Lucky for SharePoint, it is the first foray into this brave world where the browser is masquerading as an operating system. For the very first time, with SharePoint 2013, we will have apps from different vendors, talking to different domains, living together in the browser.
Sound fun eh?
Now, SharePoint 2013 relies on a number of services to enable cross-domain, OAuth-protected requests. If you examine the web.config of SharePoint 2013, you'll see elements like this:
<httpRuntime requestValidationMode="2.0" />
This means ASP.NET 2.0-style request validation. In that model request validation was enabled by default, but it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing; in the 4.0 model it runs for every request, before any handler sees the data. SharePoint 2013 has chosen to go with the 2.0 model, not the 4.0 model. I can understand why: it is unreasonable for Microsoft to validate every single request that you will send, since Microsoft doesn't know about your incoming requests. As a result, your non-.aspx artifacts (custom handlers, web services, anything that reads the request itself) get no request validation at all, and any of them that echoes input back into a page without encoding it is wide open to XSS.
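As an added example (not code from the original post, nor SharePoint's own code), here is what that gap looks like in a custom .ashx handler deployed on a SharePoint 2013 web application, with its hardened form beside it. The handler class names and the `name` query-string parameter are hypothetical, chosen for illustration.

```csharp
using System;
using System.Web;

// Added example, not from the original post or from SharePoint.
// A custom IHttpHandler (.ashx) shipped with a SharePoint solution.
// Under <httpRuntime requestValidationMode="2.0" /> ASP.NET request
// validation runs only for .aspx pages, so this handler receives the
// raw, unvalidated query string and nothing stops it echoing it back.
public class GreetHandlerVulnerable : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // "name" is a hypothetical parameter chosen for this example.
        string name = context.Request.QueryString["name"];
        context.Response.ContentType = "text/html";
        // Reflected XSS: ?name=<script>...</script> is written verbatim
        // into the page and runs in the user's SharePoint session.
        context.Response.Write("<p>Hello, " + name + "</p>");
    }
}

// Hardened form of the same handler.
public class GreetHandlerHardened : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Opt in to the same check that .aspx pages get: after this call,
        // reading QueryString/Form/Cookies throws
        // HttpRequestValidationException if the value looks like markup.
        context.Request.ValidateInput();

        string name;
        try
        {
            name = context.Request.QueryString["name"] ?? string.Empty;
        }
        catch (HttpRequestValidationException)
        {
            // Reject rather than try to "clean" a suspicious request.
            context.Response.StatusCode = 400;
            context.Response.End();
            return;
        }

        // Request validation is a blacklist filter, not a guarantee; encode
        // on output so the value can never be interpreted as HTML.
        context.Response.ContentType = "text/html; charset=utf-8";
        context.Response.Write("<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>");
    }
}
```

Leave SharePoint's own requestValidationMode setting alone; the protection has to live in each non-.aspx artifact you ship. ValidateInput() only restores the blacklist check that .aspx pages get for free, so the HtmlEncode on output is the part that actually prevents the injection.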
What kind of attack you may ask?
- Imagine you have a banking app that uses OAuth to securely access your account information.
- Imagine that you have a second app on the same page that shows you funny cat videos from YouTube.
If both apps' script runs in the same origin as the host page, the cat videos app has full client-side access to the banking app. Not all apps will have this issue; it depends on how you write them, of course. An app part that is isolated in an iframe on its own app domain is walled off by the browser's same-origin policy, but script that an app injects directly into the host page shares that page's DOM, its non-HttpOnly cookies and its authenticated session, and certainly some apps will be written that way. That means the funny cats will be able to read cookies, tamper with the page, even reach into same-origin iframes, and in the worst case masquerade as an authenticated you, letting the cat videos app do whatever the hell it pleases in the Bank of America app, as you of course. The server will have no clue, and frankly it is becoming laughably easy to do things like clickjacking. I'm worried :).
Remember that in all of these scenarios, the SharePoint server itself is completely unharmed and untouched.
Perhaps I’m worrying too much about a funny cat doing bank transfers in my bank accounts. Am I? Is this the return to the Planet of the apps?