Microsoft SharePoint is a widely adopted data-sharing and collaboration platform which is often extended using third-party software. When the data in SharePoint is sensitive and regulated, the security of the platform - as well as the software extensions - must be a top concern for organizations. This white paper will discuss the threats introduced when using third-party SharePoint plug-ins and Web Parts, evaluate the effectiveness of traditional security solutions in respect to these threats, and provide recommendations for hardening SharePoint systems.
Protecting Against Vulnerabilities in SharePoint Add-ons
Microsoft SharePoint is a widely adopted data-sharing and collaboration platform that is
often extended using third-party software. When the data in SharePoint is sensitive and
regulated, the security of the platform—as well as the software extensions—must be a
top concern for organizations.
Seventy percent of organizations are facilitating cross-functional collaboration and
increasing productivity by using Microsoft SharePoint as an intranet, extranet, and to
host public websites1
. This means business-critical data, including regulated or sensitive
information, is stored in most SharePoint environments. In parallel, companies are
leveraging third-party add-ons within the SharePoint platform to get their deployment
off the ground, encourage adoption, and increase employee interaction. This paper will
discuss the threats introduced when using third-party SharePoint plug-ins and Web Parts,
evaluate the effectiveness of traditional security solutions in respect to these threats, and
provide recommendations for hardening SharePoint systems.
What Organizations Store in SharePoint
In an Industry Watch report survey conducted by independent research firm Association
for Information and Image Management (AIIM), results concluded that SharePoint is highly
integrated into companies, especially when compared to most other enterprise IT systems.
The report stated that “…over half of respondents are deploying a single SharePoint system
across the full enterprise”, indicating that SharePoint is becoming an enterprise-wide,
, and not just a tool used in pockets of the organization.
DID YOU KNOW?
Business-critical data, including
regulated or sensitive
information, is stored in most
1. David Jones.“The SharePoint Puzzle—adding the missing pieces.”AIIM.
2. David Jones.“The SharePoint Puzzle—adding the missing pieces.”AIIM.
Protecting Against Vulnerabilities
in SharePoint Add-ons
The principal reasons organizations implement SharePoint are internal collaboration,
content management, project management, records management, corporate intranet,
and as a replacement for file shares3
. These uses are core to running a business and imply
that groups and individuals store a multitude of files with sensitive or regulated data
in SharePoint. For example, consider whether the information below is stored in your
company’s SharePoint deployment:
• Regulated data. Personally identifiable information (PII), credit card information,
personal health information (PHI), and financial records.
Organizations operating in highly regulated industries, such as the Healthcare, Financial
Services, and Federal sectors, commonly leverage SharePoint as a file repository and
extranet portal. HIPAA, FINRA, PCI DSS, ITAR and SOX regulations are some of the primary
motivators for organizations to ensure that data of this nature is not breached.
• Sensitive data. Intellectual property, deal data, competitive information, business plans,
and legal information.
The data that an organization considers to be the most sensitive is not always evident,
especially if IT teams, rather than data owners, are determining how information is to be
classified. As an example, take an international retailer with store operations plans and
strategies stored in SharePoint. While one business unit might assume this data is the
most critical to the organization’s success, management and the Board of Directors may
consider the data pertaining to its international expansion strategy to be top of mind.
SharePoint Starts Small
Companies typically implement SharePoint in a progressive manner, starting with an
intranet for file sharing and content management, and eventually expanding to externally-
facing deployments. Extranets are often used as a portal for customers, partners, employees,
or alumni and commonly for a Board of Directors site. The later versions of SharePoint,
such as SharePoint 2013, offer new functionality for simple and low-cost website creation,
leading a number of Fortune 500 companies to create corporate websites, microsites, and
e-commerce sites with SharePoint.
As more applications are created in SharePoint, and new data is made available to those
accessing SharePoint, the risk of exposure increases. The introduction of third-party widgets
exacerbates the situation. According to AIIM, more than half of organizations implementing
SharePoint use or are: “…planning to use third-party add-on products in order to enhance
functionality. Only a third thinks they will stick with the vanilla product.”4
In addition to
individual components, many organizations outsource SharePoint application development
entirely. With almost thirty percent of all applications being produced by third parties5
organizations need to evaluate the security of SharePoint applications given the amount
of regulated and sensitive information dispersed across the platform.
