Friday, 2 February 2018

Security Bugs and resolution in Sharepoint

1) Cookies: HttpOnly Flag Not Set:

Solution:

Set the following property in the web.config:

<httpCookies httpOnlyCookies="true" …>

or

This can be configured by adding the following in global.asax. This file is located in the virtual directory of the web application, so go to IIS Manager, right-click the web application and choose Explore.

<SCRIPT language="C#" runat="server">
protected void Session_Start(Object sender, EventArgs e)
{
    try
    {
        // Mark the session cookie HttpOnly so client-side script cannot read it
        Response.Cookies["ASP.NET_SessionId"].HttpOnly = true;
    }
    catch (Exception)
    {
        // The session cookie may not exist yet on this request; nothing to do
    }
}
</SCRIPT>

Reference: https://www.owasp.org/index.php/HttpOnly

2) User controllable HTML element attribute (potential XSS):

Solution:

Set the following properties in the web.config (request validation rejects requests whose input contains HTML/script markup):

<system.web>
  <pages buffer="true" validateRequest="true" />
</system.web>




3) Prevent anonymous users from accessing the _layouts directory:

Solution:

Set the following properties in the web.config. The rules are evaluated top to bottom and the first match wins: the named users are allowed, anonymous users ("?") are denied, and everyone else ("*") is denied.

<location path="_layouts/viewlsts.aspx">
  <system.web>
    <authorization>
      <allow users="domainname\user1,domainname\user2" />
      <deny users="?" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
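Because the order of the rules in that block matters, here is a small added example (written for this post, not SharePoint or ASP.NET code) that simulates ASP.NET's top-down, first-match authorization evaluation. It shows that the snippet above admits only the two named accounts, and that moving the deny-everyone rule to the top would lock out everybody, including user1. The user names and the "no rule matched" default (the machine-wide allow-all rule) are as described in the text; the function names are my own.

```python
# Added example (not from the original post): simulates how ASP.NET evaluates the
# <authorization> rules of a <location> block. Rules are checked top to bottom and the
# first rule that matches the caller decides; "?" means anonymous users, "*" means
# everyone. This illustrates the rule semantics; it is not ASP.NET's own code.

ANONYMOUS = None  # represents an unauthenticated request

def rule_matches(rule, user):
    """Return True if an <allow>/<deny> rule applies to the given user."""
    for target in rule["users"].split(","):
        target = target.strip()
        if target == "*":
            return True
        if target == "?" and user is ANONYMOUS:
            return True
        if user is not ANONYMOUS and target.lower() == user.lower():
            return True
    return False

def is_authorized(rules, user):
    """First matching rule wins; if nothing matches, the machine-wide default (allow *) applies."""
    for rule in rules:
        if rule_matches(rule, user):
            return rule["action"] == "allow"
    return True

# The rules from the web.config snippet above, in the same order
LAYOUTS_RULES = [
    {"action": "allow", "users": "domainname\\user1,domainname\\user2"},
    {"action": "deny", "users": "?"},
    {"action": "deny", "users": "*"},
]

# Same rules with <deny users="*"/> moved to the top: nobody gets through
MISORDERED_RULES = [LAYOUTS_RULES[2], LAYOUTS_RULES[0], LAYOUTS_RULES[1]]

def audit(rules):
    """Evaluate the rule set for an anonymous caller, a listed user and an unlisted user."""
    return {
        "anonymous": is_authorized(rules, ANONYMOUS),
        "user1": is_authorized(rules, "domainname\\user1"),
        "other": is_authorized(rules, "domainname\\someone_else"),
    }

if __name__ == "__main__":
    print("as configured:", audit(LAYOUTS_RULES))
    print("deny * first: ", audit(MISORDERED_RULES))
```

Run it as a script to see both orderings side by side; the same check can be applied to any other `<location>` block by transcribing its rules into the list.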

Reference:



4) "View state without MAC signature (Unsure)" vulnerability detected by the ZAP tool:

Solution:

Set the following properties in the web.config.

Please refer to the link to enable the MAC signature.

This issue is reported on the internal URL, i.e. http://example.com.

So we need to make the change in the web.config file of the web application bound to that port.



5) X-Frame-Options:

Solution:

To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  3. Double-click the HTTP Response Headers icon in the feature list in the middle.
  4. In the Actions pane on the right side, click Add.
  5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
  6. Click OK to save your changes.

6) ASP.NET View State Disclosure:

Solution:

<%@ Page ViewStateEncryptionMode="Always" %>

or

<configuration>
   <system.web>
      <pages viewStateEncryptionMode="Always" />
   </system.web>
</configuration>
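To make the two view-state findings concrete (item 4, missing MAC signature; item 6, view-state disclosure), here is an added example written for this post. It is not ASP.NET's LosFormatter/ObjectStateFormatter format or key management: it uses JSON plus base64 for the "unsigned" blob and appends an HMAC-SHA256 tag for the "signed" one. The VALIDATION_KEY and the sample state are constructed placeholders. It shows that a blob without a MAC is readable and silently accepts edits, while a MAC makes the edit detectable; encryption (the fix for disclosure) is not implemented here because the standard library has no AES.

```python
# Added example (not from the original post): illustrates why ViewState needs a MAC
# (integrity) and encryption (confidentiality). Simplified format, NOT ASP.NET's own.
# VALIDATION_KEY is a constructed placeholder, not a real machineKey value.

import base64
import hashlib
import hmac
import json

VALIDATION_KEY = b"placeholder-validation-key-not-a-real-machinekey"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

def encode_unsigned(state: dict) -> str:
    """Like ViewState with no MAC: base64 only, so anyone can read and alter it."""
    return base64.b64encode(json.dumps(state).encode()).decode()

def decode_unsigned(blob: str) -> dict:
    """The server trusts whatever comes back."""
    return json.loads(base64.b64decode(blob))

def encode_signed(state: dict, key: bytes = VALIDATION_KEY) -> str:
    """Append an HMAC so the server can detect tampering (the 'MAC signature')."""
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()

def decode_signed(blob: str, key: bytes = VALIDATION_KEY):
    """Return the state if the MAC verifies, otherwise None (request should be rejected)."""
    raw = base64.b64decode(blob)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)

def tamper(blob: str, old: str, new: str) -> str:
    """Simulate a client editing a value inside the base64 blob before posting it back."""
    raw = base64.b64decode(blob)
    return base64.b64encode(raw.replace(old.encode(), new.encode())).decode()

if __name__ == "__main__":
    state = {"role": "reader", "page": "viewlsts"}          # constructed sample state
    u = encode_unsigned(state)
    print("unsigned blob decodes to:", decode_unsigned(u))   # disclosure: fully readable
    print("tampered unsigned accepted:", decode_unsigned(tamper(u, "reader", "admin")))
    s = encode_signed(state)
    print("signed, untouched:", decode_signed(s))
    print("signed, tampered:", decode_signed(tamper(s, "reader", "admin")))  # None
```

The MAC only gives integrity: the signed blob is still readable by anyone who base64-decodes it, which is why ViewStateEncryptionMode="Always" is needed on top of the MAC.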



7) Generic Padding Oracle:

Solution:

Turn on custom errors with a single default redirect, so that every error (including a decryption failure) produces the same response and an attacker cannot distinguish padding errors from other errors:

<configuration>
   <system.web>
      <customErrors mode="On" defaultRedirect="~/Pages/DukhanErrorPage.aspx" />
   </system.web>
</configuration>


8) Content Security Policy (CSP) Header Not Set:

Solution:

Add the following header to the HTTP responses of the web application (the IIS site bound to that port):

Content-Security-Policy: default-src 'self'



9) Backup File Disclosure threat:

Solution:

Remove all unnecessary files (backup copies, old versions and similar) from the layouts folder.

10) Server Leaks Information (X-Powered-By):

Solution:

To remove the X-Powered-By header from IIS 7:
1.    Launch the Internet Information Services (IIS) Manager.
2.    Expand the Sites folder.
3.    Select the website to modify and double-click the HTTP Response Headers section in the IIS grouping.
4.    Each custom header is listed here. Select the header to remove and click the Remove link in the right-hand column.


11) Anti-CSRF Token Scanner:

Solution:

SharePoint's form digest is its anti-CSRF token: it is emitted in the __REQUESTDIGEST hidden field and must be sent back with state-changing requests, for REST calls as the X-RequestDigest header:

requestdigest-header = "X-RequestDigest" ":" requestdigest-value
requestdigest-value = 1*TEXT

http://msdn.microsoft.com/en-us/library/dd964175(v=office.12).aspx

http://msdn.microsoft.com/en-us/library/office/gg552614(v=office.14).aspx#bestpractice_crossrequest
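As an added illustration of what the request digest check achieves (this is my own simplified model for this post, not SharePoint's digest format or validation code), the server below issues a token bound to the caller's session and an issue time, and a POST is accepted only if the X-RequestDigest header carries a token that verifies for that session and has not expired. SERVER_KEY, the session ids and the handler are constructed placeholders; the 30-minute lifetime matches the default timeout of a SharePoint form digest.

```python
# Added example (not from the original post): a minimal model of an anti-CSRF request
# digest like SharePoint's X-RequestDigest. NOT SharePoint's own format or code; the
# key and session ids are constructed placeholders.

import hashlib
import hmac

SERVER_KEY = b"placeholder-server-secret"
DIGEST_LIFETIME_SECONDS = 1800  # 30 minutes, the default form digest timeout

def issue_digest(session_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Return 'issued_at,hexmac', tied to this session and issue time."""
    msg = f"{session_id}|{now}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{now},{mac}"

def verify_digest(digest, session_id, now, key=SERVER_KEY, lifetime=DIGEST_LIFETIME_SECONDS):
    """Reject a missing, malformed, expired, forged or foreign-session digest."""
    if not digest or "," not in digest:
        return False, "missing"
    issued, mac = digest.split(",", 1)
    if not issued.isdigit():
        return False, "malformed"
    issued = int(issued)
    if now - issued > lifetime:
        return False, "expired"
    expected = hmac.new(key, f"{session_id}|{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "invalid"
    return True, "ok"

def handle_post(headers: dict, session_id: str, now: int):
    """Server side: a state-changing POST without a valid digest is refused with 403."""
    ok, reason = verify_digest(headers.get("X-RequestDigest"), session_id, now)
    return (200, "updated") if ok else (403, reason)

if __name__ == "__main__":
    t = 1_700_000_000                                  # constructed clock value
    d = issue_digest("sess-A", t)
    print(handle_post({"X-RequestDigest": d}, "sess-A", t + 60))     # (200, 'updated')
    print(handle_post({}, "sess-A", t + 60))                          # (403, 'missing')
    print(handle_post({"X-RequestDigest": d}, "sess-B", t + 60))     # (403, 'invalid')
    print(handle_post({"X-RequestDigest": d}, "sess-A", t + 3600))   # (403, 'expired')
```

A cross-site page can make the browser send the session cookie, but it cannot read the digest that was issued to the victim's session, so the forged POST fails the check.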


12) ASP.NET View State Disclosure:

Solution:

Duplicate of item 6; apply the same ViewStateEncryptionMode="Always" setting (page directive or web.config).

13) Information disclosure:

Solution:

As per the article this is a known issue in Microsoft SharePoint. For more information please refer to the link.

14) Hash Disclosure - Mac OSX salted SHA-1 security threat:

Solution:

As per the article this is a known issue in Microsoft SharePoint 2013. For more information please refer to the link.

15) Example Passive Scanner: Denial of Service:

Solution:

1.     At a command prompt with administrator permissions, type netsh, press ENTER, type ipsecdosprotection, and then press ENTER again.
2.     Alternatively, if you are at the command prompt but have not entered a netsh context, you can type: netsh ipsecdosprotection command
3.     add allowedkeyingmodule ikev1
For more information please refer to the link: http://technet.microsoft.com/en-us/library/ee621831(v=ws.10).aspx


16) Source Code Disclosure - SVN security threat:

Solution:

17) Hash Disclosure - MD4 / MD5:

Known issue in SharePoint 2013; it allows hash disclosure. Please refer to the link.

18) Directory listing detected:

1.     Open IIS Manager and navigate to the level you want to manage.
2.     In Features View, double-click Directory Browsing.
3.     In the Actions pane, click Disable if the Directory Browsing feature is enabled and you want to disable it (or Enable if it is disabled and you want to enable it).

19) "Disabled Controls" vulnerability:

Won't fix: default SharePoint behaviour.

20) ASP & ASPX Errors:

Won't fix: default SharePoint behaviour.

21) SharePoint suffers from XSS and information disclosure flaws:

22) Directory Listing Detected:

http://www.networksteve.com/enterprise/topic.php/SharePoint_Security_Vulnerability/?TopicId=4609&Posts=7

New Solutions:

Framable Page (same header as item 5, set in web.config instead of IIS Manager):

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
23) Cookie Does Not Contain The "secure" Attribute:

This can be configured by adding the following in global.asax. This file is located in the virtual directory of the web application, so go to IIS Manager, right-click the web application and choose Explore.

Global.asax file found under

<SCRIPT language="C#" runat="server">
protected void Session_Start(Object sender, EventArgs e)
{
    try
    {
        // Only mark the session cookie Secure when the site is served over HTTPS;
        // over plain HTTP the browser would never send a Secure cookie back
        if (Request.IsSecureConnection)
        {
            Response.Cookies["ASP.NET_SessionId"].Secure = true;
        }
    }
    catch (Exception)
    {
        // The session cookie may not exist yet on this request; nothing to do
    }
}
</SCRIPT>
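Several of the items on this page (1 and 23 for the cookie flags, 5 and 22 for X-Frame-Options, 8 for Content-Security-Policy, 10 for X-Powered-By) are verified the same way: fetch one response from the site and look at its headers. The following is an added example written for this post (not from the original or from any SharePoint tooling) that runs those checks over a raw HTTP response. The two responses it audits are constructed here to show a "before" and an "after"; point the same function at a response captured from your own web application to check the fixes took effect.

```python
# Added example (not from the original post): audits one raw HTTP response for the
# header-level fixes described on this page. The sample responses are constructed,
# not captured from a real server.

def parse_response_headers(raw: str):
    """Return (status_line, headers) where headers maps lowercase name -> list of values."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def cookie_attrs(set_cookie: str):
    """Split a Set-Cookie value into (cookie name, set of lowercase attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs

def audit_response(raw: str):
    """Return a dict of finding name -> True (pass) / False (fail)."""
    _, h = parse_response_headers(raw)
    findings = {}
    for sc in h.get("set-cookie", []):                      # items 1 and 23
        name, attrs = cookie_attrs(sc)
        findings[f"cookie {name} HttpOnly"] = "httponly" in attrs
        findings[f"cookie {name} Secure"] = "secure" in attrs
    xfo = [v.upper() for v in h.get("x-frame-options", [])]  # items 5 and 22
    findings["X-Frame-Options set"] = bool(xfo) and xfo[0] in ("DENY", "SAMEORIGIN")
    findings["Content-Security-Policy set"] = bool(h.get("content-security-policy"))  # item 8
    findings["no X-Powered-By"] = "x-powered-by" not in h    # item 10
    return findings

# Constructed sample: a response before the fixes from this page were applied
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

# Constructed sample: the same response after the fixes were applied
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        for finding, ok in audit_response(raw).items():
            print(f"{label}: {'PASS' if ok else 'FAIL'} - {finding}")
```

The Secure check only makes sense for a response fetched over HTTPS; as item 23's global.asax code shows, the flag is deliberately not set on plain-HTTP connections.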
24) Windows Server 2008 or Windows Server 2008 R2 2520 error checking (install Request Filtering):

1.       On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2.       In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3.       In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4.       On the Select Role Services page of the Add Role Services Wizard, select Request Filtering, and then click Next. 
5.       On the Confirm Installation Selections page, click Install.
6.       On the Results page, click Close.
