Is SharePoint 2013 vulnerable to cross-site request forgery?

Question
-
I am wondering if there is any Microsoft article which states that SharePoint 2013 OOTB is NOT vulnerable to cross-site request forgery! I would appreciate if MVPs can provide here an evidence for this purpose.
Thanks
Tuesday, December 20, 2016 12:26 PM
Answers
-
Hi Rio,
SharePoint uses a FormDigest to prevent common CSRF attacks, and pages which inherit the OOTB master page will contain the Form Digest canary value.
For pages which do not inherit the OOTB master page, you need to use the Microsoft.SharePoint.WebControls.FormDigest control to write the value into the page.
For more reference:
http://blog.sandeeprawat.com/2010/09/sharepointpreventing-csrf-using-dynamic.html
Best Regards,
Victoria
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
- Proposed as answer by Wendy DZ, Microsoft contingent staff, Wednesday, January 4, 2017 1:54 AM
- Marked as answer by Sjoukje Zaal, MVP, Monday, January 16, 2017 1:55 PM
Friday, December 30, 2016 9:36 AM
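To make the accepted answer concrete, here is an added example (written for this page, not code from the thread, from Microsoft, or from the linked blog) of a custom SharePoint 2013 application page that does not inherit the OOTB master page. It emits the digest with the FormDigest control and, on postback, refuses to perform the state-changing update until the digest has been validated. The page path, namespace, control IDs and the specific update performed are assumptions for illustration.

```csharp
// Added illustration, not from the thread or from Microsoft: a custom SharePoint 2013
// application page that does NOT inherit the OOTB master page, so it must emit the
// form digest itself and validate it before doing anything that changes state.
// The page path, namespace, control IDs and the update performed are assumed.
//
// Markup side (assumed file /_layouts/15/ContosoDemo/UpdateTitle.aspx):
//   <%@ Page Language="C#" Inherits="ContosoDemo.UpdateTitlePage" %>
//   <%@ Register TagPrefix="SharePoint"
//        Namespace="Microsoft.SharePoint.WebControls"
//        Assembly="Microsoft.SharePoint, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71e9bc101c6b2df2" %>
//   <form id="form1" runat="server">
//     <SharePoint:FormDigest runat="server" />   <%-- writes the __REQUESTDIGEST canary --%>
//     <asp:TextBox ID="NewTitle" runat="server" />
//     <asp:Button ID="SaveButton" runat="server" Text="Save" OnClick="SaveButton_Click" />
//   </form>

using System;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

namespace ContosoDemo
{
    public class UpdateTitlePage : LayoutsPageBase
    {
        protected TextBox NewTitle;
        protected Button SaveButton;

        protected void SaveButton_Click(object sender, EventArgs e)
        {
            // The FormDigest control only places the canary on the page; nothing is
            // checked until server-side code asks for validation. A request forged
            // from another site cannot carry a valid digest for this user, so it
            // stops here instead of reaching the write below.
            if (!SPUtility.ValidateFormDigest())
            {
                // Same failure mode SharePoint's own pages produce on a bad digest.
                throw new SPException("The security validation for this page is invalid.");
            }

            // Digest verified for this POST: perform the state-changing operation.
            SPWeb web = SPContext.Current.Web;
            web.Title = NewTitle.Text;
            web.Update();
        }
    }
}
```

Two things worth checking when reviewing a custom page like this: that the validation call sits in front of every state-changing code path, not only the obvious button handler, and that nobody has set `web.AllowUnsafeUpdates = true` to make the "security validation" error go away, because that setting bypasses exactly the digest check the FormDigest control exists to provide.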
All replies
-
Hi Rio- I don't know if any article actually exists, but the answer is that SharePoint IS vulnerable, just like anything else. However, steps have been taken to prevent it and give you the ability on your end to make sure it doesn't happen. See the following link for detailed information:
cameron rautmann
Tuesday, December 20, 2016 1:28 PM -
Hi, My question is related to cross-site request forgery (CSRF) as stated at https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF). NOT cross-site scripting.
Wednesday, December 21, 2016 4:27 AM
-
Sorry, but the same answer. Read more here:
cameron rautmann
Wednesday, December 21, 2016 1:16 PM -
I have gone through the article you had mentioned. But it neither says SharePoint prevents CSRF nor explains how to prevent CSRF. Can you explain how to prevent CSRF on OOTB SP2013 if it is not prevented by default?
If prevented by default can you get me an evidence or explain how to obtain an evidence?
Thanks in advance
Wednesday, December 28, 2016 4:54 AM -
How does this work with SharePoint Online?
I mean, there are no Server Controls in SharePoint Online. Right?
Karthick S
Tuesday, March 13, 2018 4:29 PM -
You don't have control over this with the online version.
cameron rautmann
Tuesday, March 13, 2018 4:59 PM