WHAT INFORMATION IS STORED IN
YOUR SHAREPOINT DEPLOYMENT?
• Personally identifiable information (PII)
• Credit card information
• Personal health information (PHI)
• Financial records
• Intellectual property
• Deal data
• Competitive information
• Business plans
• Legal information
More than half of
SharePoint use or are:
“…planning to use third-
party add-on products
in order to enhance
functionality. Only a third
thinks they will stick with
the vanilla product.”
3. David Jones.“The SharePoint Puzzle—adding the missing pieces.”AIIM.
4. David Jones.“The SharePoint Puzzle—adding the missing pieces.”AIIM.
5. Veracode State of Software Security Report, Volume 4
Why Organizations Use SharePoint Plug-ins
and Web Parts
“Many would argue that the sheer volume of third-party add-ons highlights that SharePoint
is nothing more than a Swiss army knife: a platform that requires users to plug-in“industry-
strength”tools from external suppliers in order to achieve the performance, functionality
and robustness required.”6
Microsoft SharePoint without plug-ins or Web Parts can be compared to an iPhone without
. While consumers use apps for convenience, ease-of-use, collaboration, and
productivity, it’s for these same reasons that IT teams will look to third-party SharePoint
widgets to directly modify the content, appearance, and behavior of SharePoint site pages8
Some of the most popular categories9
of SharePoint plug-ins and Web Parts include:
• Forms. These widgets enhance the feature set of SharePoint forms, allowing admins
to customize and create forms more quickly.
• Document Management. As one of the most common use cases for SharePoint,
organizations leverage this category of add-ons for better distribution of documents
throughout teams or groups; increased organization of documents; template
customization; enhanced SharePoint search capabilities; and more.
• Productivity. Productivity plugins make tasks easier for employees, enabling them to
be completed more quickly.
Additionally, there is business justification for IT teams to put third-party tools in place; this
can also be referred to as a“no-code”strategy for SharePoint. First, there is significant cost
and time associated with custom coding projects within the platform. Stakeholders and
end-users are interested in getting SharePoint deployments off the ground and seeing
employee adoption. Third-party tools enable exactly that, e.g., the ability to deliver in-depth
workflows within a matter of days versus weeks. While administrators can experience
quick wins with external products, incorporating third-party code alongside regulated and
confidential data presents a serious and wide reaching security risk to SharePoint intranets,
extranets, websites, and also their end-users.10
PLUG-IN AND WEB PART DEFINED
Plug-in (a.k.a. extension): A software
component that adds additional functionality
to the larger SharePoint system
Example: SharePoint Outlook Integration
Web Part (a.k.a. web widget): A stand-alone
application that is embedded into SharePoint,
and which pulls in useful information from
Example: Twitter feed
6. David Jones.“The SharePoint Puzzle—adding the missing pieces.”AIIM.
7. Francis Brown.“SharePoint Security: Advanced SharePoint Security Tips and Tools.”Stach & Liu, LLC.
8. “Creating Web Parts for SharePoint.”Microsoft.
9. “Top 50 SharePoint Plug-Ins and Web Parts for 2013.”Portal Front.
10. “The‘No Code’SharePoint Strategy.”PointBeyond Ltd.
Risks Associated with SharePoint Plug-ins
and Web Parts
Practically every SharePoint web application includes components that were not developed
by in-house application programmers. Even if an application were to be completely
homegrown, the web server and operating system were almost certainly coded
elsewhere. According to Veracode, about seventy percent of internally developed code
originates outside of the development team11
. In many cases, developers aren’t aware of
all application components they are using, not to mention their versions. From a business
standpoint, SharePoint administrators and security teams should always assume that
third-party code—coming from partners, vendors, mergers, and acquisitions—contains
Moreover, organizations have no control over fixing weaknesses in code they do not
own. Not only are organizations blind to vulnerabilities when implementing third-party
Web Parts and plug-ins, but they will not be protected until that third-party addresses
those vulnerabilities. These security gaps transform add-ons from useful SharePoint tools
into vehicles for delivering malware and technical attacks. If a vulnerable component is
exploited, such attacks can facilitate serious data loss or server takeover. Applications using
components with known vulnerabilities have the ability to undermine application defenses
and introduce a range of possible attacks and business impacts.
