RE: [WEB SECURITY] MOSS security
- From: "Chris Weber (Casaba Security)" <chris@xxxxxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] MOSS security
- Date: Thu, 22 May 2008 17:00:17 -0700
David, MOSS has builtin CSRF protections via the
SPUtility.ValidateFormDigest() method inherited from its master page.
There's also builtin XSS protections on ListItem's, but not the document
library - watch out there. You should also look for the use of
SPSecurity.RunWithElevatedPermissions() when you start building apps on top
of MOSS. I wrote a bit about these and point to some other references here:
http://lookout.net/2008/04/22/sharepoint-wss-and-moss-application-development-and-security-testing/
thanks,
Chris
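The three points in the reply above (form-digest validation for CSRF, care around elevated privileges, and output encoding for XSS) combined in one custom web part, as an added example that is not code from the thread, from Microsoft, or from the linked article. The "Announcements" list, the field names and the control layout are assumptions; the SharePoint object model's own names are SPUtility.ValidateFormDigest, SPSecurity.RunWithElevatedPrivileges and SPEncode.HtmlEncode, and the digest check only has something to validate when the hosting page carries the FormDigest control that MOSS master pages include.

```csharp
using System;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Illustrative web part (added example). List name, field name and
// UI controls are assumptions, not taken from the original thread.
public class AnnouncementPostWebPart : WebPart
{
    private TextBox titleBox;
    private Button postButton;
    private Label status;

    protected override void CreateChildControls()
    {
        titleBox = new TextBox();
        postButton = new Button { Text = "Post" };
        postButton.Click += PostButton_Click;
        status = new Label();
        Controls.Add(titleBox);
        Controls.Add(postButton);
        Controls.Add(status);
    }

    private void PostButton_Click(object sender, EventArgs e)
    {
        // 1. CSRF: the FormDigest control on the master page emits a per-user,
        //    per-site token into the POST body; ValidateFormDigest() checks that
        //    token against the current SPWeb. Without this call a cross-site
        //    forged POST is processed exactly like a legitimate button click.
        if (!SPUtility.ValidateFormDigest())
        {
            status.Text = "Request rejected: invalid or missing form digest.";
            return;
        }

        SPWeb web = SPContext.Current.Web;

        // 2. Authorization is decided against the *calling* user, before any
        //    elevation. Code inside RunWithElevatedPrivileges runs as the
        //    application pool identity and bypasses the user's permissions
        //    entirely, so the check must happen here, not inside the delegate.
        if (!web.DoesUserHavePermissions(SPBasePermissions.AddListItems))
        {
            status.Text = "You do not have permission to post.";
            return;
        }

        string title = titleBox.Text;
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = web.ID;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // New SPSite/SPWeb objects must be opened inside the delegate;
            // objects taken from SPContext keep the original user's identity.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb elevatedWeb = site.OpenWeb(webId))
            {
                // A freshly opened SPWeb does not carry the digest-validated
                // state of the context web, so writes need this flag; reset it
                // as soon as the update is done.
                elevatedWeb.AllowUnsafeUpdates = true;
                try
                {
                    SPListItem item = elevatedWeb.Lists["Announcements"].Items.Add();
                    item["Title"] = title;
                    item.Update();
                }
                finally
                {
                    elevatedWeb.AllowUnsafeUpdates = false;
                }
            }
        });

        // 3. XSS: the reply notes that list items get built-in encoding but
        //    document-library content does not; anything user-supplied that a
        //    web part writes back into the page must be encoded explicitly.
        status.Text = "Posted: " + SPEncode.HtmlEncode(title);
    }
}
```

The order of the three steps is the point: the digest check runs first because it costs nothing and rejects forged requests before any state is touched; the permission check runs against the real user before elevation because nothing inside the elevated delegate can recover that information; and the only value that reaches the response is encoded on the way out.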
-----Original Message-----
From: David Felio [mailto:david@xxxxxxx]
Sent: Wednesday, May 21, 2008 6:56 AM
To: WASC Forum
Subject: [WEB SECURITY] MOSS security
After years in the LAMP stack, our company is going towards various MS
products, including MOSS 2007/WSS 3.0. In various conversations with
MS folks about security considerations, they always go back to
permissions. I have not been terribly successful in getting them to
discuss security beyond/outside setting permissions w/in MOSS correctly.
Does anyone have experience for MOSS (or any SharePoint products) and
have some ideas about security concerns? One of the things I am
concerned about is CSRF, since the bulk of the administration is
handled via a web interface, but there doesn't seem to be much
existing research out there right now.
Thanks.
David
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org