Eli Robillard is a seven-time Microsoft SharePoint MVP. He specializes in SharePoint architecture and in building great teams to manage SharePoint as an enterprise service platform.

As a thought leader and educator, Eli co-founded the ASPInsiders in 2003, launched the Toronto SharePoint User Group in 2006, launched the first free SP Saturday conference in 2007, was a co-author of Professional SharePoint 2007 Development and a technical editor of Professional SharePoint 2010 Development (Wrox Press).

Eli is engaged with PricewaterhouseCoopers to launch and ensure the operational success of a global internal SharePoint service. He is based in Toronto, Canada.
E-mail: eli@erobillard.com
Twitter: @erobillard
Blog: weblogs.asp.net/erobillard
Tweet about it! #spstoronto @erobillard
SECURITY FUNDAMENTALS
Tasks Architecture Operations Development Testing Security
Security Policies
Responsible Informed Accountable
Threat Modeling
Accountable Informed Informed Responsible
Security Design Principles
Accountable Informed Informed Consulted
Architecture and Design Responsible Informed Informed
Code Development Accountable Responsible
Technology-Specific Threats Accountable Responsible
Code Review Responsible Informed Accountable
Security Testing Consulted Informed Accountable Accountable
Network Security Consulted Responsible Accountable
Host Security Consulted Accountable Informed Responsible
Application Security Consulted Informed Accountable Responsible
Troubleshooting Consulted Accountable Informed
Deployment Review Consulted Responsible Informed Informed Accountable
Threat modeling process:
• Identify assets
• Create an architectural overview
• Decompose the application
• Identify the threats
• Document the threats
• Rate the threats
Vulnerability categories and the threats that exploit them:
• Input validation: Cross-site scripting, SQL injection
• Authentication: Cookie replay attacks, network eavesdropping
• Authorization: Elevation of privilege, data tampering, luring attacks
• Configuration management: Over-privileged accounts, access to admin interfaces
• Sensitive data: Access to data at rest, data tampering
• Session management: Session hijacking, session replay, man-in-the-middle attacks
• Cryptography: Poor key management
• Parameter manipulation: Form field, cookie, and query string manipulation
• Exception management: Errors reveal implementation details, denial-of-service attacks
• Auditing and logging: User denies accountability, attackers cover their tracks
Security design principles:
• Compartmentalize: Contain attacks
• Use least privilege: A breach should not lead to a greater breach
• Apply defense in depth: Use multiple gatekeepers; do not allow a single point of failure
• Do not trust user input: Assume all input is malicious until proven safe
• Check at the gate: Authenticate and authorize as early in the process as possible
• Fail securely: Do not provide details that help an attacker understand the mechanism
• Secure the weakest link: Is the network, host or application the weakest link?
• Create secure defaults: Standards, open libraries, and automation all help
• Reduce the attack surface: If you don't use it, remove or disable it
WHAT ARE THE THREATS TO SHAREPOINT?
It is easy to identify SharePoint sites:
• Promiscuous headers
• Identifiable UI elements
SharePoint is susceptible to known ASP.NET exploits:
• Be aware: some need faster action than others
• JavaScript injection is most common
• IFRAME click-jacking is possible by default
SharePoint is susceptible to SharePoint exploits:
• Files, pages, cookies and history can be cached on the user's system
• Static assets in the SharePoint hive do not require authorization
• Any web part in the GAC can be used on any site
• Any application page in the hive is accessible from every application and site
• Web and WCF services are visible for all sites
X-Frame-Options: SAMEORIGIN
<httpCookies httpOnlyCookies="false" requireSSL="true" />
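The cookie setting above is a one-line web.config change, but the X-Frame-Options header that stops the IFRAME click-jacking listed earlier is not something SharePoint 2010 emits on its own (SharePoint 2013 does). The following is an added example, not code from the slides: a small IHttpModule that adds the header to every response of the web application and leaves it alone when the platform has already set it. The class name, the web.config registration and the assembly details in it are assumptions for illustration.

```csharp
using System;
using System.Web;

// Added example, not from the slides: emits "X-Frame-Options: SAMEORIGIN"
// on every response so pages of this web application cannot be framed by
// another origin. Class name is an assumption.
public class FrameOptionsModule : IHttpModule
{
    private const string HeaderName = "X-Frame-Options";
    private const string HeaderValue = "SAMEORIGIN";

    public void Init(HttpApplication application)
    {
        // PreSendRequestHeaders fires once per response, just before the
        // headers are flushed, for pages, layouts pages and services alike.
        application.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication)sender;
        HttpResponse response = application.Context.Response;

        // Response.Headers is readable in the IIS integrated pipeline, which
        // SharePoint application pools use. Only add the header when absent,
        // so a platform that already sets it (SharePoint 2013) is not touched.
        if (!HeaderAlreadySet(response.Headers[HeaderName]))
        {
            response.AppendHeader(HeaderName, HeaderValue);
        }
    }

    // The decision is kept in a pure method so it can be unit-tested
    // without an HttpContext.
    public static bool HeaderAlreadySet(string existingValue)
    {
        return !string.IsNullOrEmpty(existingValue);
    }

    public void Dispose()
    {
    }
}

// Registration in the web application's web.config (assumed; the type name,
// assembly name and PublicKeyToken below are placeholders to replace with
// your own strong-named assembly):
//
// <system.webServer>
//   <modules>
//     <add name="FrameOptionsModule"
//          type="Contoso.Web.FrameOptionsModule, Contoso.Web, Version=1.0.0.0,
//                Culture=neutral, PublicKeyToken=PLACEHOLDER" />
//   </modules>
// </system.webServer>
```

Because SharePoint rewrites web.config on its own, deploy the registration with an SPWebConfigModification in a feature receiver rather than by hand-editing the file, so it survives on every server in the farm and is removed cleanly when the feature is deactivated.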
http://technet.microsoft.com/en-us/security/bulletin
http://technet.microsoft.com/en-us/security/advisory/2416728
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?PageType=4&ListId={72C1C85B-1D2D-4A4A-90DE-CA74A7808184}&pID=941
http://weblogs.asp.net/erobillard/archive/2010/09/21/how-to-protect-sharepoint-servers-from-the-asp-net-vulnerability.aspx
Walkthrough: MS13-070
Walkthrough: MS13-024
http://technet.microsoft.com/en-us/security/bulletin/ms13-024
Which identity does the code run as?
Console / PowerShell
• Member of Farm Administrators group
• SharePoint Installer account
Timer Jobs
• Farm account
SP Services
• User impersonation
• Application Pool Identity of the Service Application
• Managed Account
Client-side code
• User impersonation
Full Trust Code
• User impersonation
• Application Pool Identity
Custom CAS Policies
• User impersonation
• Application Pool Identity
Sandbox (Deprecated)
• Application Pool Identity
Apps
• User-only Policy
• User + App Policy
• App-only Policy
SECURE PRACTICES
// Leaks the SPWeb (and its SQL connection): nothing ever disposes it
SPWeb web = site.OpenWeb();
// do stuff with web

// Better: explicit Dispose, but it is skipped if an exception is thrown first
SPWeb web = site.OpenWeb();
// do stuff with web
web.Dispose();

// Best: using guarantees Dispose on every exit path
using (SPWeb web = site.OpenWeb())
{
    // do stuff with web
}
// Code shared between web and non-web hosts must check where it runs
if (HttpContext.Current == null)
{
    // This isn't being called from a web application (timer job, console, PowerShell)
}

// Check the user's permission before doing work on their behalf
if (web.DoesUserHavePermissions(SPBasePermissions.ManageLists))
{
    // Backup list(s) to SkyDrive
}
http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx

// Encode output with the AntiXSS library (Microsoft.Security.Application)
AntiXss.HtmlEncode(myString)
AntiXss.UrlEncode(myString)
// Is the ItemId parameter an Int32?
int ItemId;
if (!Int32.TryParse(Request.QueryString["ItemId"], out ItemId))
{
    // Exit with an invalid parameter error
}

// Is the ListId parameter a GUID? (RegexStringValidator lives in System.Configuration)
RegexStringValidator val = new RegexStringValidator(
    @"^{?[\dA-Fa-f]{8}-[\dA-Fa-f]{4}-[\dA-Fa-f]{4}-[\dA-Fa-f]{4}-[\dA-Fa-f]{12}}?$");
// If invalid, this will throw a System.ArgumentException
val.Validate(Request.QueryString["ListId"]);
Guid ListId = new Guid(Request.QueryString["ListId"]);
• LayoutsPageBase
• SPUtility.ValidateFormDigest()
• AllowUnsafeUpdates
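The three items above come together in one application page. The following is an added example, not code from the slides: a LayoutsPageBase page that lets the base class enforce the required permission, validates its query-string parameters with the non-throwing TryParse methods, and validates the form digest before any write. The class name, the ListId and ItemId parameter names and the choice of ManageLists as the required right are assumptions for illustration.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

// Added example, not from the slides. Names and the required right are assumed.
public class ValidatedListItemPage : LayoutsPageBase
{
    // LayoutsPageBase evaluates this before OnLoad and redirects users who
    // lack the right to the access-denied page: "check at the gate" with
    // no code of our own.
    protected override SPBasePermissions RightsRequired
    {
        get { return SPBasePermissions.ManageLists; }
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);

        Guid listId;
        int itemId;
        if (!TryParseParameters(Request.QueryString["ListId"],
                                Request.QueryString["ItemId"],
                                out listId, out itemId))
        {
            // Fail securely: a generic message, the raw values are never echoed back.
            SPUtility.TransferToErrorPage("The page parameters are not valid.");
            return;
        }

        // Writes only happen on a postback, and a postback must carry a valid
        // form digest or it may be a cross-site request forgery.
        if (IsPostBack && !SPUtility.ValidateFormDigest())
        {
            SPUtility.TransferToErrorPage("The security validation for this page is not valid.");
            return;
        }

        // Objects from SPContext are owned by SharePoint: never Dispose them.
        SPWeb web = SPContext.Current.Web;
        SPList list = web.Lists[listId];            // throws if the GUID is not a list in this web
        SPListItem item = list.GetItemById(itemId); // throws if no item has that ID

        if (IsPostBack)
        {
            // Update fields on item here, then commit with item.Update().
        }
    }

    // Pure validation, kept out of the page so it can be unit-tested.
    // Guid.TryParse (.NET 4) and int.TryParse never throw on bad input.
    public static bool TryParseParameters(string rawListId, string rawItemId,
                                          out Guid listId, out int itemId)
    {
        bool listOk = Guid.TryParse(rawListId, out listId);
        bool itemOk = int.TryParse(rawItemId, out itemId) && itemId > 0;
        return listOk && itemOk;
    }
}
```

A malformed ListId or ItemId therefore never reaches the object model, and an unexpected failure after validation (a list that was deleted, for instance) surfaces as SharePoint's standard error page with a correlation ID rather than a stack trace.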
if (HttpContext.Current == null)
{
    // parmAbsoluteUrl is an absolute URL in the format "http://server/sites/mySite/"
    using (SPSite site = new SPSite(parmAbsoluteUrl))
    {
        // OpenWeb() with no arguments opens the web that parmAbsoluteUrl points to
        using (SPWeb web = site.OpenWeb())
        {
            web.AllowUnsafeUpdates = true;
            try
            {
                // Update SharePoint objects here
            }
            finally
            {
                // Reset even if the update throws
                web.AllowUnsafeUpdates = false;
            }
        }
    }
}
else // HttpContext.Current has a value
{
    SPUtility.ValidateFormDigest();
    // Update SharePoint objects here
}
// Requires: using System.Runtime.InteropServices;
[DllImport("advapi32.dll")]
public static extern uint EventActivityIdControl(uint controlCode, ref Guid activityId);
public const uint EVENT_ACTIVITY_CTRL_GET_ID = 1;
// …
// And then use it in code like this:
try
{
    // code block goes here
}
catch
{
    // Read the ETW activity ID SharePoint uses as the ULS correlation ID
    Guid g = Guid.Empty;
    EventActivityIdControl(EVENT_ACTIVITY_CTRL_GET_ID, ref g);
    // Show the user only the ID; the details stay in the ULS log
    this.Controls.Add(new Label
    {
        Text = string.Format("An error occurred with Correlation ID {0}", g)
    });
}
private string _numberArray;

public string NumberArray
{
    // Required format: 1,2,3,4
    get { return _numberArray; }
    set
    {
        string[] arr = value.Split(',');
        foreach (string item in arr)
        {
            int i;
            if (!int.TryParse(item, out i))
                throw new WebPartPageUserException("The item \"" + item + "\" is not a valid number");
        }
        _numberArray = value;
    }
}
SPWeb web = SPContext.Current.Web;
try
{
    // Verify this is a postback from a valid Application Page
    SPUtility.ValidateFormDigest();
    // Verify that the user has a valid permission before elevating
    if (web.DoesUserHavePermissions(SPBasePermissions.ManageWeb))
    {
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Read data using the SharePoint Object Model here
        });
    }
}
catch (SPException)
{
    // Fail securely: log the details, show the user only a generic error
}

// Update a SharePoint property
using (SPSite elevatedSite = LitwareSecurity.SharePoint.Security.GetElevatedSite(web.Site))
{
    // Update data using SharePoint object model here.
}
The secret sauce: GetElevatedSite first tries site.SystemAccount.UserToken. If that doesn't work it falls back to RWEP() (RunWithElevatedPrivileges) to call GetSystemToken(). It then returns an elevated SPSite using this token.
Get the source: http://www.danlarson.com/elevated-privilege-with-spsite/
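The comment "Read data using the SharePoint Object Model here" in the elevation snippet above hides the step most often done wrong: objects taken from SPContext keep the user's token even inside RunWithElevatedPrivileges, so the delegate must open its own SPSite and SPWeb. The following is an added example, not code from the slides or from Dan Larson's helper; the class, the method and the listTitle parameter are assumptions for illustration.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Added example, not from the slides. Names are assumed.
public static class ElevatedListReader
{
    // Returns the item count of a list the current user may not be able to
    // open, but only for a user who already holds ManageWeb on this web.
    public static int CountItemsAsSystem(string listTitle)
    {
        SPWeb userWeb = SPContext.Current.Web;

        // Both checks run as the user, before any elevation.
        if (!SPUtility.ValidateFormDigest())
        {
            throw new SPException("The form digest is not valid.");
        }
        if (!userWeb.DoesUserHavePermissions(SPBasePermissions.ManageWeb))
        {
            throw new UnauthorizedAccessException("ManageWeb is required.");
        }

        // Capture plain identifiers outside the delegate. SPSite/SPWeb objects
        // from SPContext keep the user's token even inside
        // RunWithElevatedPrivileges; only objects created inside the delegate
        // run as the application pool identity.
        Guid siteId = userWeb.Site.ID;
        Guid webId = userWeb.ID;
        int count = -1;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // New objects, created inside the delegate, carry the system token.
            // Dispose them here; they are ours, unlike the SPContext ones.
            using (SPSite elevatedSite = new SPSite(siteId))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb(webId))
            {
                // Read only: no AllowUnsafeUpdates and no writes under elevation.
                SPList list = elevatedWeb.Lists.TryGetList(listTitle);
                count = list == null ? 0 : list.ItemCount;
            }
        });

        return count;
    }
}
```

Keep the elevated region as small as the task allows and return plain values (here an int) out of the delegate, rather than elevated SPWeb or SPListItem objects, so nothing that runs as the application pool identity escapes into code that executes later as the user.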
// Call a non-SharePoint resource
using (HostingEnvironment.Impersonate())
{
// Call an external resource using the credentials of
// the Application Pool ID here
}
SHAREPOINT 2013 APP MODEL
App Web
Remote Web
All or nothing
<?xml version="1.0" encoding="utf-8" ?>
<App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
     ProductID="{4a07f3bd-803d-45f2-a710-b9e944c3396e}"
     Version="1.0.0.0"
     SharePointMinVersion="15.0.0.0"
     Name="MySampleApp">
  <Properties>
    <Title>My Sample App</Title>
    <StartPage>http://ContosoApps/default.aspx/?SPHostUrl={HostUrl}</StartPage>
    <SupportedLocales>
      <SupportedLocale CultureName="en-US" />
    </SupportedLocales>
  </Properties>
  <AppPermissionRequests>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
    <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
      <Property Name="BaseTemplateId" Value="101"/>
    </AppPermissionRequest>
  </AppPermissionRequests>
  <AppPrincipal>
    <RemoteWebApplication ClientId="1ee82b34-7c1b-471b-b27e-ff272accd564" />
  </AppPrincipal>
</App>
Scope: Pertains to
• Site Collection *: A SharePoint site collection
• Web *: A SharePoint web site
• List *: A SharePoint list
• Search: The SharePoint Search Service
• Workflow: The Windows Azure Workflow Service
• Taxonomy: The SharePoint Taxonomy Service
• BCS: Read access to BCS service data sources
App permission name (SharePoint permission name): Permissions
• Read (Reader): View Items, Open Items, View Versions, Create Alerts, Use Self-Service Site Creation, View Pages
• Write (Contributor): Read-Only permissions, plus: Add Items, Edit Items, Delete Items, Delete Versions, Browse Directories, Edit Personal User Information, Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts
• Manage (Designer): Write permissions, plus: Manage Lists, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets
• FullControl (Full Control): All permissions.
Policy: Conditions
• User-only Policy: Content database authorization checks succeed if the User has sufficient permissions to perform the action.
• App-only Policy: Content database authorization checks succeed if the App has sufficient permissions, whether or not the current user (if there is a current user) has the same permissions.
• User and App Policy: Content database authorization checks succeed only if both the current User and the App have sufficient permissions to perform the actions that the App is designed to perform. This is required to act on behalf of the user when the App is hosted in a Remote Web and not an App Web.
http://watchguardsecuritycenter.com/tag/sharepoint/
http://www.sharepointsecurity.com/
http://spsecurityscanner.codeplex.com/
http://social.technet.microsoft.com/wiki/contents/articles/12392.sharepoint-2013-resources-for-developers.aspx
http://msdn.microsoft.com/en-us/library/ff650760.aspx
Join our local user groups:
Toronto SharePoint Users Group: http://www.tspug.com/
Toronto SharePoint Business Users Group: http://www.meetup.com/TSPBUG/
Thanks to our sponsors!

 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 

Writing Secure SharePoint Code - SharePoint Saturday Toronto

  • 2. Eli Robillard is a seven-time Microsoft SharePoint MVP. He specializes in SharePoint architecture and building great teams to manage SharePoint as an enterprise service platform. As a thought leader and educator, Eli co-founded the ASPInsiders in 2003, launched the Toronto SharePoint User Group in 2006, launched the first free SP Saturday conference in 2007, was a co-author of Professional SharePoint 2007 Development and a technical editor of Professional Professional SharePoint 2010 Development (Wrox Press). Eli is engaged with PricewaterhouseCoopers to launch and ensure the operational success of a global internal SharePoint service. He is based in Toronto, Canada. E-mail eli@erobillard.com Twitter @erobillard Blog weblogs.asp.net/erobillard
  • 3. Tweet about it! #spstoronto @erobillard
  • 6. RACI matrix (columns: Architecture, Operations, Development, Testing, Security; the transcript does not preserve which column each value falls in):
        Security Policies: Responsible, Informed, Accountable
        Threat Modeling: Accountable, Informed, Informed, Responsible
        Security Design Principles: Accountable, Informed, Informed, Consulted
        Architecture and Design: Responsible, Informed, Informed
        Code Development: Accountable, Responsible
        Technology-Specific Threats: Accountable, Responsible
        Code Review: Responsible, Informed, Accountable
        Security Testing: Consulted, Informed, Accountable, Accountable
        Network Security: Consulted, Responsible, Accountable
        Host Security: Consulted, Accountable, Informed, Responsible
        Application Security: Consulted, Informed, Accountable, Responsible
        Troubleshooting: Consulted, Accountable, Informed
        Deployment Review: Consulted, Responsible, Informed, Informed, Accountable
  • 8. Threat categories and example threats:
        Input validation: Cross-site scripting, SQL injection
        Authentication: Cookie replay attacks, network eavesdropping
        Authorization: Elevation of privilege, data tampering, luring attacks
        Configuration management: Over-privileged accounts, access to admin interfaces
        Sensitive data: Access to data at rest, data tampering
        Session management: Session hijacking, session replay, man-in-the-middle attacks
        Cryptography: Poor key management
        Parameter manipulation: Form field, cookie, and query string manipulation
        Exception management: Errors reveal implementation, denial-of-service attacks
        Auditing and logging: User denies accountability, attackers cover their tracks
  • 9. Security design principles:
        Compartmentalize: Contain attacks
        Use least privilege: A breach should not lead to a greater breach
        Apply defense in depth: Use multiple gatekeepers; do not allow a single point of failure
        Do not trust user input: Assume all input is malicious until proven safe
        Check at the gate: Authenticate and authorize as early in the process as possible
        Fail securely: Do not provide details that help an attacker understand the mechanism
        Secure the weakest link: Is the network, host or application the weakest link?
        Create secure defaults: Standards, open libraries, and automation all help
        Reduce the attack surface: If you don't use it, remove or disable it
  • 10. WHAT ARE THE THREATS TO SHAREPOINT?
  • 11. It is easy to identify SharePoint sites:
        • Promiscuous headers
        • Identifiable UI elements
        SharePoint is susceptible to known ASP.NET exploits:
        • Be aware; some need faster action than others
        • JavaScript injection is most common
        • IFRAME click-jacking is possible by default
        SharePoint is susceptible to SharePoint exploits:
        • Files, pages, cookies and history can be cached on the user's system
        • Static assets in the SharePoint hive do not require authorization
        • Any web part in the GAC can be used on any site
        • Any application page in the hive is accessible from every application and site
        • Web and WCF services are visible for all sites
  • 12. Response header: X-Frame-Options: SAMEORIGIN
        web.config: <httpCookies httpOnlyCookies="false" requireSSL="true" />
        Security bulletins: http://technet.microsoft.com/en-us/security/bulletin
  • 19. Who runs under which identity:
        Console / PowerShell: member of the Farm Administrators group; SharePoint Installer account
        Timer Jobs: Farm account
        SP Services: User impersonation; Application Pool Identity of the Service Application; Managed Account
        Client-side code: User impersonation
        Full Trust Code: User impersonation; Application Pool Identity
        Custom CAS Policies: User impersonation; Application Pool Identity
        Sandbox (Deprecated): Application Pool Identity
        Apps: User-only Policy; User + App Policy; App-only Policy
  • 22. Three ways to open an SPWeb: the first leaks the object, the second disposes it by hand, the third lets using dispose it.
        // 1. Leaks: the SPWeb is never disposed
        SPWeb web = site.OpenWeb();
        // do stuff with web

        // 2. Manual disposal (easy to miss on an exception path)
        SPWeb web = site.OpenWeb();
        // do stuff with web
        web.Dispose();

        // 3. Preferred: disposed even if an exception is thrown
        using (SPWeb web = site.OpenWeb())
        {
            // do stuff with web
        }
  • 23. if (HttpContext.Current == null)
        {
            // This isn't being called in a web application
        }
  • 24. if (web.DoesUserHavePermissions(SPBasePermissions.ManageLists))
        {
            // Backup list(s) to SkyDrive
        }
        http://msdn.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx
  • 26. // RegexStringValidator lives in System.Configuration
        int ItemId;
        // Is the ItemId parameter an Int32?
        if (!Int32.TryParse(Request.QueryString["ItemId"], out ItemId))
        {
            // Exit with an invalid parameter error
        }

        // Is the ListId parameter a GUID?
        RegexStringValidator val = new RegexStringValidator(
            @"^{?[\dA-Fa-f]{8}-[\dA-Fa-f]{4}-[\dA-Fa-f]{4}-[\dA-Fa-f]{4}-[\dA-Fa-f]{12}}?$");
        // If invalid, this will throw a System.ArgumentException
        val.Validate(Request.QueryString["ListId"]);
        Guid ListId = new Guid(Request.QueryString["ListId"]);
  • 28. if (HttpContext.Current == null)
        {
            // parmAbsoluteUrl is an absolute URL in the format "http://server/sites/mySite/"
            using (SPSite site = new SPSite(parmAbsoluteUrl))
            {
                using (SPWeb web = site.OpenWeb())
                {
                    web.AllowUnsafeUpdates = true;
                    // Update SharePoint objects here
                    web.AllowUnsafeUpdates = false;
                }
            }
        }
        else // HttpContext.Current has a value
        {
            SPUtility.ValidateFormDigest();
            // Update SharePoint objects here
        }
  • 29. // Requires System.Runtime.InteropServices
        [DllImport("advapi32.dll")]
        public static extern uint EventActivityIdControl(uint controlCode, ref Guid activityId);
        public const uint EVENT_ACTIVITY_CTRL_GET_ID = 1;
        // ...
        // And then use it in code like this:
        try
        {
            // code block goes here
        }
        catch
        {
            // Read the current correlation ID so the user can quote it to the administrator
            Guid g = Guid.Empty;
            EventActivityIdControl(EVENT_ACTIVITY_CTRL_GET_ID, ref g);
            this.Controls.Add(new Label { Text = string.Format("An error occurred with Correlation ID {0}", g) });
        }
  • 30. private string _numberArray;

        public string NumberArray
        {
            // Required format: 1,2,3,4
            get { return _numberArray; }
            set
            {
                string[] arr = value.Split(',');
                foreach (string item in arr)
                {
                    int i;
                    if (!int.TryParse(item, out i))
                        throw new WebPartPageUserException("The item \"" + item + "\" is not a valid number");
                }
                _numberArray = value;
            }
        }
  • 32. SPWeb web = SPContext.Current.Web;
        try
        {
            // Verify this is a postback from a valid Application Page
            SPUtility.ValidateFormDigest();
            // Verify that the user has a valid permission before elevating
            if (web.DoesUserHavePermissions(SPBasePermissions.ManageWeb))
            {
                SPSecurity.RunWithElevatedPrivileges(delegate()
                {
                    // Read data using the SharePoint Object Model here
                });
            }
        }
        catch (Exception)
        {
            // Log the details; show the user only a friendly message (fail securely)
        }
  • 33. // Update a SharePoint property
        using (SPSite elevatedSite = LitwareSecurity.SharePoint.Security.GetElevatedSite(web.Site))
        {
            // Update data using SharePoint object model here.
        }
        The secret sauce: GetElevatedSite first tries site.SystemAccount.UserToken. If that doesn't work it falls back to RunWithElevatedPrivileges() to GetSystemToken(). It then returns an elevated SPSite using this token. Get the source: http://www.danlarson.com/elevated-privilege-with-spsite/
  • 34. // Call a non-SharePoint resource
        using (HostingEnvironment.Impersonate())
        {
            // Call an external resource using the credentials of
            // the Application Pool ID here
        }
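As an added example (not from the slides or from the cited helper), here is one way to put slides 26, 28, 32 and 33 together in a single Web Part handler: validate the form digest, validate the input, check the caller's own permission, and only then open an elevated SPSite from the system account token and dispose it. The class and method names, and the use of Guid.TryParse instead of the slide's regex, are assumptions of this example.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebPartPages;

// Hypothetical helper called from a Web Part button handler (example code).
public static class GatedElevation
{
    // Rejects bad requests and under-privileged callers before any elevation happens.
    public static void UpdateListAsSystem(string listIdParam)
    {
        SPWeb web = SPContext.Current.Web;   // owned by SPContext: do not dispose it

        // 1. Check at the gate: only accept a postback that carries a valid form digest.
        if (!SPUtility.ValidateFormDigest())
        {
            throw new WebPartPageUserException("Invalid form digest; reload the page and retry.");
        }

        // 2. Do not trust user input: the list id must parse as a GUID before it is used.
        Guid listId;
        if (!Guid.TryParse(listIdParam, out listId))
        {
            throw new WebPartPageUserException("ListId is not a valid GUID.");
        }

        // 3. Assert the caller's own permission on the current web before elevating.
        if (!web.DoesUserHavePermissions(SPBasePermissions.ManageLists))
        {
            throw new UnauthorizedAccessException("ManageLists permission is required.");
        }

        // 4. Elevate with the system account token instead of RunWithElevatedPrivileges.
        //    If reading the token throws UnauthorizedAccessException in your context,
        //    fall back to the GetSystemToken pattern from the speaker notes.
        SPUserToken systemToken = web.Site.SystemAccount.UserToken;

        // The elevated SPSite/SPWeb are created here, so they must be disposed here.
        using (SPSite elevatedSite = new SPSite(web.Site.ID, systemToken))
        using (SPWeb elevatedWeb = elevatedSite.OpenWeb(web.ID))
        {
            elevatedWeb.AllowUnsafeUpdates = true;
            try
            {
                // Look up elevatedWeb.Lists[listId] and perform the update here.
            }
            finally
            {
                // Always reset, even if the update throws.
                elevatedWeb.AllowUnsafeUpdates = false;
            }
        }
    }
}
```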
  • 39. <?xml version="1.0" encoding="utf-8" ?>
        <App xmlns="http://schemas.microsoft.com/sharepoint/2012/app/manifest"
             ProductID="{4a07f3bd-803d-45f2-a710-b9e944c3396e}"
             Version="1.0.0.0"
             SharePointMinVersion="15.0.0.0"
             Name="MySampleApp">
          <Properties>
            <Title>My Sample App</Title>
            <StartPage>http://ContosoApps/default.aspx/?SPHostUrl={HostUrl}</StartPage>
            <SupportedLocales>
              <SupportedLocale CultureName="en-US" />
            </SupportedLocales>
          </Properties>
          <AppPermissionRequests>
            <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
            <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write">
              <Property Name="BaseTemplateId" Value="101"/>
            </AppPermissionRequest>
          </AppPermissionRequests>
          <AppPrincipal>
            <RemoteWebApplication ClientId="1ee82b34-7c1b-471b-b27e-ff272accd564" />
          </AppPrincipal>
        </App>
  • 40. App permission scopes (Scope: Pertains to):
        Site Collection *: A SharePoint site collection
        Web *: A SharePoint web site
        List *: A SharePoint list
        Search: The SharePoint Search Service
        Workflow: The Windows Azure Workflow Service
        Taxonomy: The SharePoint Taxonomy Service
        BCS: Read access to BCS service data sources
  • 41. App permission name / SharePoint permission name / Permissions:
        Read / Reader: View Items, Open Items, View Versions, Create Alerts, Use Self-Service Site Creation, View Pages
        Write / Contributor: Read permissions, plus: Add Items, Edit Items, Delete Items, Delete Versions, Browse Directories, Edit Personal User Information, Manage Personal Views, Add/Remove Personal Web Parts, Update Personal Web Parts
        Manage / Designer: Write permissions, plus: Manage Lists, Add and Customize Pages, Apply Themes and Borders, Apply Style Sheets
        FullControl / Full Control: All permissions
  • 42. App authorization policies (Policy: Conditions):
        User-only Policy: Content database authorization checks succeed if the user has sufficient permissions to perform the action.
        App-only Policy: Content database authorization checks succeed if the app has sufficient permissions, whether or not the current user (if there is one) has the same permissions.
        User and App Policy: Content database authorization checks succeed only if both the current user and the app have sufficient permissions to perform the actions the app is designed to perform. This is required to act on behalf of the user when the app is hosted in a remote web and not an app web.
  • 48. Join our local user groups:
        Toronto SharePoint Users Group http://www.tspug.com/
        Toronto SharePoint Business Users Group http://www.meetup.com/TSPBUG/
  • 49. Thanks to our sponsors!

Speaker notes

  1. Thanks to DakshKhullar for suggesting improvements to this presentation
  2. Where you do not have control, be aware
  3. Responsible, Accountable, Consulted, Informed. Sources: Improving Web Application Security: Threats and Countermeasures, Microsoft Press, p. lxxxi; Improving .NET Application Performance and Scalability, Microsoft Developer Network, http://msdn.microsoft.com/en-us/library/ff648148.aspx
  4. When rating the threats, disregard whether or not special knowledge might be needed to discover the vulnerability. Assume that your attacker has full knowledge of the system. Describe MS10-070 (a zero day exploit of the application pool identity, allowing the attacker access to the web root including web.config and the SharePoint hive).
  5. Ibid., pp. 13-43
  6. Source: Ibid., p. 11
  7. Click-jacking (a luring attack) is disabled in SharePoint 2013 by default. "Frame-breaking" JavaScript code works equally well to prevent wrapping the page in an IFRAME. Note that Apps run in IFRAMEs, so you wouldn't protect SP2013 Apps this way, only the SharePoint WFEs. Note that the "HTTP Only" cookie setting breaks out-of-box workflow, as these use the InfoPath-style forms rather than WebForms. The error message is, "The form cannot be displayed because the use of session cookies has been disabled in the current browser settings. In order to load the form, session cookies must be allowed."
  8. Minimum required accounts: http://technet.microsoft.com/en-us/library/ee662513.aspx Reference: Account permissions and security settings in SharePoint 2013, http://technet.microsoft.com/en-us/library/cc678863.aspx WSS_ADMIN_WPG, WSS_WPG and other group permissions; Registry, File System (including hosts): http://technet.microsoft.com/en-us/library/ee662513.aspx
  9. Plan for App Authentication in SharePoint 2013: http://technet.microsoft.com/en-us/library/jj219806.aspx
  10. External Data Reference (BCS): http://msdn.microsoft.com/en-us/library/ff798353.aspx Managed account reference: http://blog.falchionconsulting.com/?s=%22managed+accounts%22
  11. Authorization and authentication for apps in SharePoint 2013: http://msdn.microsoft.com/en-us/library/fp142384.aspx While presenting to the Bermuda SharePoint User Group, Craig Lussier asked: "Where would it be best to store configuration if you are a vendor and want to release a web part to check for membership in a particular AD group before executing an operation (e.g. prior to creating a user in AD)?" While web.config is the easiest place to name your AD group, a better solution would be to create a Central Admin page that lets you configure the web part per site collection, and store the property in the site collection root web's property bag. The web part could then look the value up and, if it existed, execute; if the property did not exist, the web part would "know" it is not allowed to execute in that context.
  12. HP WebInspect is popular but results are mixed with SharePoint sites. MSR’s Gatekeeper project is a promising static analysis tool for JavaScript but no tools implementing its principles appear available: http://research.microsoft.com/en-us/projects/gatekeeper/
  13. Let’s start with an easy one
  14. Based on the following post, Martin Laplante (IceFire) suggested that this technique may have performance implications: http://www.alaindeklerk.com/checking-user-permissions-doesuserhavepermissions-vs-catchaccessdeniedexception/ However, the alternative (try {} the operation and catch {} it if it fails) does not assert any security before executing the actual operation. Therefore it is a great technique for trapping exceptions before they reach the user or for displaying a friendly "Access Denied" message, but it does not achieve the goal: to confirm that the user has an appropriate permission before running a view or update operation on a SharePoint object.
  15. Anti-Cross Site Scripting Library: http://msdn.microsoft.com/en-us/security/aa973814.aspx Reference: Microsoft Anti-Cross Site Scripting Library v1.5: Protecting the Contoso Bookmark Page, http://msdn.microsoft.com/en-us/library/aa973813.aspx
  16. Great posts on AllowUnsafeUpdates by Hristo Pavlov: http://hristopavlov.wordpress.com/2008/05/16/what-you-need-to-know-about-allowunsafeupdates/ http://hristopavlov.wordpress.com/2008/05/21/what-you-need-to-know-about-allowunsafeupdates-part-2/
  17. Source: Wictor Wilén, http://www.wictorwilen.se/Post/Working-with-SharePoint-2010-Correlation-ID-in-PowerShell-and-code.aspx
  18. Source: Ishai Sagi, http://www.sharepoint-tips.com/2010/06/validating-web-part-properties.html
  19. Get the source to make this work from Dan Larson: http://www.danlarson.com/elevated-privilege-with-spsite/ Or paste it from here!
        using System;
        using Microsoft.SharePoint;

        namespace LitwareSecurity
        {
            /// <summary>A class for working with elevated privilege</summary>
            public static class SpSecurityHelper
            {
                /// <summary>Returns an elevated site</summary>
                /// <param name="theSite">
                /// The site that you want an elevated instance of.
                /// You must dispose of this object unless it is part of SPContext.Current.
                /// </param>
                /// <returns>An elevated site context.</returns>
                /// <remarks>Be sure to dispose of objects created from this method.</remarks>
                public static SPSite GetElevatedSite(SPSite theSite)
                {
                    var sysToken = GetSystemToken(theSite);
                    return new SPSite(theSite.ID, sysToken);
                }

                /// <summary>Gets a UserToken for the system account.</summary>
                /// <param name="site"></param>
                /// <returns>A usertoken for the system account user.</returns>
                /// <remarks>Use this token to impersonate the system account</remarks>
                public static SPUserToken GetSystemToken(SPSite site)
                {
                    site.CatchAccessDeniedException = false;
                    try
                    {
                        return site.SystemAccount.UserToken;
                    }
                    catch (UnauthorizedAccessException)
                    {
                        SPUserToken sysToken = null;
                        // Only use RunWithElevatedPrivileges to grab the system user token.
                        SPSecurity.RunWithElevatedPrivileges(delegate()
                        {
                            using (SPSite lolcatKiller = new SPSite(site.ID))
                            {
                                sysToken = lolcatKiller.SystemAccount.UserToken;
                            }
                        });
                        return sysToken;
                    }
                }
            }
        }
  20. Source: SPC205, Ted Pattison (with changes: Cloud-hosted clarified as both Provider and Auto-hosted Apps)
  21. Source: SPS030, Todd Baginski
  22. Reference: App Permissions in SharePoint 2013, http://msdn.microsoft.com/en-us/library/fp142383.aspx List Elements (including out-of-box Base Type IDs), http://msdn.microsoft.com/en-us/library/ms415091.aspx
  23. Reference: Addressing same-origin policy limitations in apps for Office: http://msdn.microsoft.com/en-us/library/fp123589.aspx Configuring SharePoint On-premise Deployment for Apps: http://blogs.technet.com/b/mspfe/archive/2013/01/31/configuring-sharepoint-on-premise-deployments-for-apps.aspx