The Latest Addition to the OWASP Top 10
Concerns around third-party applications are of such concern that the Open Web
Application Security Project (OWASP), an industry group focused on web application
security best practices, added this threat to its most recent Top 10 report. The Top 10
report represents the most critical web application security risks as identified by a broad
consensus of application security experts around the world. This addition is the main
difference between the previous OWASP Top 10 and the 2013 Top 10.
This new OWASP Top 10 threat not only reinforces the popularity of third-party
components in application development, but also underscores the risks introduced by
these components. Because thousands of SharePoint instances may include the same
vulnerable code, attackers are highly motivated to locate and exploit vulnerabilities in
these application components. It’s likely that this is why many of today’s high profile
breaches are caused by vulnerable third-party components.
SHAREPOINT SECURITY TIP
SharePoint administrators and security
teams should always assume that third-
party code—coming from partners,
vendors, mergers, and acquisitions—
contains significant vulnerabilities.
SHAREPOINT SECURITY RISK
Applications using components with
known vulnerabilities have the ability
to undermine application defenses and
introduce a range of possible attacks
and business impacts.
11. Veracode State of Software Security Report, Volume 4
Hacking and the Rise of CMS Hacking
Cyber attacks are motivated by a number of reasons—whether they are performed by
profit-driven industrialized hacker groups; by hacktivists looking to target organizations
based on ideology or personal agendas; or by government entities seeking economic
or political gain.
Depending on the motivation, hackers might focus on exploiting one particular
organization, as demonstrated in the December 2012 attack on Yahoo! in which a hacker
exploited a third-party astrology web application and successfully gained full access into
the company’s Microsoft SQL database. Other motivations might inspire“mass hacking”
in which malicious groups or individuals identify vulnerabilities in content management
systems (CMS) and where the same principals apply. SharePoint, one of the leading CMS
systems, is built using mainly Visual C#, Visual Basic, the Microsoft .NET Framework, ASP.NET,
HTML/CSS, Document Object Model, and Silverlight, it integrates with Active Directory, and
is designed for use with Microsoft SQL Server and Internet Explorer12
. As a result, the system
contains its share of potential security challenges.
Microsoft has reported nearly 300 vulnerabilities in SharePoint Server and related products
since its release in 2001, which have rendered the underlying software subject to attacks
such as cross-site scripting (XSS), SQL injection (SQLi), directory (or path) traversal, and
remote file inclusion (RFI)13
. While classic website hacking consists of a single site attack
in which cybercriminals identify the target, find a vulnerability, and set out to exploit it,
CMS hacking, where one CMS vulnerability has the ability to compromise thousands of
organizations, is on the rise.
“Microsoft addressed a zero-day flaw and nine other vulnerabilities in SharePoint that
could allow remote code execution… In addition, the server has two cross-site scripting
vulnerabilities that can be used by an attacker to carry out attacks and run malicious
scripts while masquerading as the logged-in user.”14
– Robert Westervelt on critical
security updates in Microsoft SharePoint, September 2013
Intricacies of a Third-Party Code Exploit
This section explores how an exploit takes place via SQL injection (SQLi), a very common
data extraction technique with the objective to retrieve sensitive data, steal site admin
credentials, or infect an end-user with malware. Even after a decade of web application
development and awareness around web application security, this attack method
is still very relevant and continues to play a major role in application hacking. This is
demonstrated by the fact that SQLi has become highly automated and can be performed
by unsophisticated hackers with the assistance of hacking tools like SQLmap and Havij.
CMS Hacking 101
Content Management Systems
(CMS), like SharePoint, expose
organizations to a new set of
vulnerabilities. This presentation
shows how malicious hackers
exploit vulnerabilities found in
CMS to systematically identify
and attack unsuspecting
organizations and provides
recommendations for attack
12. Gustavo Garcia.“SharePoint: In Defense of Cross-Site Scripting.”
13. Gustavo Garcia.“SharePoint: In Defense of Cross-Site Scripting.”
14. Robert Westervelt.“Patch Tuesday: Microsoft Fixes Critical Outlook Error, Critical SharePoint Flaws.”CRN.
Anatomy of a SQL Injection Attack
Hackers begin by taking advantage of non-validated input vulnerabilities in which
unchecked user input is transformed into database queries. Cyber criminals use a variety
of approaches to identify application weaknesses. First, they may search public vulnerability
databases, which contain thousands of web application and CMS-related vulnerabilities.
