Overview
The SharePoint Scanner identifies vulnerabilities and misconfigurations in Microsoft SharePoint deployments. It tests for exposed web services, user enumeration, accessible default pages, and configuration issues. The SharePoint Scanner is a vulnerability scanner: it tests SharePoint sites for security weaknesses from an anonymous user’s perspective. It does not add data to your Attack Surface. Identified vulnerabilities are reported as findings.Supported targets
Provide the SharePoint site URL. The scanner performs a black-box assessment from an anonymous user’s perspective.
Tests performed
The SharePoint Scanner runs all tests in a single scan. There are no scan mode options.Test details
Server fingerprinting
Identifies the web server software (IIS), technology stack (ASP.NET), and operating system. This information helps attackers identify potential vulnerabilities.SharePoint fingerprinting
Detects the SharePoint version from theMicrosoftSharePointTeamServices HTTP header. Version detection enables identification of applicable vulnerabilities.
SharePoint configuration
Analyzes HTTP response headers for configuration information disclosure:
This information can help attackers monitor the effectiveness of denial-of-service attacks.
FrontPage Server Extensions
Checks for legacy FrontPage Server Extensions by accessing/_vti_inf.html. FrontPage extensions are deprecated and may contain security vulnerabilities.
SharePoint web services
Tests 26 SharePoint web service endpoints for anonymous access:/_vti_bin/spdisco.aspx: Web service discovery/_vti_bin/lists.asmx: List access/_vti_bin/People.asmx: People service/_vti_bin/UserGroup.asmx: User/group service/_vti_bin/permissions.asmx: Permissions service/_vti_bin/search.asmx: Search service- And 20 more endpoints…
User enumeration
Attempts to enumerate SharePoint users via the/_layouts/userdisp.aspx page. For each user found, the scanner extracts:
- Account name
- Full name
- Work email
- Department
- Job title
- Mobile phone
Default catalogs
Checks anonymous access to default _catalogs pages:/_catalogs/masterpage/Forms/AllItems.aspx/_catalogs/wp/Forms/AllItems.aspx/_catalogs/wt/Forms/Common.aspx
Default forms
Checks anonymous access to 9 default Forms pages including:Forms/DispForm.aspx: Display formsForms/EditForm.aspx: Edit formsForms/NewForm.aspx: New item formsPages/Forms/AllItems.aspx: Page listings
Default layouts
Checks anonymous access to 64+ default _layouts pages (including SharePoint 2013/_layouts/15/ paths):
_layouts/viewlsts.aspx: List views_layouts/people.aspx: People and groups_layouts/settings.aspx: Site settings_layouts/create.aspx: Create page_layouts/sitemanager.aspx: Site manager- And many more administrative pages…
Search engine exposure
Generates Google dork queries to find indexed SharePoint pages:site:example.com inurl:"/_catalogs"site:example.com inurl:"/Forms"site:example.com inurl:"/_layouts"
The scanner provides clickable Google search links. You should manually review the results to identify any sensitive indexed pages.
How it works
The SharePoint Scanner works in these steps:- Server fingerprinting: Identifies web server, technology, and OS
- SharePoint detection: Confirms SharePoint installation and determines version
- Configuration analysis: Examines HTTP headers for information disclosure
- Extension check: Tests for legacy FrontPage extensions
- Web services scan: Tests 26 endpoints for anonymous access
- User enumeration: Attempts to extract user information
- Permission checks: Tests access to _catalogs, Forms, and _layouts pages
- Search exposure: Generates Google dorks for manual review
Follow-up actions
After identifying vulnerabilities:- Remove version headers: Eliminate MicrosoftSharePointTeamServices and other identifying headers
- Disable anonymous access: Restrict web services and default pages to authenticated users
- Protect user information: Disable anonymous access to userdisp.aspx
- Review permissions: Audit _catalogs, Forms, and _layouts page permissions
- Remove FrontPage extensions: If not needed, remove legacy FrontPage components
- Review indexed pages: Check Google dork results and remove sensitive pages from search
- Scan for exploits: Run Sniper to test for SharePoint RCE vulnerabilities
- Schedule regular scans: Set up Scheduled scans for continuous monitoring