Monday 4 January 2010

Focus on MOSS (SharePoint) Security

(This was posted today to the OWASP O2 Platform mailing list and the OWASP-DotNet Project mailing list.)
------

Now that the IBM contract has ended, I'm starting this January focused on MOSS (SharePoint), which is part of a project that I have been working on for a while, and I can finally start publishing my techniques and (some of) my findings.


I think that there are a couple of guys here (on the O2 or DotNet mailing lists) who are either currently involved in a SharePoint-related engagement or have done one in the past. For them (and others interested in this topic): please let's collaborate on this one and help to create a MOSS Security Center of Excellence here at OWASP :)

There was a MOSS thread a while back that proposed the creation of an OWASP wiki page to store this research. The link was to http://www.owasp.org/index.php/Research_for_Sharepoint but there was no content in there (Mark, is there another page?), so I've started populating this Research_for_Sharepoint page with the following topics:



  • 1 Resources
    • 1.1 Microsoft resources
    • 1.2 Other Resources and Documentation
    • 1.3 Presentations
    • 1.4 Other interesting resources
    • 1.5 Other Blogs and Articles
    • 1.6 Security related technical articles
  • 2 Published Security issues
    • 2.1 SharePoint related vulnerabilities and its status
  • 3 MOSS Security related WebParts, Tools & services
    • 3.1 Open Source
    • 3.2 Commercially Supported
  • 4 Dangerous MOSS APIs
  • 5 WebParts Security

This is far from complete and I still have quite a lot of research notes I want to publish (please add the ones you know). Although all topics are now on this page, I expect (as the content grows) this to be split into multiple MOSS-related pages.

I also have a number of MOSS O2 related tools and scripts that I will be publishing very soon :)