Another option is to perform Google searches for weak or exposed applications. Additionally,
hackers are known to leverage vulnerability scanners from vendors in the same way that
organizations do to enhance their security posture.
The next step is to inject SQL commands through the web application which are then
executed by a backend database. Because programmers often connect SQL commands
with user-provided parameters, hackers have the ability to embed SQL commands inside
these parameters. As a result, the attacker has the ability to execute SQL commands on the
backend database server via the web application. While there are multiple approaches to
carrying out this category of attack, the targets are particular database tables that contain
No matter which methods or motivations are behind the exploitation of add-ons and
CMS systems, hackers are after regulated or sensitive data. On one hand, using third-party
add-ons leave the enterprise with full responsibility for securing the application, and on
the other hand, very limited capacity to actually control the code. Because third-party
add‑on code cannot be fixed in-house, it is important that IT and Information Security
teams have the appropriate technology in place to shield the application from attacks,
given the potential vulnerabilities.
Protecting Your SharePoint System
Complementing Traditional Defenses with Dedicated Protection
IT and Security teams continue to spend the vast majority of their cyber security budget
on traditional defenses, with the assumption that next-generation firewalls (NGFW) or
intrusion prevention systems (IPS) will mitigate attacks against third-party plug-ins or
Web Parts. While these defenses are an important and key part of security strategy, they
are ill-equipped to stop attacks of this nature. Even if they were 100% effective, additional
layers would be needed to ensure that critical business data is protected.
These solutions are designed to protect networks and users, and although next-
generation firewalls are“application aware,”meaning that they can prevent users from
visiting phishing sites or tunneling applications in HTTP, they are not designed to protect
web applications from external attacks. Hackers looking to steal sensitive data, such as
intellectual property, deal data or PII, know exactly where to find it: in SharePoint’s unique
application, file, and database elements. The reality is that cyber-attacks have become
increasingly sophisticated, leveraging new hacking methods, with the explicit purpose
of circumventing conventional barriers.
From theYahoo! Hack
In 2012, a hacker claimed
to have breached Yahoo!’s
security systems and acquired
full access to certain Yahoo!
databases, leading to full access
on the server for that domain.
Imperva found that the hacker
was able to determine the
allegedly vulnerable Yahoo!
application and the exact
attack method, SQL injection.
This attack underscores the
security problem posed by
hosting third-party code—
as is often done with cloud-
As an enterprise builds out its security model, it is common that vulnerable components
outside the purview of the organization are not taken into account. It’s important
that IT and security teams always assume that third-party code present in SharePoint
applications contain significant vulnerabilities.
Protect SharePoint Instances Leveraging Third-party Code Against Web Attacks
To protect CMS systems, it’s vital that organizations incorporate security into the software
development life cycle; perform penetration tests and vulnerability assessments on
applications; and deploy SharePoint applications behind a web application firewall
(WAF) in order to detect and block attacks. When third-party code is present, protecting
applications with a web application firewall is essential. Without the ability to fix the code,
a WAF is the only relevant protection option.
As Gartner states in“Security No-Brainer #9,”it’s fundamental that application vulnerability
scanners interface with application firewalls. Analyst Neil McDonald states that once an
application security testing tool identifies a vulnerability, the natural next step is to fix the
problem. However, this presents challenges if the development team is backlogged, or
IT teams don’t have access to the source code15
Furthermore, PCI DSS requirement 6.6 provides two options for protecting web
. This first option is to conduct a vulnerability assessment and incorporate
these assessments into the software development life cycle. The other option is to deploy
a web application firewall in front of the web application.
Harden the SharePoint System
When an add-on is promoted from development to production, the system configuration
must be hardened to disable any irrelevant parts that may help the attacker. In the
hardening process, detailed error messages should be disabled; excessive file and directory
permissions should be restricted; leftover source code should be deleted; and so on.
Three-layers of SharePoint Security
While this paper focuses on the security implications of third-party web applications, parts
and plug-ins, the SharePoint system can be compromised on many levels. In addition to
web-based attacks, both malicious insiders, as well as users that have been compromised
by malware, pose significant risk. Moreover, Microsoft SharePoint does not have sufficient
built-in security capabilities to protect your organization from the wide range of internal
and external SharePoint threats. Imperva SecureSphere™
for SharePoint offers a unique
three-layer approach for protecting all of SharePoint’s web, file, and database resources.
