Tip #48: How to secure application pages

Rate this item
(0 votes)

When you create public internet-faced SharePoint site you need to pay attention on how you secure Application pages (_layout folder), to avoid security breach.

SharePoint doesn't secure your application pages, but provides OOTB features to protect pages and minimize site vulnerability. There are couple of ways how SharePoint addresses page protection.

Validating Page Requests

Pages post must be originates from a page within your own site, where you control the logic of which list or file identifier gets posted. But, one could build a separate page (maybe hosted on a different site) that bypasses all those steps and posts a malicious request. One way to avoid such an attack is using

<SharePoint:FormDigest runat="server"/>

which generates a security validation that is passed when the form is submitted; as the request is processed, the validity of the request is verified via a call to the ValidateFormDigest method in SPWeb or SPUtility.

Although Windows SharePoint Services automatically calls ValidateFormDigest with most write operations, you should explicitly call the method before executing code via the RunWithElevatedPrivileges method

Validating User Permissions

In several cases you can rely on validation of user's permissions - base permissions, role permissions and group permissions via Microsoft.SharePoint.SPBasePermissions

Hiding Application Pages

For Publishing sites the recommended approach is not to use \_layout pages, and hide them from crawling by search engines. When you use Publishing feature SharePoint activates "ViewFormPagesLockDown" feature that prevents users from opening any of pages from "_layouts" folder. This feature provides the following:

  1. allows users to only view the Publishing pages in your site, not any of the form or view pages (DispForm.aspx, AllItems.aspx)
  2. disallows anonymous access to pages in the _layouts directory that inherit from LayoutsPageBase.

Unfortunately this is not available with "Team Site" and other templates, and you need to activate this feature manually

stsadm -o activatefeature -url <site collection url> -filename ViewFormPagesLockDown\feature.xml

If you want to have some of the application pages to be visible by anonymous, avoiding activated "ViewFormPagesLockDown" feature, you need to use UnsecuredLayoutsPageBase class for such pages.

 

Source 1, 2, 3

Leave a comment

Make sure you enter the (*) required information where indicated. HTML code is not allowed.