is almost as bad as none at all. It may be much worse, depending
on how reliant the organization has become on a functioning computer and communications infrastructure.
(Think disaster recovery and high availability)
Information Classification…
Classifying data is the process of categorizing data assets into nominal categories according to
their sensitivity (e.g., the impact of applicable laws and regulations).
An example of a Data Classification:
Public - Information that may or must be open to the general public.
Internal - Information that must be guarded due to proprietary, ethical, or privacy
considerations.
Confidential - Highly sensitive data intended for limited, specific use by a workgroup,
department, or group of individuals with a legitimate need-to-know.
Regulatory Data Classification - Information that’s protected by statutes and regulations, and
governed by a regulatory body or council regarding the investigation, response, reporting and
handling of incidents.
Understand the B’s and the C’s
Business
✘ Technology and security are there to support the business, not the other way around
✘ Difference between a manufacturer and a Healthcare provider
✘ Government has different drivers since its goal is to protect the public
✘ Understand the actual business need
✘ Add business value
Culture
✘ Heads down, don’t rock the boat
✘ Where's my bonus
Assets
✘ Are we spending a loonie to save a dime?
✘ What is our risk appetite?
✘ Risk avoidance, reduction, transfer, acceptance
✘ Risk = Likelihood x Impact
(Diagram: Business / Security / Technology)
Security basics: definitions of threat, attack and risk
Definition of threat: an object, person, or other entity that represents a constant danger to
an asset
Definition of vulnerability: a weakness that makes targets susceptible to an attack.
Definition of attack: an action taken against a target with the intention of doing harm.
Definition of risk: the likelihood of being targeted by a given attack, of an attack being
successful, and general exposure to a given threat.
Source: Excerpt from CISSP Guide to Security Essentials, chapter 10
2. External and Internal Threats?
External Threats…
✘Hacktivist
✘Bragging Rights
✘Monetary Gain
✘Criminal Groups
✘Thrill Seekers
✘Terrorists
✘State Sponsored
✘Organized Crime
✘Industrial Spies
Internal Threats…
“Most data security threats are internal”: internal vulnerabilities in some form or another were responsible for a total of 70 percent of breaches (Forrester)
✘Employees (The ones you always do, but shouldn't trust)
✘Developers (No one trusts these guys)
✘Administrators (All powerful)
Internal threats…
✘ lost or stolen devices account for 31 percent of all data security breaches
✘ accidental misuse by an employee accounted for another 27 percent of incidents
✘ 12 percent of breaches were caused by malicious insiders
✘ 22 percent of incidents involved either customer or employee data, in addition to reputational damage
✘ 19 percent of breaches involved intellectual property
http://blog.trendmicro.com/most-data-security-threats-are-internal-forrester-says/
Pieces of a puzzle….
Hackers don’t wave a magic wand and voila, they’re in…. If organized, information is gathered over time from multiple sources and techniques, then slowly assembled like a puzzle:
• BotNets
• Hacking
• Malware
• Pharming
• Phishing
• Ransomware
• Spam
• Spoofing
• Spyware
• Trojan Horses
• Viruses
• Worms
• WiFi Eavesdropping
• Email scams
• Phishing and Smishing scams
• Contests and Scams
• Online dating scams
• Social network scams
• Fraudulent calls
• Social engineering
for SharePoint
✘ Don’t assume that just because you have some SP permissions setup
that your data is “automatically” safe, this applies on premise,
hosted solutions and Office 365
✘ We need to start treating SharePoint as a business critical
repository of important, sensitive business information
✘ “Security is not just a checklist, it’s a strategy”
✘ Threats are not just external…
✘ SharePoint Security only stands a chance if there is governance
…can be vulnerable if we are not careful
Governance is the key
✘ “Governance for SharePoint could be defined as your strategy for delivering the business
solutions your end users want, within the scope of the technology and security considerations, while
maintaining those business constraints.”
✘ Reducing risk – “just over 43 percent claimed they do not regularly run audits on usage, security,
content or permissions, which is frightening to say the least. A governance plan that protects business
IP and is aligned with the appropriate compliance regulations helps reduce potentially devastating risk
and losses in the future.“
✘ “Governance actually enables business agility and protects the business from data leaks, risk and
lost resources”
A great free resource; all the quotes above are from the Metalogix ebook SharePoint Governance Best Practices by SharePoint MVP Christian Buckley.
On-Premise vs Cloud deployments?
On-Premise Deployments…
✘ Pros
• All corporate data is kept onsite, in-house
• Data sovereignty (i.e. keeping content within the country)
• More ability for customization (farm solutions) – don’t have to rely on JavaScript
• Knowing your sysadmin team and those who have the keys to your kingdom
• CIA - Confidentiality and Integrity
✘Cons
• Less or no internal “security minded” resources available
• Limited or over stretched sysadmin resources
• More upkeep and maintenance costs for infrastructure
• Developers of farm solutions need to follow SSDLC and need to understand the potential impacts of custom code.
• CIA - Availability
Cloud Deployments…
✘ Pros
• Little or no internal infrastructure
• Vast Microsoft infrastructure and security resources
• Automated backup
• Scalability
• CIA - Availability
✘Cons
• If internet is down or inaccessible, so is your data
• All data is available externally
• Data is stored wherever Microsoft decides
• Data sovereignty – even if in a Canadian Data center, operations owned by a foreign country
• Adequately secure against rogue systems administrators and insiders…
• CIA – Confidentiality, Availability
Finally the good stuff…
SharePoint EndPoints
Administrative;;inurl:"/_layouts/AdminRecycleBin.aspx"
Administrative;;inurl:"/_layouts/bpcf.aspx"
Administrative;;inurl:"/_layouts/create.aspx"
Administrative;;inurl:"/_layouts/listfeed.aspx"
Administrative;;inurl:"/_layouts/managefeatures.aspx"
Administrative;;inurl:"/_layouts/mcontent.aspx"
Administrative;;inurl:"/_layouts/mngsiteadmin.aspx"
Administrative;;inurl:"/_layouts/mngsubwebs.aspx"
Administrative;;inurl:"/_layouts/newsbweb.aspx"
Administrative;;inurl:"/_layouts/PageSettings.aspx"
Administrative;;inurl:"/_layouts/policy.aspx"
Administrative;;inurl:"/_layouts/policyconfig.aspx"
Administrative;;inurl:"/_layouts/policycts.aspx"
Administrative;;inurl:"/_layouts/Policylist.aspx"
Administrative;;inurl:"/_layouts/recyclebin.aspx"
Administrative;;inurl:"/_layouts/settings.aspx"
Administrative;;inurl:"/_layouts/sitemanager.aspx"
Administrative;;inurl:"/_layouts/storman.aspx"
Administrative;;inurl:"/_layouts/vsubwebs.aspx"
Administrative;;inurl:"/_layouts/wrkmng.aspx"
Administrative;;inurl:"_admin" inurl:"aspx"
Administrative;;inurl:"admin/_layouts"
Forms;;inurl:"/_layouts/listedit.aspx" filetype:aspx
Forms;;inurl:"/forms/allitems.aspx" filetype:aspx
Forms;;inurl:"/pages/forms/allitems.aspx"
Forms;;inurl:"Forms" inurl:"allitems.aspx" filetype:aspx
Forms;;inurl:"Forms" inurl:"dispform.aspx" filetype:aspx
Forms;;inurl:"Forms" inurl:"editform.aspx" filetype:aspx
Forms;;inurl:"Forms" inurl:"myitems.aspx" filetype:aspx
Forms;;inurl:"Forms" inurl:"newform.aspx" filetype:aspx
Forms;;inurl:lists inurl:allitems.aspx
Forms;;inurl:lists inurl:editform.aspx
Galleries;;inurl:"/_catalogs/" inurl:forms
Galleries;;inurl:"/_catalogs/lt/"
Galleries;;inurl:"/_catalogs/masterpage"
Galleries;;inurl:"/_catalogs/masterpage/forms/allitems.aspx"
Galleries;;inurl:"/_catalogs/wp/"
Galleries;;inurl:"/_catalogs/wp/forms/"
Galleries;;inurl:"/_catalogs/wp/forms/allitems.aspx"
Galleries;;inurl:"/_catalogs/wt/"
Galleries;;inurl:"/_layouts/1033"
Galleries;;inurl:"/_layouts/AreaTemplateSettings.aspx"
Galleries;;inurl:"/_layouts/ChangeSiteMasterPage.aspx"
Galleries;;inurl:"/_layouts/images/"
Galleries;;inurl:"/_layouts/mngctype.aspx"
Galleries;;inurl:"/_layouts/mngfield.aspx"
Galleries;;inurl:"_catalogs/lt/forms/allitems.aspx"
Help Pages;;inurl:"/_layouts/help.aspx" ext:aspx
Help Pages;;inurl:"_layouts/help.aspx" inurl:"cid0=" ext:aspx
Lists;;inurl:"/_layouts/viewlsts.aspx"
Lists;;inurl:"/_layouts/mobile/mbllists.aspx" ext:aspx
Lists;;inurl:"/_layouts/listedit.aspx"
Login;;inurl:"/_Layouts" inurl:"authenticate.aspx" filetype:aspx
Login;;inurl:"/_Layouts/authenticate.aspx" filetype:aspx
Login;;inurl:"/pages/login.aspx"
LookNFeel;;inurl:"/_layouts/areanavigationsettings.aspx"
LookNFeel;;inurl:"/_layouts/AreaWelcomePage.aspx"
LookNFeel;;inurl:"/_layouts/navoptions.aspx"
LookNFeel;;inurl:"/_layouts/prjsetng.aspx"
LookNFeel;;inurl:"/_layouts/quiklnch.aspx"
LookNFeel;;inurl:"/_layouts/themeweb.aspx"
LookNFeel;;inurl:"/_layouts/topnav.aspx"
Other;;"all site content" site:.com filetype:aspx
Other;;"view all site content" "sign in" "people and groups" filetype:aspx
Other;;inanchor:"shared documents" inurl:"shared documents" inurl:"forms/"
Other;;inanchor:"shared documents" inurl:"shared documents" inurl:"forms/" filetype:aspx
Other;;intext:"this blog is powered by microsoft sharepoint server 2010"
Other;;inurl:"/_layouts" inurl:"allitems.aspx"
Other;;inurl:"/_Layouts" inurl:"RedirectPage.aspx" filetype:aspx
Other;;inurl:"/_layouts/" filetype:aspx
Other;;inurl:"/directory/_layouts/" filetype:aspx
Other;;inurl:"/pages/default.aspx"
UsersGroups;;inurl:"/_layouts" inurl:"useredit.aspx"
UsersGroups;;inurl:"/_layouts/aclinv.aspx"
UsersGroups;;inurl:"/_layouts/addrole.aspx"
UsersGroups;;inurl:"/_layouts/associatedgroups.aspx"
UsersGroups;;inurl:"/_layouts/editgrp.aspx"
UsersGroups;;inurl:"/_layouts/editprms.aspx"
UsersGroups;;inurl:"/_layouts/groups.aspx"
UsersGroups;;inurl:"/_layouts/myinfo.aspx"
UsersGroups;;inurl:"/_layouts/MyPage.aspx"
UsersGroups;;inurl:"/_layouts/MyTasks.aspx"
UsersGroups;;inurl:"/_layouts/newgrp.aspx"
UsersGroups;;inurl:"/_layouts/people.aspx"
UsersGroups;;inurl:"/_layouts/permsetup.aspx"
UsersGroups;;inurl:"/_layouts/picker.aspx"
UsersGroups;;inurl:"/_layouts/role.aspx"
UsersGroups;;inurl:"/_layouts/user.aspx"
UsersGroups;;inurl:"/_layouts/userdisp.aspx"
UsersGroups;;inurl:"/_layouts/userdisp.aspx" filetype:aspx
UsersGroups;;inurl:"/_layouts/useredit.aspx"
UsersGroups;;inurl:"/_layouts/viewgrouppermissions.aspx"
WebParts;;inurl:"/_layouts/NewDwp.aspx"
WebParts;;inurl:"/_layouts/spcf.aspx"
WebParts;;inurl:"/WPPrevw.aspx"
WebServices;;intext:"http://schemas.microsoft.com/sharepoint/" filetype:asmx
WebServices;;intext:"soapAction=" intext:"http://microsoft.com/webservices/OfficeServer/" filetype:asmx
WebServices;;inurl:"/_vti_bin/alerts.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/copy.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/dspsts.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/forms.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/lists.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/people.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/Permissions.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/search.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/sitedata.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/sites.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/usergroup.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/versions.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/views.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/webpartpages.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/webs.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/spsdisco.aspx" filetype:aspx
WebServices;;inurl:"/_vti_bin/SharepointEmailWS.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/BusinessDataCatalog.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/ExcelService.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/UserProfileService.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/spscrawl.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/AreaService.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/WebPartPages.asmx" filetype:asmx
WebServices;;inurl:"/_vti_bin/spsearch.asmx" filetype:asmx
Three click attack…
SharePoint Hacking Diggity Project – Bishop Fox
http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/
✘ UserDispEnum
• UserDispEnum is a SharePoint user enumeration tool that exploits insecure access controls to the
/_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify
valid users, account names, and other related profile information that can easily be extracted from the SharePoint
user profiles.
Paste this into your browser: http://www.google.com/#q=inurl:”/_layouts/userdisp.aspx
SharePoint UserDispEnum
Also many technical vulnerabilities…
✘ Microsoft Security Bulletin MS15-036 - Elevation of Privilege
• April 14, 2015: - The attacker who successfully exploited these vulnerabilities could then perform cross-site
scripting attacks on affected systems and run script in the security context of the current user. These attacks
could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take
actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject
malicious content in the victim’s browser.
✘ Microsoft SharePoint Online (cloud) - filter bypass & persistent vulnerability
• Aug 18, 2015: - It is possible to evade the current security controls on Microsoft SharePoint Online 2013 Web
Application by simply adding a blank iframe in the HTML through `embed code` feature. It does not matter what
policies have been implemented through the `HTML Field Security` feature. All filters / policies are easily evaded
using the above mentioned filter bypass technique and this should be fixed immediately. Please note, once the
filter is evaded, it is possible to inject malicious script code without any restrictions and it doesn`t get stripped /
filtered even after publishing. Successful exploitation of the vulnerability results in filter evasion of all SharePoint
security policies for the websites and allows execution of persistent script code that can result in session
hijacking, persistent phishing, stable external redirect, stable external malware loads and persistent vulnerable
module context manipulation.
Microsoft SharePoint Online (cloud) - filter bypass & persistent vulnerability
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low required user
interaction and (restricted) privileged SharePoint cloud application user account. For security demonstration or to
reproduce the vulnerability follow the provided information and steps below.
1. Register an office and SharePoint online 2013 account
2. Login to the SharePoint portal as admin
3. Goto your Site and click on Edit
4. Goto Insert and include "embed code"
5. in the Input box, enter the given "Payload"
6. Click Insert and then Save
7. Upon being redirected to the index page, a javascript box should pop up proving the existence of this vulnerability
http://www.vulnerability-lab.com/get_content.php?id=1024
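The bypass above works because the filter looks for particular strings in the submitted embed HTML and a blank iframe contains none of them. The defensive counterpart is an allowlist applied to the parsed markup: anything not explicitly permitted is refused, an empty iframe included, whether or not it carries a visible payload. The following is an added example written for this page in Python; it is not SharePoint's "HTML Field Security" filter or the advisory's code, and the tag, attribute and URL-scheme allowlists are assumptions chosen for illustration.

```python
"""Added example for this page (not SharePoint's own filter): validate user-supplied
embed HTML against an allowlist of tags, attributes and URL schemes. The parser
sees the markup the way a browser will, so a blank <iframe>, a <script> tag, an
on* handler or a javascript: URL is rejected regardless of its content."""
from html.parser import HTMLParser

# Allowlists are assumptions chosen for illustration; tighten them to what a site needs.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class EmbedValidator(HTMLParser):
    """Collect one violation per disallowed tag, attribute or URL scheme."""

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling us.
        if tag not in ALLOWED_TAGS:
            self.violations.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.violations.append(f"attribute {name} on <{tag}> not allowed")
            elif name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                self.violations.append(f"href scheme not allowed: {value!r}")

    # Self-closing forms such as <br/> go through the same check.
    handle_startendtag = handle_starttag


def validate_embed(html):
    """Return the list of violations; an empty list means the snippet may be stored."""
    v = EmbedValidator()
    v.feed(html)
    v.close()
    return v.violations


if __name__ == "__main__":
    for snippet in ('<p>Hello <a href="https://example.com">site</a></p>',
                    "<iframe></iframe>",
                    '<p onclick="x()">hi</p>'):
        print(repr(snippet), "->", validate_embed(snippet) or "accepted")
```

The design point is that the decision is made on parsed tags against a short allowlist, so a new tag or attribute the filter author never thought of is rejected by default instead of slipping through a denylist.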
WGET Script
✘ What is WGET ?
• It's a command-line tool to download webpages and their assets
✘ Why does it matter….
• Mass content download !
The following command will download all the content from SharePoint to static pages using WGET. WGET even fixes all links so that most navigation still works.
wget -r --no-parent --convert-links -P c:\temp\<my local folder> --http-user=<domain\username> --http-passwd=<password> http://<path to sharepoint>
✘ What can we do to prevent its use…
• WGET respects passwords
• wget respects, by default, your robots.txt file
• webservers can be set up to deny WGET’s default user agent
• All that being said, it’s really hard to block
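Both the UserDispEnum walk from the "Three click attack" slide and the wget mass download above leave a clear trace in the web front end's IIS logs: one client requesting /_layouts/userdisp.aspx with a run of consecutive ID= values, and one account pulling many distinct documents within seconds, often with a command-line user agent. The following is an added example written for this page, not code from the talk or from Bishop Fox: it parses IIS W3C log lines and flags both patterns, plus anonymous 200 responses on a few of the admin pages and _vti_bin services from the endpoint list above. The log lines, IP addresses, account names and thresholds are constructed sample values.

```python
"""Added example for this page (not from the talk or from Bishop Fox): three
detections run over IIS W3C log lines from a SharePoint web front end. All log
lines, addresses, account names and thresholds below are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample; field order follows the #Fields header as IIS writes it.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2016-03-11 09:00:01 203.0.113.7 - GET /_layouts/userdisp.aspx ID=1 200 Mozilla/5.0
2016-03-11 09:00:02 203.0.113.7 - GET /_layouts/userdisp.aspx ID=2 200 Mozilla/5.0
2016-03-11 09:00:02 203.0.113.7 - GET /_layouts/userdisp.aspx ID=3 200 Mozilla/5.0
2016-03-11 09:00:03 203.0.113.7 - GET /_layouts/userdisp.aspx ID=4 404 Mozilla/5.0
2016-03-11 09:00:03 203.0.113.7 - GET /_layouts/userdisp.aspx ID=5 200 Mozilla/5.0
2016-03-11 09:00:04 203.0.113.7 - GET /_layouts/userdisp.aspx ID=6 200 Mozilla/5.0
2016-03-11 09:01:10 198.51.100.9 - GET /_layouts/settings.aspx - 200 Mozilla/5.0
2016-03-11 09:01:11 198.51.100.9 - GET /_vti_bin/lists.asmx - 200 Mozilla/5.0
2016-03-11 09:10:00 10.0.0.5 CORP\\jdoe GET /sites/hr/Shared%20Documents/a.docx - 200 Wget/1.17
2016-03-11 09:10:01 10.0.0.5 CORP\\jdoe GET /sites/hr/Shared%20Documents/b.docx - 200 Wget/1.17
2016-03-11 09:10:01 10.0.0.5 CORP\\jdoe GET /sites/hr/Shared%20Documents/c.xlsx - 200 Wget/1.17
2016-03-11 09:10:02 10.0.0.5 CORP\\jdoe GET /sites/hr/Shared%20Documents/d.pdf - 200 Wget/1.17
2016-03-11 09:10:02 10.0.0.5 CORP\\jdoe GET /sites/hr/Shared%20Documents/e.pptx - 200 Wget/1.17
2016-03-11 09:10:03 10.0.0.5 CORP\\jdoe GET /sites/hr/Shared%20Documents/f.docx - 200 Wget/1.17
2016-03-11 09:30:00 10.0.0.8 CORP\\asmith GET /sites/hr/Shared%20Documents/a.docx - 200 Mozilla/5.0
"""


def parse_iis(text):
    """Turn W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def detect_userdisp_enum(records, min_ids=5):
    """Clients walking distinct ID= values on userdisp.aspx (the UserDispEnum pattern).
    anonymous_200 counts hits that succeeded without a login: that is the gap to close."""
    ids, anon_ok = defaultdict(set), defaultdict(int)
    for r in records:
        if not r["cs-uri-stem"].lower().endswith("/_layouts/userdisp.aspx"):
            continue
        m = re.search(r"(?:^|&)id=(\d+)", r["cs-uri-query"], re.I)
        if m:
            ids[r["c-ip"]].add(int(m.group(1)))
            if r["cs-username"] == "-" and r["sc-status"] == "200":
                anon_ok[r["c-ip"]] += 1
    return {ip: {"distinct_ids": len(s), "anonymous_200": anon_ok[ip]}
            for ip, s in ids.items() if len(s) >= min_ids}


DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf")


def detect_bulk_download(records, window_s=60, threshold=5):
    """(user, ip) pairs fetching >= threshold distinct documents within window_s seconds,
    the footprint of a recursive wget. cli_agent notes a Wget/curl user agent: a useful
    signal, but, as the slide says, trivial for the client to change."""
    per_actor = defaultdict(list)
    for r in records:
        if (r["cs-method"] == "GET" and r["sc-status"] == "200"
                and r["cs-uri-stem"].lower().endswith(DOC_EXT)):
            per_actor[(r["cs-username"], r["c-ip"])].append(r)
    findings = {}
    for actor, hits in per_actor.items():
        hits.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hits):
            window = [h for h in hits[i:] if (h["ts"] - first["ts"]).total_seconds() <= window_s]
            docs = {h["cs-uri-stem"] for h in window}
            if len(docs) >= threshold:
                agents = {h["cs(User-Agent)"].split("/")[0] for h in window}
                findings[actor] = {"docs": len(docs), "cli_agent": bool(agents & {"Wget", "curl"})}
                break
    return findings


# A few of the admin pages and web services from the endpoint list above.
SENSITIVE = ("/_layouts/settings.aspx", "/_layouts/people.aspx", "/_layouts/aclinv.aspx",
             "/_layouts/viewlsts.aspx", "/_vti_bin/")


def anonymous_sensitive_hits(records):
    """Anonymous requests answered 200 on admin pages or _vti_bin services: each one is
    an exposure to close in the web application's anonymous-access settings."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in records
            if r["cs-username"] == "-" and r["sc-status"] == "200"
            and any(p in r["cs-uri-stem"].lower() for p in SENSITIVE)]


if __name__ == "__main__":
    recs = parse_iis(SAMPLE_LOG)
    print("userdisp enumeration:", detect_userdisp_enum(recs))
    print("bulk download:", detect_bulk_download(recs))
    print("anonymous admin/service hits:", anonymous_sensitive_hits(recs))
```

On the sample, the enumeration rule fires for the one client that walked six IDs (five of them served to an anonymous session), the download rule fires for the account that fetched six documents in three seconds with a Wget agent, and the two anonymous hits on settings.aspx and lists.asmx are listed as exposures. Thresholds are starting points; tune them against the farm's normal traffic before alerting on them.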
What can we do?
Vulnerability assessment tools and resources…
✘ Assessment tools from vendors such as
Metalogix - Free Insider Threat Vulnerability tool
ShareGate – SharePoint Security Tool
AveDoc – Governance Automation
✘ OWASP top 10
✘ KALI disc (pen testing)
✘ Microsoft Security Center – Security bulletins
https://technet.microsoft.com/en-us/library/security/dn631937.aspx
✘ Common Vulnerabilities and Exposures Database
http://www.cve.mitre.org/find/index.html
Points to remember…
✘ SharePoint doesn’t matter, the business matters. (quoted from the Metalogix Governance Best Practices ebook)
✘ We have to approach cloud services by assuming that your data is being looked at
by third parties, including cloud systems administrators, and by governmental
agencies…
✘ Most IT platforms, and particularly collaboration-oriented platforms, are challenged
to adequately secure against rogue systems administrators and insiders. The
solution to securing SharePoint and other IT platforms against insiders will always
boil down to careful application of security controls, which are not always
technical…
http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
Points to remember… (cont…)
✘Don’t take the technology for granted.
✘Governance is most important. “It’s not a checklist, it’s a strategy”
✘Educate staff in simple language they can understand and relate to
✘Don’t fall into “tick-box security”
✘Understand the business needs and culture
✘Be careful with custom code. Always use SSDLC techniques
✘Teach your staff about “social engineering”
✘Deploy Defense-in-Depth protection
Mike Fleck, Co-Founder of CipherPoint Software wrote…
”If your house gets broken into, but you like the house,
keep the house and buy a security system. People love
SharePoint for the collaboration efficiencies the platform
brings to the enterprise. Add to SharePoint the right set
of administrative and technical security controls, and
you’ve got a winning combination. It is possible to use
the SharePoint platform for use cases involving highly
sensitive data!”
Conclusion…
Ian Naumenko, CISSP, Spot Solutions Ltd.
thanks!
Any questions?
You can find me at
ian@spotsolutions.com
https://www.linkedin.com/in/iannaumenko
@ignhot
Credits
Special thanks to all the people who made and released these awesome slides for free:
Presentation template by SlidesCarnival
Photographs by Unsplash
Quantifying Cyber Risk, Insurance and The Value of Personal DataQuantifying Cyber Risk, Insurance and The Value of Personal Data
Quantifying Cyber Risk, Insurance and The Value of Personal Data
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
Spo2 t17
Spo2 t17Spo2 t17
Spo2 t17
 
Sensecy cti vs cti
Sensecy cti vs cti Sensecy cti vs cti
Sensecy cti vs cti
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the Society
 
A handbook of the threat intelligence tools your company needs
A handbook of the threat intelligence tools your company needsA handbook of the threat intelligence tools your company needs
A handbook of the threat intelligence tools your company needs
 
Why do women love chasing down bad guys?
Why do women love chasing down bad guys? Why do women love chasing down bad guys?
Why do women love chasing down bad guys?
 
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONSCybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
Cybersecurity - you are being targeted -Keyven Lewis, CMIT SOLUTIONS
 
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party  Cyb...
Joint Presentation on The State of Cybersecurity ('15-'16) & Third Party Cyb...
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
 
Shining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark WebShining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark Web
 

Hacking_SharePoint_FINAL

  • 8. Why is it a hacker's dream? A vast number of Fortune 500 and private companies use SharePoint for their internal and external content: UPS Store, Procter & Gamble, SC Johnson, Bristol-Myers Squibb.
  • 9. Why is it a hacker's dream? Usage includes enterprise search, enterprise content management (ECM), business process management, business intelligence, records management, archiving, intranet/extranet and file sharing, through to public-facing websites… It contains lots of valuable data, making it a big juicy target!!!
  • 10. Why do we care… 2015's biggest hacks and breaches:
    ✘ Ashley Madison – 37 million "cheaters" records released
    ✘ Vtech – 4.8 million records, including info on 200,000 kids
    ✘ 70 million prisoner phone records stolen (attorney-client privilege may have been violated)
    ✘ FBI's portal breached, thousands of arrestees' data at risk, including access to CIA director John Brennan's private email account (the widest external breach of law enforcement this year)
    ✘ Donald Trump's hotel chain hack hit thousands of hotel visitors (credit card data, including security codes and card numbers)
    ✘ Crowdfunding service Patreon hack led to a 15GB data dump
    ✘ Experian breach hit 15 million T-Mobile customers
    ✘ Scottrade hack: details on 4.6 million customers stolen
    ✘ Excellus BlueCross BlueShield – 10 million records
  • 11. Why do we care… 2015's biggest hacks and breaches (cont.):
    ✘ Carphone Warehouse tops the UK breach list with 2.4 million affected
    ✘ CVS and Walgreens credit card breach: millions of credit card, email and postal code records leaked
    ✘ UCLA Health failed to encrypt 4.5 million records
    ✘ Hacking Team exploits put hundreds of millions of Flash users at risk
    ✘ OPM breach, which affected 22.1 million US government workers (and counting)
    ✘ LastPass customers at risk after millions of passwords accessed
    ✘ The IRS data breach: stolen tax returns of over 100,000 taxpayers
    ✘ Anthem (US healthcare provider) breach affected one-third of Americans
    The annual cost of data breaches in the US is estimated to be $100 billion.
  • 12. Why do we care… Bradley Manning: forensics discovered WGET scripts on Manning's computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents… Edward Snowden: NSA General Keith Alexander indicated, "This leaker was a system administrator who was trusted with moving the information to actually make sure that the right information was on the SharePoint servers that NSA Hawaii needed." He then added that the leak was "... a huge break in trust and confidence. So there are issues we have got to fix there."
  • 13. So, what do we need to do… To start: 1. We need to understand what information security is really all about… 2. We need to understand external and internal threats…
  • 14. 1. Information Security 101
  • 15. Security is not a group in SharePoint… "To many in the SharePoint world, 'SharePoint security' is synonymous with 'SharePoint permissions' and the Snowden breach is a great example of how permissions are a single point of failure but do not (in and of themselves) equate to a proper security architecture." http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
  • 16. Need to understand the CIA…
  • 17. Confidentiality, Integrity and Availability
  • 18. Confidentiality, Integrity and Availability
  • 19. Confidentiality, Integrity and Availability
    Confidentiality – Confidentiality refers to limiting information access and disclosure to authorized users ("the right people") and preventing access by or disclosure to unauthorized ones ("the wrong people"). (Think authentication, permissions and groups in SharePoint: who gets to see what…)
    Integrity – Integrity refers to the trustworthiness of information resources. It includes the concept of "data integrity", namely that data have not been changed inappropriately, whether by accident or by deliberately malign activity. It also includes "origin" or "source integrity", that is, that the data actually came from the person or entity you think it did, rather than an imposter. (Think SharePoint's "Created by" or "Last modified" each time a document is uploaded or changed.)
    Availability – Availability refers, unsurprisingly, to the availability of information resources. An information system that is not available when you need it is almost as bad as none at all. It may be much worse, depending on how reliant the organization has become on a functioning computer and communications infrastructure. (Think disaster recovery and high availability.)
  • 20. Information Classification… Classifying data is the process of categorizing data assets based on nominal values according to their sensitivity (e.g., impact of applicable laws and regulations). An example of a data classification:
    Public – Information that may or must be open to the general public.
    Internal – Information that must be guarded due to proprietary, ethical, or privacy considerations.
    Confidential – Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know.
    Regulatory Data Classification – Information that is protected by statutes and regulations, and governed by a regulatory body or council regarding the investigation, response, reporting and handling of incidents.
  • 21. Understand the B's and the C's
    Business
    ✘ Technology and security are there to support the business, not the other way around
    ✘ There is a difference between a manufacturer and a healthcare provider
    ✘ Government has different drivers, since its goal is to protect the public
    ✘ Understand the actual business need
    ✘ Add business value
    Culture
    ✘ Heads down, don't rock the boat
    ✘ Where's my bonus?
    Assets
    ✘ Are we spending a loonie to save a dime?
    ✘ What is our risk appetite?
    ✘ Risk avoidance, reduction, transfer, acceptance
    ✘ Risk = Likelihood x Impact
    (Diagram: Business, Security, Technology)
  • 22. Security basics: definitions of threat, attack and risk
    Definition of threat: an object, person, or other entity that represents a constant danger to an asset.
    Definition of vulnerability: a weakness that makes targets susceptible to an attack.
    Definition of attack: an action taken against a target with the intention of doing harm.
    Definition of risk: the likelihood of being targeted by a given attack, of an attack being successful, and general exposure to a given threat.
    Source: Excerpt from CISSP Guide to Security Essentials, chapter 10
  • 23. 2. External and Internal Threats?
  • 24. External Threats…
    ✘ Hacktivists
    ✘ Bragging rights
    ✘ Monetary gain
    ✘ Criminal groups
    ✘ Thrill seekers
    ✘ Terrorists
    ✘ State sponsored
    ✘ Organized crime
    ✘ Industrial spies
  • 25. Internal Threats… "Most data security threats are internal": internal vulnerabilities in some form or another are responsible for a total of 70 percent of breaches (Forrester)
    ✘ Employees (the ones you always do, but shouldn't, trust)
    ✘ Developers (no one trusts these guys)
    ✘ Administrators (all powerful)
  • 26. Internal threats…
    ✘ Lost or stolen devices account for 31 percent of all data security breaches
    ✘ Accidental misuse by an employee accounted for another 27 percent of incidents
    ✘ 12 percent of breaches were caused by malicious insiders
    ✘ 22 percent of incidents involved either customer or employee data, in addition to reputational damage
    ✘ 19 percent of breaches involved intellectual property
    http://blog.trendmicro.com/most-data-security-threats-are-internal-forrester-says/
  • 27. Pieces of a puzzle… Hackers don't wave a magic wand and voilà, they're in… If organized, information is gathered over time from multiple sources and techniques, then slowly assembled like a puzzle: botnets, hacking, malware, pharming, phishing, ransomware, spam, spoofing, spyware, Trojan horses, viruses, worms, WiFi eavesdropping, email scams, phishing and smishing scams, contests and scams, online dating scams, social network scams, fraudulent calls, social engineering.
  • 28. for SharePoint
  • 29. SharePoint can be vulnerable if we are not careful
    ✘ Don't assume that just because you have some SP permissions set up that your data is "automatically" safe; this applies to on-premise, hosted solutions and Office 365
    ✘ We need to start treating SharePoint as a business-critical repository of important, sensitive business information
    ✘ "Security is not just a checklist, it's a strategy"
    ✘ Threats are not just external…
    ✘ SharePoint security only stands a chance if there is governance
  • 30. Governance is the key
    ✘ "Governance for SharePoint could be defined as your strategy for delivering the business solutions your end users want, within the scope of the technology and security considerations, while maintaining those business constraints."
    ✘ Reducing risk – "just over 43 percent claimed they do not regularly run audits on usage, security, content or permissions, which is frightening to say the least. A governance plan that protects business IP and is aligned with the appropriate compliance regulations helps reduce potentially devastating risk and losses in the future."
    ✘ "Governance actually enables business agility and protects the business from data leaks, risk and lost resources"
    Great free resource; all the above quotes are from the Metalogix ebook "SharePoint Governance Best Practices" by SharePoint MVP Christian Buckley.
  • 31. On-Premise vs Cloud deployments?
  • 32. On-Premise Deployments…
    ✘ Pros
      • All corporate data is kept onsite, in-house
      • Data sovereignty (i.e. keeping content within the country)
      • More ability for customization (farm solutions); don't have to rely on JavaScript
      • Knowing your sysadmin team and those who have the keys to your kingdom
      • CIA – Confidentiality and Integrity
    ✘ Cons
      • Less or no internal "security minded" resources available
      • Limited or overstretched sysadmin resources
      • More upkeep and maintenance costs for infrastructure
      • Developers of farm solutions need to follow SSDLC and need to understand the potential impacts of custom code
      • CIA – Availability
  • 33. Cloud Deployments…
    ✘ Pros
      • Little or no internal infrastructure
      • Vast Microsoft infrastructure and security resources
      • Automated backup
      • Scalability
      • CIA – Availability
    ✘ Cons
      • If the internet is down or inaccessible, so is your data
      • All data is available externally
      • Data is stored wherever Microsoft decides
      • Data sovereignty – even if in a Canadian data center, operations are owned by a foreign country
      • Adequately securing against rogue systems administrators and insiders…
      • CIA – Confidentiality, Availability
  • 34. Finally the good stuff…
  • 35. SharePoint EndPoints (search-engine queries, grouped by the category each entry carries)
    Administrative
      inurl:"/_layouts/AdminRecycleBin.aspx"
      inurl:"/_layouts/bpcf.aspx"
      inurl:"/_layouts/create.aspx"
      inurl:"/_layouts/listfeed.aspx"
      inurl:"/_layouts/managefeatures.aspx"
      inurl:"/_layouts/mcontent.aspx"
      inurl:"/_layouts/mngsiteadmin.aspx"
      inurl:"/_layouts/mngsubwebs.aspx"
      inurl:"/_layouts/newsbweb.aspx"
      inurl:"/_layouts/PageSettings.aspx"
      inurl:"/_layouts/policy.aspx"
      inurl:"/_layouts/policyconfig.aspx"
      inurl:"/_layouts/policycts.aspx"
      inurl:"/_layouts/Policylist.aspx"
      inurl:"/_layouts/recyclebin.aspx"
      inurl:"/_layouts/settings.aspx"
      inurl:"/_layouts/sitemanager.aspx"
      inurl:"/_layouts/storman.aspx"
      inurl:"/_layouts/vsubwebs.aspx"
      inurl:"/_layouts/wrkmng.aspx"
      inurl:"_admin" inurl:"aspx"
      inurl:"admin/_layouts"
    Forms
      inurl:"/_layouts/listedit.aspx" filetype:aspx
      inurl:"/forms/allitems.aspx" filetype:aspx
      inurl:"/pages/forms/allitems.aspx"
      inurl:"Forms" inurl:"allitems.aspx" filetype:aspx
      inurl:"Forms" inurl:"dispform.aspx" filetype:aspx
      inurl:"Forms" inurl:"editform.aspx" filetype:aspx
      inurl:"Forms" inurl:"myitems.aspx" filetype:aspx
      inurl:"Forms" inurl:"newform.aspx" filetype:aspx
      inurl:lists inurl:allitems.aspx
      inurl:lists inurl:editform.aspx
    Galleries
      inurl:"/_catalogs/" inurl:forms
      inurl:"/_catalogs/lt/"
      inurl:"/_catalogs/masterpage"
      inurl:"/_catalogs/masterpage/forms/allitems.aspx"
      inurl:"/_catalogs/wp/"
      inurl:"/_catalogs/wp/forms/"
      inurl:"/_catalogs/wp/forms/allitems.aspx"
      inurl:"/_catalogs/wt/"
      inurl:"/_layouts/1033"
      inurl:"/_layouts/AreaTemplateSettings.aspx"
      inurl:"/_layouts/ChangeSiteMasterPage.aspx"
      inurl:"/_layouts/images/"
      inurl:"/_layouts/mngctype.aspx"
      inurl:"/_layouts/mngfield.aspx"
      inurl:"_catalogs/lt/forms/allitems.aspx"
    Help Pages
      inurl:"/_layouts/help.aspx" ext:aspx
      inurl:"_layouts/help.aspx" inurl:"cid0=" ext:aspx
    Lists
      inurl:"/_layouts/viewlsts.aspx"
      inurl:"/_layouts/mobile/mbllists.aspx" ext:aspx
      inurl:"/_layouts/listedit.aspx"
    Login
      inurl:"/_Layouts" inurl:"authenticate.aspx" filetype:aspx
      inurl:"/_Layouts/authenticate.aspx" filetype:aspx
      inurl:"/pages/login.aspx"
    LookNFeel
      inurl:"/_layouts/areanavigationsettings.aspx"
      inurl:"/_layouts/AreaWelcomePage.aspx"
      inurl:"/_layouts/navoptions.aspx"
      inurl:"/_layouts/prjsetng.aspx"
      inurl:"/_layouts/quiklnch.aspx"
      inurl:"/_layouts/themeweb.aspx"
      inurl:"/_layouts/topnav.aspx"
    Other
      "all site content" site:.com filetype:aspx
      "view all site content" "sign in" "people and groups" filetype:aspx
      inanchor:"shared documents" inurl:"shared documents" inurl:"forms/"
      inanchor:"shared documents" inurl:"shared documents" inurl:"forms/" filetype:aspx
      intext:"this blog is powered by microsoft sharepoint server 2010"
      inurl:"/_layouts" inurl:"allitems.aspx"
      inurl:"/_Layouts" inurl:"RedirectPage.aspx" filetype:aspx
      inurl:"/_layouts/" filetype:aspx
      inurl:"/directory/_layouts/" filetype:aspx
      inurl:"/pages/default.aspx"
    UsersGroups
      inurl:"/_layouts" inurl:"useredit.aspx"
      inurl:"/_layouts/aclinv.aspx"
      inurl:"/_layouts/addrole.aspx"
      inurl:"/_layouts/associatedgroups.aspx"
      inurl:"/_layouts/editgrp.aspx"
      inurl:"/_layouts/editprms.aspx"
      inurl:"/_layouts/groups.aspx"
      inurl:"/_layouts/myinfo.aspx"
      inurl:"/_layouts/MyPage.aspx"
      inurl:"/_layouts/MyTasks.aspx"
      inurl:"/_layouts/newgrp.aspx"
      inurl:"/_layouts/people.aspx"
      inurl:"/_layouts/permsetup.aspx"
      inurl:"/_layouts/picker.aspx"
      inurl:"/_layouts/role.aspx"
      inurl:"/_layouts/user.aspx"
      inurl:"/_layouts/userdisp.aspx"
      inurl:"/_layouts/userdisp.aspx" filetype:aspx
      inurl:"/_layouts/useredit.aspx"
      inurl:"/_layouts/viewgrouppermissions.aspx"
    WebParts
      inurl:"/_layouts/NewDwp.aspx"
      inurl:"/_layouts/spcf.aspx"
      inurl:"/WPPrevw.aspx"
    WebServices
      intext:"http://schemas.microsoft.com/sharepoint/" filetype:asmx
      intext:"soapAction=" intext:"http://microsoft.com/webservices/OfficeServer/" filetype:asmx
      inurl:"/_vti_bin/alerts.asmx" filetype:asmx
      inurl:"/_vti_bin/copy.asmx" filetype:asmx
      inurl:"/_vti_bin/dspsts.asmx" filetype:asmx
      inurl:"/_vti_bin/forms.asmx" filetype:asmx
      inurl:"/_vti_bin/lists.asmx" filetype:asmx
      inurl:"/_vti_bin/people.asmx" filetype:asmx
      inurl:"/_vti_bin/Permissions.asmx" filetype:asmx
      inurl:"/_vti_bin/search.asmx" filetype:asmx
      inurl:"/_vti_bin/sitedata.asmx" filetype:asmx
      inurl:"/_vti_bin/sites.asmx" filetype:asmx
      inurl:"/_vti_bin/usergroup.asmx" filetype:asmx
      inurl:"/_vti_bin/versions.asmx" filetype:asmx
      inurl:"/_vti_bin/views.asmx" filetype:asmx
      inurl:"/_vti_bin/webpartpages.asmx" filetype:asmx
      inurl:"/_vti_bin/webs.asmx" filetype:asmx
      inurl:"/_vti_bin/spsdisco.aspx" filetype:aspx
      inurl:"/_vti_bin/SharepointEmailWS.asmx" filetype:asmx
      inurl:"/_vti_bin/BusinessDataCatalog.asmx" filetype:asmx
      inurl:"/_vti_bin/ExcelService.asmx" filetype:asmx
      inurl:"/_vti_bin/UserProfileService.asmx" filetype:asmx
      inurl:"/_vti_bin/spscrawl.asmx" filetype:asmx
      inurl:"/_vti_bin/AreaService.asmx" filetype:asmx
      inurl:"/_vti_bin/WebPartPages.asmx" filetype:asmx
      inurl:"/_vti_bin/spsearch.asmx" filetype:asmx
  • 36. Three click attack… SharePoint Hacking Diggity Project – Bishop Fox http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/
    ✘ UserDispEnum
      • UserDispEnum is a SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can easily be extracted from the SharePoint user profiles.
    Paste this into your browser: http://www.google.com/#q=inurl:"/_layouts/userdisp.aspx
  • 37. SharePoint UserDispEnum
  • 38. SharePoint UserDispEnum
  • 39. SharePoint UserDispEnum
  • 40. SharePoint UserDispEnum
  • 41. SharePoint UserDispEnum
  • 42. Also many technical vulnerabilities…
    ✘ Microsoft Security Bulletin MS15-036 – Elevation of Privilege
      • April 14, 2015: "The attacker who successfully exploited these vulnerabilities could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the victim's browser."
    ✘ Microsoft SharePoint Online (cloud) – filter bypass & persistent vulnerability
      • Aug 18, 2015: "It is possible to evade the current security controls on Microsoft SharePoint Online 2013 Web Application by simply adding a blank iframe in the HTML through the `embed code` feature. It does not matter what policies have been implemented through the `HTML Field Security` feature. All filters / policies are easily evaded using the above mentioned filter bypass technique and this should be fixed immediately. Please note, once the filter is evaded, it is possible to inject malicious script code without any restrictions and it doesn't get stripped / filtered even after publishing. Successful exploitation of the vulnerability results in filter evasion of all SharePoint security policies for the websites and allows execution of persistent script code that can result in session hijacking, persistent phishing, stable external redirect, stable external malware loads and persistent vulnerable module context manipulation."
  • 43. Microsoft SharePoint Online (cloud) – filter bypass & persistent vulnerability. Proof of Concept (PoC): "The persistent input validation web vulnerability can be exploited by remote attackers with low required user interaction and a (restricted) privileged SharePoint cloud application user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.
    1. Register an Office and SharePoint Online 2013 account
    2. Log in to the SharePoint portal as admin
    3. Go to your site and click on Edit
    4. Go to Insert and include "embed code"
    5. In the input box, enter the given "Payload"
    6. Click Insert and then Save
    7. Upon being redirected to the index page, a JavaScript box should pop up proving the existence of this vulnerability"
    http://www.vulnerability-lab.com/get_content.php?id=1024
  • 44. WGET Script
    ✘ What is WGET?
      • It's a command-line tool to download webpages and their assets
    ✘ Why does it matter…
      • Mass content download! The following command will download all the content from SharePoint to static pages using WGET. WGET even fixes all links so that most navigation still works.
      wget -r --no-parent --convert-links -P c:\temp\<my local folder> --http-user=<domain\username> --http-passwd=<password> http://<path to sharepoint>
    ✘ What can we do to prevent its use…
      • WGET respects passwords
      • wget respects, by default, your robots.txt file
      • Web servers can be set up to deny WGET's default user agent
      • All that being said, it's really hard to block
  • 45. What can we do?
  • 46. Vulnerability assessment tools and resources…
    ✘ Assessment tools from vendors such as Metalogix (free Insider Threat Vulnerability tool), ShareGate (SharePoint Security Tool) and AvePoint (Governance Automation)
    ✘ OWASP Top 10
    ✘ Kali disc (pen testing)
    ✘ Microsoft Security Center – security bulletins https://technet.microsoft.com/en-us/library/security/dn631937.aspx
    ✘ Common Vulnerabilities and Exposures database http://www.cve.mitre.org/find/index.html
  • 47. Points to remember…
    ✘ SharePoint doesn't matter, the business matters. (quoted from the Metalogix Governance Best Practices ebook)
    ✘ We have to approach cloud services by assuming that your data is being looked at by third parties, including cloud systems administrators, and by governmental agencies…
    ✘ Most IT platforms, and particularly collaboration-oriented platforms, are challenged to adequately secure against rogue systems administrators and insiders. The solution to securing SharePoint and other IT platforms against insiders will always boil down to careful application of security controls, which are not always technical… http://www.nothingbutsharepoint.com/2013/08/30/sharepoint-security-impacts-from-snowden-and-wikileaks-breaches-aspx/
  • 48. Points to remember… (cont.)
    ✘ Don't take the technology for granted.
    ✘ Governance is most important. "It's not a checklist, it's a strategy"
    ✘ Educate staff in simple language they can understand and relate to
    ✘ Don't fall into "tick-box security"
    ✘ Understand the business needs and culture
    ✘ Be careful with custom code. Always use SSDLC techniques
    ✘ Teach your staff about social engineering
    ✘ Deploy defense-in-depth protection
  • 49. Conclusion… Mike Fleck, Co-Founder of CipherPoint Software, wrote: "If your house gets broken into, but you like the house, keep the house and buy a security system. People love SharePoint for the collaboration efficiencies the platform brings to the enterprise. Add to SharePoint the right set of administrative and technical security controls, and you've got a winning combination. It is possible to use the SharePoint platform for use cases involving highly sensitive data!"
  • 50. Thanks! Any questions? You can find me at ian@spotsolutions.com, https://www.linkedin.com/in/iannaumenko, @ignhot. Credits: special thanks to all the people who made and released these awesome slides for free. Presentation template by SlidesCarnival; photographs by Unsplash.

Editor's notes

  1. We, as administrators of business and of the technology that supports business, need to be concerned…
  2. Seen SP sites locked down to the point that they can't be used
  3. Story about reading clients' emails
  4. /_layouts/settings.aspx
  5. Interoperability (pronounced IHN-tuhr-AHP-uhr-uh-BIHL-ih-tee) is a property of a product or system, whose interfaces are completely understood, to work with other products or systems, present or future, without any restricted access or implementation
  6. Some SP installations are not usable because there is too much security