Microsoft SharePoint scanning guidelines

Technote (FAQ)


Question

How do you configure IBM Security AppScan Standard to successfully scan a Microsoft Office SharePoint Portal Server?

Answer

Microsoft Office SharePoint Portal Server is an enterprise information portal that belongs to the Microsoft Office family. Follow the notes below to configure AppScan Standard correctly for scanning this type of application:

  1. Privilege Issues

    It is recommended to avoid scanning with Administrative privileges. An administrator has the right to add new articles, so when AppScan Standard follows and tests the Edit/Add links and pages it will itself add and delete articles. Every item it creates produces further links, the crawl keeps growing as the scan progresses, and the scan never ends.

    Note: When SharePoint was tested with an account that had Administrative privileges, more than 5000 URLs and over 3 million tests were generated, even without JavaScript Execution (JSX) turned on. When the same site was tested with Anonymous Access, only 1100 URLs were explored.

    It is recommended to use the credentials of a member of the Readers group or an Anonymous user. If users with higher privileges have to be tested, remove the pages that allow those users to add articles from the scan and test them individually.


  2. The SharePoint built-in groups

    Below is a list of the built-in SharePoint groups and the access each one grants to an account:
    • Reader - Has read-only access to the Web site.
    • Contributor - Can add content to existing document libraries and lists.
    • Web Designer - Can create lists and document libraries and customize pages in the Web site.
    • Administrator - Has full control of the Web site.
    • Content Manager - Can create and manage areas, lists, libraries, and sites.
    • Member - Can view and personalize portal site content and create sites.


  3. Setting up Anonymous Access

    • On the SharePoint Server, navigate to http://localhost/_layouts/1033/spanon.aspx
    • Add the anonymous user with access to all areas and lists.
    • In the Internet Information Service (IIS) configuration, enable anonymous access for the SharePoint site.


      Note: Enabling anonymous access makes the portal treat you as an anonymous user by default and hides the administrative links. To reach an administrative page you have to browse to its URL directly (force browsing).


  4. Platform Authentication

    If you do not want to use anonymous access, enter the username, password and domain of a test user under Scan Configuration > Platform Authentication in AppScan Standard.


  5. Recommended Exclusions

    If you are scanning as a user with administrative privileges, it is recommended that you enter the following exclusions:

    • .*/Deleteweb.aspx

      This page contains the option to delete the entire portal. (This page is excluded by default in AppScan Standard.)

    • .*/PortalProperties.aspx

      Unless another value is specified, AppScan Standard will submit its default test value, 1234, into the site name and main properties and overwrite them. The site logo will also disappear.


      Other sensitive pages can also have damaging side effects when AppScan reaches them. Be prepared to restore the site from a previous backup after an administrative scan is done.
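      The exclusions above are regular expressions. The following added example (not part of this technote or of AppScan's own code) applies them to a constructed list of crawled URLs the way a pre-scan check might. It assumes AppScan matches an exclusion against the whole URL path, and it matches case-insensitively because IIS and SharePoint treat paths case-insensitively; neither assumption is stated on this page, so confirm the matching rule in your AppScan version. The host name and URLs are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Exclusion patterns recommended in this technote for administrative scans.
EXCLUSIONS = [
    r".*/Deleteweb.aspx",
    r".*/PortalProperties.aspx",
]

# Assumption: AppScan matches an exclusion regex against the full URL path.
# We emulate that with re.fullmatch, case-insensitively, since SharePoint
# serves /Deleteweb.aspx and /deleteweb.aspx as the same page.
_COMPILED = [re.compile(p, re.IGNORECASE) for p in EXCLUSIONS]


def is_excluded(url: str) -> bool:
    """Return True if the URL's path matches one of the exclusion patterns.

    The query string is dropped before matching, so a variant such as
    /_layouts/1033/deleteweb.aspx?Cancel=1 is still excluded; a pattern
    anchored to the whole URL would otherwise let it through.
    """
    path = urlsplit(url).path
    return any(rx.fullmatch(path) for rx in _COMPILED)


def partition(urls):
    """Split a crawled URL list into (scan, skip) lists."""
    scan, skip = [], []
    for u in urls:
        (skip if is_excluded(u) else scan).append(u)
    return scan, skip


# Constructed sample of URLs as a SharePoint crawl might produce them
# (hypothetical host and paths, not captured from a real server).
SAMPLE_URLS = [
    "http://portal.example/_layouts/1033/default.aspx",
    "http://portal.example/_layouts/1033/Deleteweb.aspx",
    "http://portal.example/sites/team/_layouts/1033/deleteweb.aspx?Cancel=1",
    "http://portal.example/_layouts/1033/PortalProperties.aspx",
    "http://portal.example/_layouts/1033/newgrp.aspx",
]

if __name__ == "__main__":
    to_scan, to_skip = partition(SAMPLE_URLS)
    print("to scan:", *to_scan, sep="\n  ")
    print("excluded:", *to_skip, sep="\n  ")
```

      Note that the unescaped dot in `Deleteweb.aspx` matches any character; the patterns work as written, but `.*/Deleteweb\.aspx` is the strict form if you add your own exclusions for other destructive pages.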


  6. Scan performance

    The machine used for the scan should be powerful, because the site is large. The SharePoint server itself should have plenty of free resources, and it is recommended that the SharePoint database be installed on a separate server.

    IIS on the SharePoint server should be configured for maximum performance. See the following link on how to increase IIS performance:

    http://technet.microsoft.com/en-ca/library/bb742402.aspx


  7. JavaScript Execution

    The following URL:

    http://server_name/_layouts/1033/error.aspx?ErrorText=Your+browser+does+not+support+scripts+This+page+requires+scripts+in+order+to+display+properly

    will appear in the scan as being tested very frequently if JSX is not turned on. For maximum application coverage, JSX should be turned on.

  8. Template based pages

    SharePoint sites often use template-based pages, which behave much like URL rewriting (many distinct URLs serve the same underlying page). If this is the case, the technote "How to optimize job and scan configurations for large sites" provides examples of how to set up AppScan Standard to scan the site successfully.

    Another way to limit the number of pages scanned is to explore the application manually and then start the testing on its own (Scan > Test Only).

  9. Common Accuracy Question Generators

    When running a scan, the following vulnerabilities might be reported. Check whether they are false positives:

    1. Alternate Version of File Detected / Lotus Domino Database Download

      This vulnerability is usually reported because the custom error pages are not configured correctly, so AppScan does not recognize the response as an error page. Add the following strings to the custom error pages so that AppScan identifies them:
      • Invalid file name for monitoring
      • Cannot run Windows SharePoint Services on this page

    2. Blind SQL Injection

      There have been reports of AppScan Standard finding a very high number of Blind SQL Injection false positives in scans that used Contributor credentials. Try changing the number of threads to one and re-testing to see whether this reduces the number of reported vulnerabilities.


  10. Common Real Vulnerabilities

    1. Unsigned __VIEWSTATE Parameter

      The page http://server_name/_layouts/1033/newgrp.aspx is vulnerable. The __VIEWSTATE hidden input is present in the HTML source, and its value can be decoded with the AppScan Encode/Decode tool (Tools > Power Tools > Encode/Decode) using the Base64 method, which shows that the view state is not encrypted.
    2. ASP.NET Custom Error Path Disclosure

      ASP.NET is vulnerable to path disclosure. This is caused by improper use of the "~" character when custom errors are turned on. A local path of the form c:\path_to_nonexistent_file will be visible in the HTML response.
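      To go one step further than the Encode/Decode tool on the __VIEWSTATE finding in item 10.1, the following added example (not part of this technote or of AppScan) decodes a __VIEWSTATE value, extracts the readable tokens that an unencrypted state leaks, and applies a heuristic for whether a MAC was appended. The heuristic rests on assumptions about the ASP.NET 1.x view-state layout that SharePoint Portal Server 2003 uses: the serialized state is readable "LOS" text ending in `>`, and with EnableViewStateMac on a 20-byte HMAC-SHA1 is appended before Base64 encoding. The sample values, the validation key and the `inspect_viewstate` function are constructed for this example; treat the result as a pointer for manual confirmation, not proof.

```python
import base64
import hashlib
import hmac
import re

# Assumptions about the ASP.NET 1.x view-state layout (not stated on the page):
#   * the serialized state is readable "LOS" text such as t<...;l<i<1>;>;...>
#     and its last byte is '>'
#   * with EnableViewStateMac on, a 20-byte HMAC-SHA1 keyed with the machineKey
#     validationKey is appended before Base64 encoding
#   * ASP.NET 2.0 and later use a binary format that starts with 0xFF 0x01


def _is_text(b: bytes) -> bool:
    """True if every byte is printable ASCII (or tab/CR/LF)."""
    return all(0x20 <= c < 0x7F or c in (9, 10, 13) for c in b)


def inspect_viewstate(value: str) -> dict:
    """Decode a __VIEWSTATE value and classify it.

    Returns the detected format ('los-text', 'binary-2.0' or 'unknown'),
    whether a trailing MAC looks present, and the readable tokens found.
    """
    raw = base64.b64decode(value)
    result = {"length": len(raw), "format": "unknown",
              "likely_mac": False, "tokens": []}

    if raw.startswith(b"\xff\x01"):
        result["format"] = "binary-2.0"   # binary format, inspect by other means
        return result

    body, tail = raw[:-20], raw[-20:]
    if _is_text(raw) and raw.endswith(b">"):
        # Whole payload is readable LOS text: nothing was appended to it.
        result["format"] = "los-text"
    elif _is_text(body) and body.endswith(b">") and not _is_text(tail):
        # Readable LOS text followed by 20 opaque bytes: looks MAC-protected.
        result["format"] = "los-text"
        result["likely_mac"] = True
        raw = body
    else:
        return result

    # Readable string tokens (control IDs, property values) are what an
    # unencrypted view state leaks; drop LOS structure markers and numbers.
    text = raw.decode("ascii")
    result["tokens"] = [t for t in re.split(r"[<>;]", text)
                        if t and not t.lstrip("-").isdigit()
                        and t not in ("t", "l", "i", "p")]
    return result


# Constructed sample state in LOS-style text (hypothetical, not captured from
# a server): a page hash code, a small control tree and two readable values.
_LOS = b"t<-123456789;t<;l<i<1>;>;l<t<;l<i<1>;>;l<t<p<l<Text;>;l<Readers;>>;>;>;>;>;>;>"
UNSIGNED_VIEWSTATE = base64.b64encode(_LOS).decode()

# The same state with an HMAC-SHA1 appended under a made-up validation key,
# standing in for a page that has EnableViewStateMac turned on.
_MAC = hmac.new(b"example-validation-key", _LOS, hashlib.sha1).digest()
SIGNED_VIEWSTATE = base64.b64encode(_LOS + _MAC).decode()

# Constructed ASP.NET 2.0-style prefix, to show the format branch.
BINARY_VIEWSTATE = base64.b64encode(b"\xff\x01\x0f\x00").decode()

if __name__ == "__main__":
    for name, vs in (("unsigned", UNSIGNED_VIEWSTATE),
                     ("signed", SIGNED_VIEWSTATE),
                     ("binary", BINARY_VIEWSTATE)):
        print(name, inspect_viewstate(vs))
```

      A state that decodes to readable text with no opaque tail is the case the finding describes: anyone can read, and potentially alter, the values the page round-trips through the client. The opposite result only means a MAC is probably present; confirm by tampering with one byte of the value and checking that the server rejects the postback.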

More information about Microsoft SharePoint can be found by going to the following Wikipedia link:

http://en.wikipedia.org/wiki/Windows_SharePoint_Services

Related information

AppScan fails to authenticate a SharePoint application

Document information

More support for: IBM Security AppScan Standard
Scan: Configuration

Software version: 8.0, 8.5, 8.5.0.1, 8.7, 8.8, 9.0

Operating system(s): Windows

Reference #: 1301935

Modified date: 20 July 2015

