Penetration testing Sharepoint

Like any normal web application, Sharepoint may fall prey to OWASP Top 10 vulnerabilities with a special focus on XSS, mostly due to inadequate patching and misconfiguration. On this post, we focus on recon / what sharepoint is exposing.

Google Dorks FTW!:

Some google dorks to help you find sharepoint installations exposed to the web as below. It would be wise to add the parameters “site:yoursite.com < then the below dorks>” to narrow down the search and discover what your sharepoint installation is exposing to the public.

google dork1_

dork4_

googledork3_

googledorks2_

Fuzz:

From the above, we can view a lot of documents, which you may not necessarily need to expose. In addition to the classified documents seen above we can also :

  • discover Sharepoint version installed
  • discover the Sharepoint web services configured on the application
  • enumerate users
  • view default SharePoint _layouts, _catalogs, configuration settings and forms

How?

I prefer to use this fuzzer, but you can use dirbuster, fuzzdb etc. I have over time come up with a list to feed the fuzzer.

Run the scanner as below and discover all the information that your sharepoint installation is exposing to the public 🙂

scan_

Going to the pages with HTTP status code 200, we find:

  1. Frontpage server extensions and sharepoint versions:

_vti_inf_.html

2. Sharepoint web services:

_vti_bin_spdisco_.aspx

3. Default layouts:

viewlsts_

etc…you get the drift.

What to do?

  • Patch.
  • Restrict / remove default pages, forms, layouts

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

WordPress.com.

Up ↑

%d bloggers like this: