Penetration testing SharePoint

Like any normal web application, SharePoint may fall prey to OWASP Top 10 vulnerabilities, with a special focus on XSS, mostly due to inadequate patching and misconfiguration. In this post, we focus on recon: what SharePoint is exposing.

Google Dorks FTW!:

Some Google dorks to help you find SharePoint installations exposed to the web are below. It would be wise to add the parameters “ < then the below dorks>” to narrow down the search and discover what your SharePoint installation is exposing to the public.

From the above, we can view a lot of documents, which you may not necessarily need to expose. In addition to the classified documents seen above, we can also:

  • discover the SharePoint version installed
  • discover the SharePoint web services configured on the application
  • enumerate users
  • view default SharePoint _layouts, _catalogs, configuration settings and forms


I prefer to use this fuzzer, but you can use DirBuster, fuzzdb, etc. Over time, I have come up with a list to feed the fuzzer.

Run the scanner as below and discover all the information that your SharePoint installation is exposing to the public 🙂


Going to the pages with HTTP status code 200, we find:

  1. FrontPage Server Extensions and SharePoint versions:


  2. SharePoint web services:


  3. Default layouts:


etc…you get the drift.

What to do?

  • Patch.
  • Restrict / remove default pages, forms, layouts
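
To see from the server side whether this kind of fuzzing is hitting your installation, and which default pages still answer it after you restrict them, the following added example (not part of the original post) parses IIS W3C logs and flags clients that probe several SharePoint default path families. The log lines are constructed, and the regexes, family labels and `min_families` threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Path families named in the post; regexes and labels are this example's assumptions.
FAMILIES = {
    "frontpage/version": re.compile(r"^/_vti_(inf\.html$|pvt/)", re.I),
    "web services": re.compile(r"/_vti_bin/.+\.(asmx|svc)$", re.I),
    "layouts": re.compile(r"/_layouts/", re.I),
    "catalogs": re.compile(r"/_catalogs/", re.I),
}

# Constructed IIS W3C log sample (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-10 09:00:01 GET /_vti_inf.html 203.0.113.7 200
2024-01-10 09:00:01 GET /_vti_pvt/service.cnf 203.0.113.7 404
2024-01-10 09:00:02 GET /_vti_bin/lists.asmx 203.0.113.7 200
2024-01-10 09:00:03 GET /_layouts/viewlsts.aspx 203.0.113.7 200
2024-01-10 09:00:03 GET /_catalogs/masterpage/default.master 203.0.113.7 403
2024-01-10 09:05:00 GET /_layouts/images/logo.png 198.51.100.20 200
2024-01-10 09:05:04 GET /sites/hr/default.aspx 198.51.100.20 200
"""

def family_of(path):
    for name, rx in FAMILIES.items():
        if rx.search(path):
            return name
    return None

def analyse(log_text, min_families=3):
    """Return (scanners, exposed): clients probing >= min_families path
    families, and the default paths that answered 200 to those clients."""
    fields, probes = [], defaultdict(dict)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order comes from the header
            continue
        parts = line.split()
        if not parts or line.startswith("#") or len(parts) != len(fields):
            continue                       # skip comments and malformed rows
        row = dict(zip(fields, parts))
        fam = family_of(row.get("cs-uri-stem", ""))
        if fam:
            probes[row.get("c-ip", "-")][row["cs-uri-stem"]] = (fam, row.get("sc-status", "-"))
    fams = {ip: sorted({f for f, _ in hits.values()}) for ip, hits in probes.items()}
    scanners = {ip: f for ip, f in fams.items() if len(f) >= min_families}
    exposed = sorted({(fam, path) for ip in scanners
                      for path, (fam, status) in probes[ip].items() if status == "200"})
    return scanners, exposed
```

The `exposed` list is the remediation worklist: every entry is a default page that returned 200 to a client behaving like a scanner.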

