Security concerns in Microsoft SharePoint 2013
White Paper
July 2014
Introduction
When evaluating whether to use a product, one of the first concerns for architects and managers is the security implementation. How secure is the data stored within the product?
The same applies to Microsoft’s best-selling product SharePoint. Is data secured in SharePoint? Are there any loopholes in the security implementation that would enable a hacker to steal or manipulate the data, or bring down the SharePoint site?
I think data in SharePoint is not well secured. A hacker who has good knowledge of SharePoint can steal data from lists and document libraries, including the users/groups and their permissions.
How can security be compromised in SharePoint?
One of the ways data in SharePoint lists and document libraries can be modified is through the SharePoint Web Services. The following URL points to the list of web services that can be used to manipulate or administer data in SharePoint.
http://msdn.microsoft.com/en-us/library/office/jj193051(v=office.15).aspx
One of the web services in that list is “WebSvcLists”. MSDN describes this web service as follows:
The Lists Web service provides methods for working with SharePoint lists, content types, list items, and files.
To access this Web service, set a Web reference to http://<site>/_vti_bin/Lists.asmx.
The following URL lists the methods that are available in this web service.
http://msdn.microsoft.com/en-us/library/office/websvclists.lists_members(v=office.15).aspx
One of the methods is “UpdateListItems”. MSDN describes this method as follows:
Adds, deletes, or updates the specified items in a list on the current site.
Really, all you need are the JavaScript wrapper methods for this Lists Web service and a simple JavaScript function in an HTML page to add, modify, or delete items in a list.
Here are the JavaScript wrapper methods on this Lists Web service.
A simple HTML page with one JavaScript function will do the trick to insert a number of items into a list in a SharePoint web site. All you need is the URL of the SharePoint site, the name of the list, and contributor permission on that list. The HTML code of that page is as follows:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <!-- SPAPI: third-party JavaScript wrapper around the SharePoint SOAP web services -->
    <script src="SPAPI_Core.js" type="text/javascript"></script>
    <script src="SPAPI_Lists.js" type="text/javascript"></script>
    <script type="text/javascript">
        function AddAListItem() {
            // Bind the Lists.asmx wrapper to the target site
            var lists = new SPAPI_Lists("http://btr-sp13-02:12000/sites/Hacking");
            // 'counter' is declared with var so it does not leak as an implicit global
            for (var counter = 0; counter < 100; counter++) {
                // One UpdateListItems batch per iteration; Cmd="New" with ID "New" creates an item
                var batchXML = '<Batch OnError="Continue" ListVersion="1" ViewName="">' +
                    '<Method ID="1" Cmd="New">' +
                    '<Field Name="ID">New</Field>' +
                    '<Field Name="Title">Hacked Item' + counter.toString() + '</Field>' +
                    '</Method></Batch>';
                // The SOAP response is returned but not inspected here
                var result = lists.updateListItems("HackedList", batchXML);
            }
            alert('Done');
        }
    </script>
    <title>How to hack SharePoint?</title>
</head>
<body>
    <input type="button" id="btnAddAListItem" value="Add A List Item" onclick="AddAListItem();" />
</body>
</html>
I used the site http://btr-sp13-02:12000/sites/Hacking and the list named “HackedList”, which has a single default column, “Title”. I have contributor permission on this list.
With the above HTML code, I was able to insert 100 items in less than a minute. If I am able to insert 100 items, why can’t I insert a hundred thousand or a million items and bring down the site?
I do not need to log on to the server to do this. All I need is connectivity to the SharePoint site and the required permission on the list. The above is simple HTML code; it is not rocket science to learn and understand.
Your arguments
Now it is your turn to argue. You ask why I should be given contributor permission to the site/list in the first place. Well, consider a company intranet in SharePoint. You provide a page in the intranet that enables employees to update their contact information in a list. In order for me, as an employee, to update my contact information in that list from that page, you have to give me contributor permission on the site/list. That is all I need. With a little JavaScript coding, I can get the names of the columns in that list and insert a million items using my above HTML code (with a little modification) from my laptop. I do not need remote access to the server. All of this can be done from my laptop with a simple HTML page.
You can implement item-level security to prevent me from modifying other users’ records, and disabling users from adding, modifying, or deleting items (or all three) would be one solution. But that restricts collaboration. Or you could disallow SOAP calls to the web site, but then the whole purpose of the flexibility is lost, because no one, including the site collection administrator, can make SOAP calls. Is there a way in which only the site collection administrator can add, modify, or delete items?
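Between the two extremes weighed above (full contributor rights on one side, no SOAP calls at all on the other), a defender can at least see the pattern this paper demonstrates in the IIS logs: one account issuing Lists.asmx POSTs at machine speed. The following Python script is an added example, not part of the original paper. It parses a constructed IIS W3C log excerpt (the user names, addresses and the Contacts.aspx page are made up; the site URL is the paper's) and flags accounts that exceed a threshold of Lists.asmx POSTs within a sliding time window.

```python
"""Detect bulk Lists.asmx activity in IIS W3C logs (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default IIS W3C field layout; IIS never writes spaces inside a value (it uses '+').
W3C_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
              "sc-substatus sc-win32-status time-taken").split()

LISTS_SERVICE = "/_vti_bin/lists.asmx"            # compared case-insensitively
SITE = "http://btr-sp13-02:12000/sites/Hacking"    # the paper's sample site


def build_sample_log():
    """Constructed log excerpt: one ordinary user and one user replaying the paper's loop."""
    lines = ["#Software: Microsoft Internet Information Services 8.0",
             "#Fields: " + " ".join(W3C_FIELDS)]
    base = datetime(2014, 7, 1, 10, 0, 0)

    def entry(ts, user, c_ip, referer):
        return " ".join([ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"),
                         "10.0.0.5", "POST", "/sites/Hacking/_vti_bin/Lists.asmx", "-",
                         "12000", user, c_ip, "Mozilla/5.0", referer, "200", "0", "0", "45"])

    # alice (constructed): three item saves spread over ten minutes, made from a site page
    for sec in (5, 240, 590):
        lines.append(entry(base + timedelta(seconds=sec), "CONTOSO\\alice", "10.0.0.20",
                           SITE + "/SitePages/Contacts.aspx"))
    # bob (constructed): one UpdateListItems call per second for a minute, no Referer
    for sec in range(60):
        lines.append(entry(base + timedelta(seconds=sec), "CONTOSO\\bob", "10.0.0.21", "-"))
    return "\n".join(lines)


def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed records instead of guessing at columns
        yield dict(zip(fields, parts))


def find_bulk_callers(entries, window_seconds=60, threshold=30):
    """Return {user: peak_count} for users exceeding `threshold` Lists.asmx POSTs in any window."""
    entries = sorted(entries, key=lambda e: (e["date"], e["time"]))
    recent = defaultdict(deque)   # per-user timestamps inside the current window
    peaks = {}
    for e in entries:
        if e["cs-method"] != "POST" or not e["cs-uri-stem"].lower().endswith(LISTS_SERVICE):
            continue
        ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        user = e["cs-username"]
        q = recent[user]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()           # drop calls that fell out of the window
        if len(q) > threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks


if __name__ == "__main__":
    for user, peak in find_bulk_callers(parse_w3c(build_sample_log())).items():
        print(f"{user}: {peak} Lists.asmx POSTs within 60 s")
```

The threshold and window are deliberately conservative starting points; a contact-update page produces a handful of Lists.asmx calls per user per day, so anything in the tens per minute from a single account is worth an alert, and the same loop can be run on the live log files from the web front ends.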
Solution to this issue (thoughts on how to implement it are welcome)
Allow SharePoint web service calls only if they originate from a web page hosted on the SharePoint server (for example, a site page or an application page), and disallow SharePoint web service calls from all other sources. This would ensure that anyone who wanted to hack a SharePoint site through its web services would first need access to the SharePoint server, which they cannot get.
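The admission rule proposed above can be stated as code. The following Python module is an added example, not part of the paper and not SharePoint's own mechanism; in a real SharePoint 2013 farm the equivalent logic would live in an ASP.NET HTTP module in front of Lists.asmx. It assumes the request's Referer header and the UpdateListItems `updates` XML are available to the filter, checks that the Referer names the SharePoint host itself (the paper's host btr-sp13-02:12000), and adds a second check the paper does not have: a cap on the number of <Method> elements per Batch (the cap value is an assumption). The Contacts.aspx page and the multi-item batches are constructed for the example; the single-item batch is the one from the paper's page.

```python
"""Admission policy for Lists.asmx UpdateListItems calls (added example, not SharePoint code)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITE_HOST = "btr-sp13-02:12000"   # host of the paper's sample site
MAX_METHODS_PER_BATCH = 10        # assumed cap on <Method> elements per call

# The single-item batch built by the paper's page
PAPER_BATCH = ('<Batch OnError="Continue" ListVersion="1" ViewName="">'
               '<Method ID="1" Cmd="New"><Field Name="ID">New</Field>'
               '<Field Name="Title">Hacked Item0</Field></Method></Batch>')
# Constructed headers: a call made from a site page served by the SharePoint host
SITE_PAGE_HEADERS = {"Referer": "http://btr-sp13-02:12000/sites/Hacking/SitePages/Contacts.aspx"}


def referer_is_site_page(headers, site_host=SITE_HOST):
    """True when the Referer names a page served by the SharePoint host itself."""
    u = urlparse(headers.get("Referer", ""))
    return u.scheme in ("http", "https") and u.netloc.lower() == site_host.lower()


def count_batch_methods(updates_xml):
    """Number of <Method> elements in a Batch, or None if the XML is not a well-formed Batch."""
    try:
        batch = ET.fromstring(updates_xml)
    except ET.ParseError:
        return None
    if batch.tag != "Batch":
        return None
    return len(batch.findall("Method"))


def evaluate_request(headers, updates_xml, site_host=SITE_HOST,
                     max_methods=MAX_METHODS_PER_BATCH):
    """Decide whether an UpdateListItems call is admitted; returns (allowed, reason)."""
    if not referer_is_site_page(headers, site_host):
        return False, "referer-not-site-page"
    n = count_batch_methods(updates_xml)
    if n is None:
        return False, "malformed-batch"
    if n > max_methods:
        return False, f"too-many-methods:{n}"
    return True, "ok"


def constructed_batch(n_items):
    """Constructed n-item Batch, used only to exercise the per-call cap."""
    methods = "".join(
        f'<Method ID="{i}" Cmd="New"><Field Name="ID">New</Field>'
        f'<Field Name="Title">Item {i}</Field></Method>' for i in range(1, n_items + 1))
    return f'<Batch OnError="Continue" ListVersion="1" ViewName="">{methods}</Batch>'


if __name__ == "__main__":
    print(evaluate_request(SITE_PAGE_HEADERS, PAPER_BATCH))                 # admitted
    print(evaluate_request({}, PAPER_BATCH))                                # no Referer
    print(evaluate_request(SITE_PAGE_HEADERS, constructed_batch(50)))       # over the cap
```

The Referer header is supplied by the caller, so the first check expresses the policy for pages that honour it rather than acting as a security boundary on its own; the batch cap bounds the work a single call can cause regardless of where it came from, and a per-caller rate limit is what bounds the number of calls.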
Conclusion
How to close this security loophole requires considerable thought. Some say we can overcome this issue through workflows and event receivers, but I think that would be a very difficult (almost impossible) job, you may have to sacrifice many of the features you provide in the site, and it may slow the site down. A determined hacker can break all these walls and still bring down a SharePoint site through these web service calls.
I have proposed one possible solution to this issue above. If you can find another, please share it with me.
About the Author
Ramasubramanian Thumati Rajendran has over 15 years of experience in technologies ranging from FoxPro, Visual Basic, .NET, SharePoint, SQL Server, and Oracle to MSBI. He is working as a Principal Consultant with ConsultParagon Computer Professionals P Ltd, Bangalore, India (www.consultparagon.com), managing SharePoint and MSBI projects. He can be reached at rrajendran@consultparagon.com, or at his personal email, ram.thumati@gmail.com.