What Next Generation
Web application attacks threaten
nearly every organization with
an online presence. While some
security vendors contend that
their next generation firewalls
can stop Web attacks, these
products lack essential Web
security features, leaving
customers exposed to attack.
Download White Paper
15. Neil MacDonald.“Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application
16. “Information Supplement: Application Reviews and Web Application Firewalls Clarified.”PCI Security Standards Council.
Layer #1: Deploy a Web Application Firewall Tailored to SharePoint
Traditional technologies leave holes in application defenses—defenses that are only
addressed by dedicated web application firewalls. SecureSphere for SharePoint uses market
leading web application firewall technology to protect SharePoint web applications with
vulnerable components. Through defenses such as patented Dynamic Profiling technology,
SQL injection and XSS correlation engines, and detection of Microsoft SharePoint HTTP
protocol violations, SecureSphere identifies zero-day attempts to exploit vulnerable
components. In addition, once a new vulnerability is published, the Imperva Application
Defense Center (ADC) quickly develops a signature or a set of policies to virtually patch the
vulnerability. Through automatic security updates, all SecureSphere appliances receive the
latest security content, and are protected against newly published vulnerabilities.
Many organizations do not know what third-party components are used in their web
applications, nor do they track vulnerability announcements for these components.
As a result, applications built with vulnerable components are often exposed to attack
for long periods of time. The SecureSphere Web Application Firewall solution has multiple
layers of defense to protect applications with third-party components.
Layer #2: Safeguard Files, Folders, and Lists with User Rights Management
and Activity Monitoring
SharePoint administrators often face challenges managing user permissions; maintaining
a comprehensive audit trail of file access activity; and producing reports for compliance
and forensic purposes.
SecureSphere for SharePoint offers a user rights management framework which aggregates
and consolidates user rights across SharePoint sites, providing visibility into effective
SharePoint permissions. This allows organizations to efficiently conduct rights reviews,
eliminate excess rights, and identify dormant users--all of which help ensure that access
is based on business need-to-know.
Additionally, Imperva’s SharePoint solution provides continuous monitoring and a detailed
audit trail of all data access activity, showing the“Who, What, When, Where, and How”of
each data access. This enables security, compliance, and SharePoint administrative staff
to understand exactly who accessed, moved, changed, or deleted data. Furthermore,
SecureSphere offers a flexible security policy framework, which allows businesses to
respond immediately when data access activity deviates from corporate policy.
Natively, SharePoint offers rudimentary reporting capabilities that are insufficient for
compliance reporting and investigating security incidents. SecureSphere for SharePoint
features interactive, on-screen audit analytics to quickly visualize file data access activity
and user rights. Security and compliance teams can use these analytics to identify trends,
patterns, and problems with file activity, and user rights. SecureSphere’s analytics and
reporting help measure risk and document compliance with regulations such as SOX,
PCI, and data privacy laws.
The increasing use of Microsoft
SharePoint to store sensitive
business data and extend
access and collaboration
to partners, customers, and
suppliers has outpaced native
SharePoint security capabilities.
By implementing the five lines
of defense outlined in this
eBook, organizations will be
able to overcome operational
challenges and protect
against both internal and
Layer #3: Protect SharePoint’s Microsoft SQL Database from Tampering
The Microsoft SQL database is at the core of the SharePoint platform—storing all files,
lists, and application data. Internal security requirements and compliance mandates
call for privileged-user monitoring and preventing unauthorized database access. This
also applies to the database component of the SharePoint platform. SecureSphere for
SharePoint monitors all database access and ensures unauthorized access is prevented.
Microsoft SharePoint is one of the most widely deployed and used content management
and collaboration platforms in the world. For the vast majority of organizations, that
means that SharePoint holds and provides application-level access to business-critical
data. As businesses seek a rapid return on their SharePoint investments, it’s common
for them to turn to third-party SharePoint add-ons to expand the power and utility of
SharePoint. From a security and compliance perspective, adding these extensions to an
already complex business system means that additional, tailored measures need to be
put in place to safeguard business data and applications. These include web application
firewall technology, rights management capabilities, and activity monitoring for all
data access. SecureSphere for SharePoint addresses all of these requirements in a single,