Tales of sharepoint API misconfigurations

Ujjaval Malhotra
4 min read · Jun 7, 2022


Introduction

I currently work as a penetration tester but never really had any bug bounty experience. While working on a project, I stumbled upon something interesting in SharePoint applications, so I thought I would make my first attempt at writing by sharing this information. Also, I was under the impression that there is not much valuable information you can extract from SharePoint applications from a black-box perspective.

Let's start with lists. According to Microsoft, a list is a collection of data that you can share with your team members and people who you’ve provided access to.

Since SharePoint is built around lists, and lists can have critical data stored in them, a good first step is to enumerate the lists in the application. This can be done by requesting the following URL: <HOST>/_api/web/lists

Request to get all lists including guids from the application.

This will return the lists available to the current user, or the publicly available ones if you are trying it as an unauthenticated user.

This is an interesting scenario because in the past I have found sensitive information, such as FTP details including the username and password, stored in a list by the developer. I was even able to get emails or comments submitted through the web application.

Now assume the pentester was able to retrieve the lists and wants to see the items in one of them. There are a couple of ways to do that, but the end result is the same: you can either use ‘getbytitle’ with the list title, or use the GUID of the list, and append ‘/items’ to fetch the items in that list.

Link: <HOST>/_api/Web/lists/getbytitle('<Title of the list>')/items

Retrieve the items stored in the list based on the list title.

Link: <HOST>/_api/Web/Lists(guid'<guid of the list>')/Items

Get items stored in list based on list GUID.

After this, you can also try to view or download files in folders that are accessible to you. In my case I was able to download the audit logs for the application, which contained a lot of user activity and internal hostnames for the application server.

This can be done with the APIs below.

Link: /_api/web/GetFolderByServerRelativeUrl('<Folder Name>')/files

Link: /_api/web/GetFolderByServerRelativeUrl('<Folder Name>')/files('<Name of the file>')/$value
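As an added example (not code from the post), the helpers below build the REST paths described above, with the OData quoting rule for titles and folder names that contain an apostrophe, and parse a `/_api/web/lists` response so you can spot which non-hidden lists actually hold items for a given principal. The host, list names and GUIDs are constructed placeholders.

```python
import json
from urllib.parse import quote

# Added example (not from the post): helpers for the SharePoint REST paths
# shown above, plus a parser for the /_api/web/lists response. Host, list
# names and GUIDs below are constructed placeholders.

# Without this header SharePoint answers in Atom XML; with it you get JSON.
JSON_HEADERS = {"Accept": "application/json;odata=verbose"}

def odata_quote(value):
    """OData string literals escape an embedded single quote by doubling it."""
    return quote(value.replace("'", "''"), safe="/'")

def lists_url(host):
    return f"{host}/_api/web/lists"

def items_by_title_url(host, title):
    return f"{host}/_api/web/lists/getbytitle('{odata_quote(title)}')/items"

def items_by_guid_url(host, guid):
    return f"{host}/_api/web/lists(guid'{guid}')/items"

def files_url(host, folder):
    return f"{host}/_api/web/GetFolderByServerRelativeUrl('{odata_quote(folder)}')/files"

def file_content_url(host, folder, name):
    return f"{files_url(host, folder)}('{odata_quote(name)}')/$value"

def parse_lists(body):
    """Return (Title, Id, ItemCount, Hidden) per list. The response shape depends on
    the Accept header: odata=verbose wraps rows in d.results, odata=nometadata in value."""
    data = json.loads(body)
    rows = data["d"]["results"] if "d" in data else data.get("value", [])
    return [(r["Title"], r["Id"], r.get("ItemCount", 0), r.get("Hidden", False)) for r in rows]

def exposed_lists(body):
    """Non-hidden lists that actually hold items: the ones to review for data the
    requesting principal (e.g. anonymous) should not be able to read."""
    return [t for t, _, n, hidden in parse_lists(body) if n > 0 and not hidden]

# Constructed response, shaped like odata=verbose output from /_api/web/lists.
SAMPLE_VERBOSE = json.dumps({"d": {"results": [
    {"Title": "Documents", "Id": "11111111-1111-1111-1111-111111111111", "ItemCount": 3, "Hidden": False},
    {"Title": "User Information List", "Id": "22222222-2222-2222-2222-222222222222", "ItemCount": 40, "Hidden": True},
    {"Title": "FTP Settings", "Id": "33333333-3333-3333-3333-333333333333", "ItemCount": 1, "Hidden": False},
]}})
```

Run the same parse against the response you get unauthenticated and the one you get as a low-privilege user; any list that appears in both is worth a permissions review.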

What you can reach with the above depends on the access control implemented in the application. But is there another misconfiguration that allows this access control policy to be bypassed?

Yes. While testing some applications I came across custom API endpoints that the application uses to fetch data for the end user. The call is a POST request whose body carries the name of the endpoint to read from and the filter the application applies by default when fetching this information.
The components look something like this: /_layouts/15/<Name of the components by the developer>.Components/SPService.aspx/GetItems

It should be noted that in my case the path started with the name of the developer’s organisation, which might be difficult to figure out if the application is not making API calls to these components while you are testing. The applications I was testing, however, were making API calls to fetch this data, so it was easy to intercept the requests and manipulate them. The API calls look something like this:

GetItems API call trying to access data.

In my case, I was able to bypass the application's access control and fetch sensitive data that was not directly accessible to the end user.
As shown in the screenshots below, a direct GET request to the endpoint was refused, with a server response saying that access to this resource is denied for my user. But by entering the same endpoint in the GetItems API call, I was able to fetch data from it.

Access denied for the resource while trying to access it directly.
Access denied message for the mentioned resource.
Removing the filters and trying to access the data through SPService.aspx ‘GetItems’ API call allows the end user to retrieve the data.
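As an added example (not from the post), here is the detection side of the two behaviours above, run over a constructed IIS W3C log excerpt: an unauthenticated client successfully walking the REST enumeration paths, and a client that was denied on a direct request and then served by the custom `SPService.aspx/GetItems` call. The `ExampleOrg.Components` path is a placeholder for the developer-named component.

```python
import re

# Added example (not from the post): detection over IIS W3C log lines for the
# two behaviours described above. The log excerpt is constructed; the
# "ExampleOrg.Components" path is a placeholder for the developer-named component.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-06-07 10:15:01 10.0.0.5 GET /_api/web/lists - 443 - 203.0.113.7 Mozilla/5.0 200
2022-06-07 10:15:09 10.0.0.5 GET /_api/web/GetFolderByServerRelativeUrl('Audit')/files - 443 - 203.0.113.7 Mozilla/5.0 200
2022-06-07 10:16:30 10.0.0.5 GET /sites/hr/Lists/Salaries/AllItems.aspx - 443 EXAMPLE\pentester 10.0.0.22 Mozilla/5.0 403
2022-06-07 10:16:45 10.0.0.5 POST /_layouts/15/ExampleOrg.Components/SPService.aspx/GetItems - 443 EXAMPLE\pentester 10.0.0.22 Mozilla/5.0 200
2022-06-07 10:17:00 10.0.0.5 GET /_api/web/lists - 443 EXAMPLE\jdoe 10.0.0.30 Mozilla/5.0 200
"""

# REST paths the post uses for enumeration: lists, lists/getbytitle(...)/items,
# lists(guid'...')/items and GetFolderByServerRelativeUrl(...)/files.
REST_ENUM = re.compile(r"/_api/web/(lists|getfolderbyserverrelativeurl\()", re.I)
# Developer-named component exposing a generic GetItems action.
CUSTOM_GETITEMS = re.compile(r"/_layouts/15/[^/]+\.components/spservice\.aspx/getitems$", re.I)

def parse_w3c(text):
    """Map each data line to a dict using the #Fields: header (IIS writes '+' for spaces)."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def detect(text):
    """Return (rule, client, path) findings in log order."""
    findings, denied_clients = [], set()
    for r in parse_w3c(text):
        path, status, client = r["cs-uri-stem"], int(r["sc-status"]), r["c-ip"]
        # Rule 1: an unauthenticated client ('-' username) successfully walking the REST API.
        if r["cs-username"] == "-" and status == 200 and REST_ENUM.search(path):
            findings.append(("anonymous-rest-enumeration", client, path))
        # Rule 2: a client denied on a direct request, then served by the custom GetItems call.
        if status in (401, 403):
            denied_clients.add(client)
        elif (r["cs-method"] == "POST" and status == 200 and client in denied_clients
              and CUSTOM_GETITEMS.search(path)):
            findings.append(("getitems-after-denied-direct-access", client, path))
    return findings
```

Rule 2 correlates by client address because the IIS log does not record the POST body, so the list name sent to GetItems is not visible; a request-body capture at a reverse proxy would let you match the denied resource exactly.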

These were some of the interesting scenarios I came across in SharePoint applications. All of these misconfigurations were found during external black-box assessments and allowed me to retrieve internal sensitive information.

I hope this post helps you try some new attack vectors in your next assessment if you encounter a SharePoint application. All of this information can also be found in the links in the references below, and I am sure there is much more that can be done. I hope to explore more of these issues and post other interesting things I find.

Please feel free to reach out to me on Twitter and let me know if you have any suggestions. (Twitter: https://twitter.com/Ujjaval__ )

References:

https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service

https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/working-with-lists-and-list-items-with-rest

https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/working-with-folders-and-files-with-rest
