Testing for LDAP Injection (OTG-INPVAL-006)

[http://s1.shard.jp/frhorton/obe78uzn9.html african american institute leadership ] [http://s1.shard.jp/frhorton/ns971gffq.html search engine marketing south africa ] [http://s1.shard.jp/olharder/auto-escort-ford.html automatic login linux ] [http://s1.shard.jp/frhorton/vwktsknc4.html african licked ] [http://s1.shard.jp/olharder/44-auto-trader-nz.html 900 auto part saab ] genetics society of australasia [http://s1.shard.jp/frhorton/7bbhgy4dh.html john thornton africa ] [http://s1.shard.jp/galeach/new57.html asian loni pics ] [http://s1.shard.jp/bireba/window-security.html antivirus software information ] webmap [http://s1.shard.jp/losaul/australian-cricket.html australia pajero ] [http://s1.shard.jp/frhorton/mxbohv5lf.html african american incarcerated ] [http://s1.shard.jp/olharder/best-way-auto-care.html auto patcher xp 2005 ] [http://s1.shard.jp/olharder/siemens-automotive.html autoplex 2000 lake charles ] [http://s1.shard.jp/frhorton/kcixkr2qy.html african dream phone card ] [http://s1.shard.jp/bireba/g-data-antivirus.html avisoft antivirus ] [http://s1.shard.jp/losaul/coastlines-of-australia.html why did people migrate to australia ] [http://s1.shard.jp/losaul/bmw-australia.html australia post shop catalogue ] site [http://s1.shard.jp/galeach/new49.html tales of phantasia walkthrough ] site [http://s1.shard.jp/olharder/stevens-creek.html kensington ipod fm transmitter and auto charger 33159 ] [http://s1.shard.jp/olharder/used-automobile.html auto check ] [http://s1.shard.jp/losaul/china-export-to.html mens clothing wholesalers gold coast australia ] [http://s1.shard.jp/bireba/avg-vs-avast.html pc cillin 2000 antivirus ] [http://s1.shard.jp/frhorton/rm22odke6.html africans teens ] [http://s1.shard.jp/losaul/professionals.html adelong australia ] [http://s1.shard.jp/frhorton/ksxkt4yj6.html celebrating indigenous south african ] [http://s1.shard.jp/olharder/the-home-auto.html malinish auto ] [http://s1.shard.jp/frhorton/l648khtsn.html africanists ] [http://s1.shard.jp/bireba/lu1812-norton.html antivirus and security software ] [http://s1.shard.jp/olharder/autokillercom.html the autopsy report ] [http://s1.shard.jp/bireba/mcaffe-antivirus.html 2006 winantivirus ] [http://s1.shard.jp/olharder/dariusz-wolski.html lashins auto salvage ] [http://s1.shard.jp/losaul/jamberoo-recreation.html man made attractions in australia ] sitemap domain url seasonal weather in australia webmap [http://s1.shard.jp/olharder/xp-autoplay-disable.html unique automotive shelby ] [http://s1.shard.jp/bireba/antivirus-trials.html winantivirus pro 2005 deluxe ] [http://s1.shard.jp/olharder/auto-repair-service.html auto foam upholstery ] [http://s1.shard.jp/frhorton/fejuk5z5f.html human hair wigs african american ] dod cert antivirus submissive asians [http://s1.shard.jp/bireba/avast-free-antivirus.html antivirus trialware download ] http://www.textcnaladel.com

Brief Summary
LDAP is an acronym for Lightweight Directory Access Protocol. LDAP is a protocol to store information about users, hosts, and many other objects. LDAP injection is a server side attack, which could allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified, or inserted. This is done by manipulating input parameters afterwards passed to internal search, add, and modify functions.

Description of the Issue
A web application could use LDAP in order to let users authenticate or search other users' information inside a corporate structure.

The goal of LDAP injection attacks is to inject LDAP search filters metacharacters in a query which will be executed by the application.

[Rfc2254] defines a grammar on how to build a search filter on LDAPv3 and extends [Rfc1960] (LDAPv2).

An LDAP search filter is constructed in Polish notation, also known as [prefix notation].

This means that a pseudo code condition on a search filter like this:

find("cn=John & userPassword=mypass")

will be represented as:

find("(&(cn=John)(userPassword=mypass))")

Boolean conditions and group aggregations on an LDAP search filter could be applied by using the following metacharacters: More complete examples on how to build a search filter can be found in the related RFC.

A successful exploitation of an LDAP injection vulnerability could allow the tester to:


 * Access unauthorized content
 * Evade application restrictions
 * Gather unauthorized informations
 * Add or modify Objects inside LDAP tree structure.

Example 1. Search Filters
Let's suppose we have a web application using a search filter like the following one:

searchfilter="(cn="+user+")"

which is instantiated by an HTTP request like this:

http://www.example.com/ldapsearch?user=John

If the value 'John' is replaced with a '*', by sending the request:

http://www.example.com/ldapsearch?user=*

the filter will look like:

searchfilter="(cn=*)"

which matches every object with a 'cn' attribute equals to anything.

If the application is vulnerable to LDAP injection, it will display some or all of the users' attributes, depending on the application's execution flow and the permissions of the LDAP connected user.

A tester could use a trial-and-error approach, by inserting in the parameter '(', '|', '&', '*' and the other characters, in order to check the application for errors.

Example 2. Login
If a web application uses LDAP to check user credentials during the login process and it is vulnerable to LDAP injection, it is possible to bypass the authentication check by injecting an always true LDAP query (in a similar way to SQL and XPATH injection ).

Let's suppose a web application uses a filter to match LDAP user/password pair.

searchlogin= "(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";

By using the following values:

user=*)(uid=*))(|(uid=* pass=password

the search filter will results in:

searchlogin="(&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))";

which is correct and always true. This way, the tester will gain logged-in status as the first user in LDAP tree.