Like any other web application, SharePoint can fall prey to the OWASP Top 10 vulnerabilities, XSS in particular, mostly because of inadequate patching and misconfiguration. In this post we focus on reconnaissance: what your SharePoint installation is exposing.
Google Dorks FTW!:
Below are some Google dorks that help find SharePoint installations exposed to the web. It is wise to prefix them with "site:yoursite.com <then the dork below>" to narrow the search to your own domain and discover what your SharePoint installation is exposing to the public.
Fuzz:
From the above we can already view a lot of documents that you may not have intended to expose. Beyond the sensitive documents seen above, we can also:
- discover the SharePoint version installed
- discover the SharePoint web services configured on the application
- enumerate users
- view default SharePoint _layouts, _catalogs, configuration settings and forms
How?
I prefer to use this fuzzer, but DirBuster, FuzzDB wordlists and the like work just as well. Over time I have put together a list of SharePoint paths to feed the fuzzer.
Run the scanner as below to discover everything your SharePoint installation is exposing to the public 🙂
Visiting the pages that returned HTTP status code 200, we find:
1. FrontPage Server Extensions and SharePoint version information:
2. SharePoint web services:
3. Default layouts:
etc… you get the drift.
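As an added example (not part of the original post or of any fuzzer it links to), here is a small Python self-audit in the spirit of the steps above: it requests a handful of well-known default SharePoint paths on a site you administer, reports which ones answer 200, and checks the response for the MicrosoftSharePointTeamServices header that discloses the version. The path list is a short illustrative sample, not the author's wordlist; the fake responder and the version string in it are constructed so the script also runs offline.

```python
"""Self-audit of a SharePoint site for exposed default endpoints and version disclosure.

Added example; the path list is a small illustrative sample of well-known
SharePoint paths, not the post's own fuzzing list.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Well-known default paths (assumed sample). Each is described by what its
# exposure tells an outsider; the categories mirror the post's findings.
DEFAULT_PATHS = {
    "/_vti_inf.html": "FrontPage Server Extensions info page (version disclosure)",
    "/_vti_bin/lists.asmx": "Lists web service",
    "/_vti_bin/webs.asmx": "Webs web service",
    "/_vti_bin/people.asmx": "People web service (user enumeration surface)",
    "/_layouts/viewlsts.aspx": "Default layout page: all site content",
    "/_catalogs/masterpage/Forms/AllItems.aspx": "Master page catalog",
}

# Response header through which SharePoint announces its build/version.
VERSION_HEADER = "MicrosoftSharePointTeamServices"


def http_fetch(url, timeout=10):
    """GET `url` and return (status, headers) without raising on HTTP errors.

    A network failure yields (None, {}) so one unreachable path does not
    abort the whole audit.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "sp-self-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)
    except urllib.error.URLError:
        return None, {}


def audit_paths(base_url, fetch=http_fetch):
    """Return [(path, description)] for every default path that answers 200."""
    findings = []
    for path, description in DEFAULT_PATHS.items():
        status, _headers = fetch(urljoin(base_url, path))
        if status == 200:
            findings.append((path, description))
    return findings


def disclosed_version(base_url, fetch=http_fetch):
    """Return the value of the SharePoint version header on the site root, or None."""
    _status, headers = fetch(base_url)
    for name, value in headers.items():
        if name.lower() == VERSION_HEADER.lower():
            return value
    return None


def report(findings, version):
    """Render audit results as plain lines; empty findings mean nothing default was reachable."""
    lines = [f"Version disclosed via {VERSION_HEADER}: {version or 'no'}"]
    if not findings:
        lines.append("No default SharePoint paths answered 200.")
    for path, description in findings:
        lines.append(f"EXPOSED {path}  ({description})")
    return lines


def fake_fetch(url):
    """Constructed responder standing in for a misconfigured site (no network).

    Three default paths are 'reachable', everything else is 404, and every
    response carries a constructed version header, as a real site would.
    """
    exposed = {"/_vti_inf.html", "/_vti_bin/lists.asmx", "/_layouts/viewlsts.aspx"}
    status = 200 if url.endswith("/") or any(url.endswith(p) for p in exposed) else 404
    return status, {VERSION_HEADER: "15.0.0.4420"}  # constructed example value


if __name__ == "__main__":
    # Replace fake_fetch with http_fetch (the default) to audit your own site.
    site = "https://intranet.example/"  # assumed placeholder URL
    for line in report(audit_paths(site, fake_fetch), disclosed_version(site, fake_fetch)):
        print(line)
```

Every path that shows up as EXPOSED maps directly onto the "What to do?" list below: patch, then restrict or remove the default page, form or layout that does not need to be public.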
What to do?
- Patch SharePoint and keep it patched.
- Restrict access to, or remove, default pages, forms and layouts that do not need to be public.