Post on 21-Dec-2015
© 2005-2011. All Rights Reserved to Seeker Security Ltd.
CMS and Other Giants The Nightmare of AppSec
Irene Abezgauz, Product Manager
Seeker Security
• Formerly Hacktics® (Acquired by EY)
• New Generation of Application Security Testing (IAST)
• Recognized as Top 10 Most Innovative Companies at RSA® 2010.
• Recognized as “Cool Vendor” by Gartner
Introduction
• Application Security is Important!
• CMS – Mix of 3rd Party and Customizations
• Heavy on Code and Content
• Hard to Secure Properly
• Difficult to Test for Application Security
Agenda
• Size Matters… If you need to Secure it!
• Somebody Else Did It! 3rd Party Platforms
• My CMS has Wings! So does Everybody Else’s…
• Help!!! What can You do??
Size Matters… If you need to secure it!
Size Matters
• Large amount of pages (thousands and much more…)
• Most are static content pages – dynamically generated HTMLs, some aren’t…
• Dynamic and static content mixed
Size Matters
http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=vodafone&start=10&perpage=10&area=all
http://www.vodafone.com/content/index/about/about_us/money_transfer.html?q=related%3A%2Fcontent%2Findex%2Fabout%2Fabout_us%2Fmoney_transfer%2Fnews%2Fsafaricom_in_anotherfirstasm-pesaenterssupermarkets
Size Matters
• Often many parameters for each page
• Some are needed for this specific page
• Some are passed as a habit and never actually used
• For Example – SharePoint Collaboration Document Center – adding a new announcement
Size Matters
• (raw SharePoint POST body for adding a new announcement, omitted here) that’s over 25 parameters!
Size Matters
• (a second raw SharePoint POST body for the same action, this time with a full __VIEWSTATE and __EVENTVALIDATION, omitted here) That’s just a lot!
Size Matters – manual testing…
• Effort Estimation – even if it took only 3 weeks to build it, it won’t take 3 days to test it! Not enough time means hard-to-reach corners aren’t reached!
• Difficulty to map out the application
• Hard to separate between infrastructure and custom code (SharePoint is easy, MyDownloadedCMS is not)
Size Matters – manual testing…
• Difficulty to map module relationships – it comes in here and goes out… god knows where!
• Mixed static and dynamic content
• Code often very large, complex or not available
• A lot of different user types, components and roles
Size Matters – manual testing…
• Think about an application that has 5 user types (Superadmin, site admin, supervisor, normal user, read-only report-generation user)
• 25 different components
• Each user can access only part of the functionality in each component, let’s say 1/3…
• Now imagine the nightmare of authorization bypassing testing!
Size Matters – blackbox scanning…
• Difficulties to Crawl – a lot of pages to crawl, forms to submit, different functionality, JavaScript to parse
• Redundant testing of the same code that is activated from different locations (e.g. “email to a friend” links – http://www.site.com/somepage.jsp?func=mailToAFriend)
Size Matters – blackbox scanning…
• URL Rewriting / dynamically generated HTML – difficulty to identify parameters
http://www.ynet.co.il/articles/0,7340,L-4122262,00.html
http://www.amazon.com/Kindle-Wireless-Reading-Display-Generation/dp/B003FSUDM4/ref=sa_menu_kdp33/183-9381915-3823550
Size Matters – code analysis…
• Often the code is not available
• Sometimes user code is available but not the rest
• A LOT of code to cover
• Cross-module relations are difficult to map – too many components to map them all
• Massive component reuse – optimization challenges
Somebody Else Did It! 3rd party platforms…
Somebody Else Did It…
• Somebody Else Did It – so it’s inherently secure (especially if “Somebody” is a big, established software firm…)
• … Even if it initially wasn’t, then I didn’t update it for 5 years and also built 1,000,000 lines of insecure code on top of it as “minor changes”
• Lack of knowledge on customizations or security mechanisms
Somebody Else Did It…
• Not using integrated security features – “… Windows SharePoint Services 3.0 provides 33 pre-defined permissions that you can use to allow users to perform specific actions”
• Disabling integrated security features – “the XSS defense was preventing me from using special characters, so I disabled it for the entire module…”
Somebody Else Did It…
• Updates and Maintenance
• The (not so) good - Somebody else did it… 5 years ago
• The bad - Somebody else did it… but I didn’t install the updates
• The ugly - Somebody else did it… and won’t fix it
Somebody Else Did It…
• SharePoint File Upload Persistent XSS
• Authentication and the ability to write to the SharePoint site are required to exploit this scenario.
• Significant workarounds exist that allow SharePoint server configurations to be isolated from cross domain exploitation.
• SharePoint administrators can restrict the uploading of files to SharePoint servers
Somebody Else Did It…
(Just Released! Found by Seeker™)
Somebody Else Did It…
SharePoint 2007 Central Administration XSS:
XSS – Perform Operations on Behalf of Users, Steal Information, Take Their Cookies, Corrupt Data…
Somebody Else Did It…
When placed directly into the textbox – encoded on the client side to prevent XSS!
POST /Reports/Pages/Default.aspx HTTP/1.1 ...
ctl00$MSOTlPn_EditorZone$Edit0g_7aaa0c6d_72f5_4717_9b22_80188ffdbcde$peopleEditor$hiddenSpanData=<script>alert("I didn’t do HTML Encoding!")</script>
Somebody Else Did It…
SharePoint 2007 & 2010 Insecure Redirect
Insecure Redirect: sneakily lead users to a malicious website and do bad things to them there. Steal their credentials, tell them lies, have them tell their deepest secrets to www.evil.com!
The Vulnerable Parameter: Source. It’s a system-wide parameter used in SharePoint for redirects all over.
Normal Values:
Source=/Docs/Announcements/NewForm.aspx
Source=http://mysite/Docs/Announcements/NewForm.aspx
Somebody Else Did It…
Normal Values: anything inside the site!
However, this includes “Localhost” or “127.0.0.1”. For example:
Source=localhost/Docs/Announcements.NewItem.aspx
Actually, it permits anything starting with “Localhost” or “127.0.0.1”:
Source=Localhost.EvilSite.Com
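The Source check from these slides, as an added example that is not code from the presentation or from SharePoint: a prefix-style check of the kind the slides describe, next to an allow-list check that parses the value and compares the hostname exactly. The site host (mysite) and the sample values beyond the ones shown on the slides are assumed/constructed.

```python
"""Checking a SharePoint-style Source redirect parameter (added example)."""
from urllib.parse import urlsplit

SITE_HOST = "mysite"                          # assumed CMS host (constructed)
TRUSTED_HOSTS = {SITE_HOST, "localhost", "127.0.0.1"}


def weak_is_safe(source: str) -> bool:
    """Prefix check of the kind the slides describe: anything that *starts*
    with a trusted name passes, so 'Localhost.EvilSite.Com' is accepted."""
    s = source.lower()
    prefixes = ("/", "localhost", "127.0.0.1", f"http://{SITE_HOST}")
    return s.startswith(prefixes)


def strict_is_safe(source: str) -> bool:
    """Allow-list check: accept a site-relative path (single leading '/') or an
    http(s) URL whose parsed hostname is exactly one of TRUSTED_HOSTS."""
    if not source:
        return False
    if source.startswith("/"):
        # '//host/..' and '/\host/..' are scheme-relative in browsers and leave the site.
        return source[1:2] not in ("/", "\\")
    parts = urlsplit(source)
    if parts.scheme.lower() not in ("http", "https"):
        # Also rejects schemeless values such as 'localhost/..', whose meaning
        # depends on how the client resolves them.
        return False
    try:
        port = parts.port                     # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 80, 443):
        return False
    return (parts.hostname or "").lower() in TRUSTED_HOSTS


SAMPLES = [  # constructed; the first four are the values shown on the slides
    "/Docs/Announcements/NewForm.aspx",
    "http://mysite/Docs/Announcements/NewForm.aspx",
    "localhost/Docs/Announcements.NewItem.aspx",
    "Localhost.EvilSite.Com",
    "http://mysite.evilsite.example/",          # same prefix trick on the site host
    "//evil.example/",                          # scheme-relative URL
    "http://mysite@evil.example/",              # userinfo that looks like the site host
    "javascript:void(0)",
]


def compare(values=SAMPLES):
    """Return {value: (weak_verdict, strict_verdict)} for each sample."""
    return {v: (weak_is_safe(v), strict_is_safe(v)) for v in values}


if __name__ == "__main__":
    for value, (weak, strict) in compare().items():
        print(f"{value:48} weak={weak!s:5} strict={strict}")
```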
My CMS has Wings! So Does Everybody Else’s
My CMS has Wings!
• CommunityMS – Widgetization, Add-Ons, etc.
• UGC – User Generated Content – Web 2.0 creates many opportunities for security flaws!
• Administration & Backoffice – leaving the admin interface publicly accessible, not testing the admin interface as nobody has access to it.
My CMS has Wings!
• Administrative Interfaces? Just Google it!
• SharePoint?
Google for inurl:/docs/lists/announcements
• Wordpress?
Google for inurl:wp-login.php
(remote admin password reset vulnerability, anyone?)
• PeopleSoft?
Google for inurl:maintain_security
My CMS has Wings!
• I took a component, and then my custom code added write permissions to it. It was never secure enough for write permissions.
• Adding components provided by dubious entities… (look what I found on Google! It’s just a widget…)
My CMS has Wings!
• Fresh from the Oven, released in the past week:
WordPress WP e-Commerce Plugin 'cs1' Parameter SQL Injection Vulnerability (14-Sep-2011)
WordPress 'comment_post_ID' Parameter SQL Injection Vulnerability (12-Sep-2011)
WordPress Easy Comment Uploads Plugin 'upload.php' Arbitrary File Upload Vulnerability (12-Sep-2011)
WordPress Tune Library Plugin 'letter' Parameter SQL Injection Vulnerability (10-Sep-2011)
Help!!! What can You do??
Help!!!
• Provide enough time for thorough security testing
• Know which components are present
• Buy your platform from a reputable vendor or test it fully, including platform components
• Spend time to configure your security tools
• Prefer security tools that know your specific platform
Help!!!
• Choose widgets and add-ons from a reputable vendor, and test them properly anyway
• Take an expert who knows it to configure it and help you customize it
• Use the built-in security features
• Update and maintain it!
• Secure it like any other development process
Thank You!