[WEB SECURITY] MOSS security

Chris Weber (Casaba Security) chris at casabasecurity.com
Thu May 22 20:00:17 EDT 2008


David, MOSS has builtin CSRF protections via the
SPUtility.ValidateFormDigest() method inherited from its master page.
There's also builtin XSS protections on ListItem's, but not the document
library - watch out there.  You should also look for the use of
SPSecurity.RunWithElevatedPermissions() when you start building apps on top
of MOSS.  I wrote a bit about these and point to some other references here:

http://lookout.net/2008/04/22/sharepoint-wss-and-moss-application-developmen
t-and-security-testing/

thanks,
Chris






-----Original Message-----
From: David Felio [mailto:david at ark.org] 
Sent: Wednesday, May 21, 2008 6:56 AM
To: WASC Forum
Subject: [WEB SECURITY] MOSS security

After years in the LAMP stack, our company is going towards various MS  
products, including MOSS 2007/WSS 3.0. In various conversations with  
MS folks about security considerations, they always go back to  
permissions. I have not been terribly successful in getting them to  
discuss security beyond/outside setting permissions w/in MOSS correctly.

Does anyone have experience for MOSS (or any SharePoint products) and  
have some ideas about security concerns? One of the things I am  
concerned about is CSRF, since the bulk of the administration is  
handled via a web interface, but there doesn't seem to be much  
existing research out there right now.

Thanks.

David


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list