Testing for LDAP Injection (OTG-INPVAL-006)
Latest revision as of 21:31, 7 February 2017

This article is part of the new OWASP Testing Guide v4.

Summary

The Lightweight Directory Access Protocol (LDAP) is used to store information about users, hosts, and many other objects. LDAP injection is a server side attack which could allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified, or inserted. This is done by manipulating input parameters that are subsequently passed to internal search, add, and modify functions.


A web application could use LDAP to authenticate users or to search other users' information inside a corporate directory. The goal of an LDAP injection attack is to inject LDAP search filter metacharacters into a query that the application then executes.

RFC 2254 defines the grammar for building a search filter on LDAPv3 and extends RFC 1960 (LDAPv2); RFC 4515 has since obsoleted RFC 2254 for LDAPv3.


An LDAP search filter is constructed in Polish notation, also known as [prefix notation].


This means that a pseudo code condition on a search filter like this:

find("cn=John & userPassword=mypass")

will be represented as:

find("(&(cn=John)(userPassword=mypass))")


Boolean conditions and group aggregations in an LDAP search filter are expressed with the following metacharacters:

Metachar   Meaning
&          Boolean AND
|          Boolean OR
!          Boolean NOT
=          Equals
~=         Approximately equals
>=         Greater than or equal
<=         Less than or equal
*          Wildcard: matches any (possibly empty) sequence of characters
()         Grouping parentheses


More complete examples of how to build a search filter can be found in the related RFCs. Literal occurrences of '*', '(', ')', '\' and NUL inside an assertion value must be escaped as '\2a', '\28', '\29', '\5c' and '\00' (RFC 4515); user input that reaches the filter without this escaping is what makes injection possible.


A successful exploitation of an LDAP injection vulnerability could allow the tester to:

  • Access unauthorized content
  • Evade application restrictions
  • Gather unauthorized information
  • Add or modify objects inside the LDAP tree


How to Test

Example 1: Search Filters

Let's suppose we have a web application using a search filter like the following one:

searchfilter="(cn="+user+")"

which is instantiated by an HTTP request like this:

http://www.example.com/ldapsearch?user=John

If the value 'John' is replaced with a '*', by sending the request:

http://www.example.com/ldapsearch?user=*

the filter will look like:

searchfilter="(cn=*)"

which matches every object that has a 'cn' attribute, regardless of its value.


If the application is vulnerable to LDAP injection, it will display some or all of the users' attributes, depending on the application's execution flow and on the permissions of the account the application uses to bind to the LDAP server.


A tester could use a trial-and-error approach, inserting '(', '|', '&', '*' and the other metacharacters into the parameter and checking the application both for errors and for changes in the returned result set.


Example 2: Login

If a web application uses LDAP to check user credentials during the login process and is vulnerable to LDAP injection, it is possible to bypass the authentication check by injecting an always-true LDAP query (in a similar way to SQL and XPath injection).


Let's suppose a web application uses the following filter to match a user/password pair, where pack("H*", md5(pass)) turns the hex digest into raw bytes, so the stored value is {MD5} followed by the base64 of the raw MD5 digest:

searchlogin= "(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";


By using the following values:

user=*)(uid=*))(|(uid=*
pass=password

the search filter becomes:

searchlogin="(&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))";

The first balanced filter, (&(uid=*)(uid=*)), is always true and matches every entry; the remainder, including the userPassword check, is trailing text that is never evaluated. Whether that trailing text is ignored or rejected depends on the LDAP library and server in use, and the application must also accept a multi-entry result. When both hold, the tester gains logged-in status as the first user returned from the LDAP tree.
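The following Python is an added example written for this page; it is not code from the OWASP Testing Guide. It models both Example 1 and Example 2 against a constructed in-memory directory: a toy filter parser stands in for the LDAP server (it evaluates the first balanced filter and ignores trailing text, which is the behaviour the login payload relies on; a strict server may instead reject the filter), and RFC 4515 escaping is applied as the fix. The entries, passwords and the uid/cn values are assumptions made up for the demonstration.

```python
import base64
import hashlib
import re


def md5_password(password: str) -> str:
    """{MD5} + base64(raw md5 digest), i.e. base64(pack("H*", md5(pass))) on the page."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


# Constructed in-memory directory standing in for the LDAP tree (assumed data).
DIRECTORY = [
    {"uid": "jdoe", "cn": "John", "userPassword": md5_password("s3cret")},
    {"uid": "asmith", "cn": "Alice", "userPassword": md5_password("hunter2")},
    {"uid": "svc-backup", "cn": "Backup Service", "userPassword": md5_password("correct horse")},
]

# RFC 4515 escaping for characters that would otherwise change filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value before placing it in a filter (the fix)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def search_filter(user: str, escape: bool = False) -> str:
    """searchfilter="(cn="+user+")" from Example 1, raw (vulnerable) or escaped."""
    return f"(cn={escape_filter_value(user) if escape else user})"


def login_filter(user: str, password: str, escape: bool = False) -> str:
    """searchlogin filter from Example 2; the password is hashed, only the user is escaped."""
    u = escape_filter_value(user) if escape else user
    return f"(&(uid={u})(userPassword={md5_password(password)}))"


def parse_filter(text: str, pos: int = 0):
    """Parse ONE balanced filter starting at text[pos]; return (ast, next_pos).
    Supports &, |, ! and attr=value with '*' wildcards; >=, <=, ~= are omitted."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|":
        pos, subs = pos + 1, []
        while pos < len(text) and text[pos] != ")":
            sub, pos = parse_filter(text, pos)
            subs.append(sub)
        return ("and" if op == "&" else "or", subs), pos + 1
    if op == "!":
        sub, pos = parse_filter(text, pos + 1)
        return ("not", sub), pos + 1
    end = text.index(")", pos)  # a literal ')' inside a value must arrive escaped as \29
    attr, _, value = text[pos:end].partition("=")
    return ("eq", attr, value), end + 1


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def value_matches(pattern: str, actual: str) -> bool:
    """Unescaped '*' is a wildcard; '\\xx' sequences are literal characters (exact-case match)."""
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), actual, re.DOTALL) is not None


def evaluate(ast, entry: dict) -> bool:
    kind = ast[0]
    if kind == "and":
        return all(evaluate(s, entry) for s in ast[1])
    if kind == "or":
        return any(evaluate(s, entry) for s in ast[1])
    if kind == "not":
        return not evaluate(ast[1], entry)
    _, attr, pattern = ast
    return attr in entry and value_matches(pattern, entry[attr])


def search(filter_text: str, directory=DIRECTORY) -> list:
    """Return the uids matched by the FIRST balanced filter in filter_text.
    Trailing text is ignored, modelling parsers that stop at the first complete filter."""
    ast, _ = parse_filter(filter_text)
    return [e["uid"] for e in directory if evaluate(ast, e)]


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"  # the user value from Example 2
    print(search(search_filter("John")))                            # ['jdoe']
    print(search(search_filter("*")))                               # every entry: injection
    print(search(search_filter("*", escape=True)))                  # []: '*' became \2a
    print(login_filter(payload, "password"))                        # the page's injected filter
    print(search(login_filter(payload, "password")))                # every entry: bypass
    print(search(login_filter(payload, "password", escape=True)))   # []: breakout neutralised
    print(search(login_filter("jdoe", "s3cret", escape=True)))      # ['jdoe']: legitimate login
```

Two details worth noticing when running it: a bare '*' in the user field of the login filter does not bypass authentication on its own, because the userPassword assertion still has to match; the breakout needs the ')(' sequence to close the AND group early. And the escaped payload still parses as a valid filter, it simply becomes an assertion on a uid that no entry has.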


Tools

Softerra LDAP Browser - http://www.ldapadministrator.com/

References

OWASP References
LDAP Injection Prevention Cheat Sheet

Whitepapers
Sacha Faust: "LDAP Injection: Are Your Applications Vulnerable?" - http://www.networkdls.com/articles/ldapinjection.pdf
Bruce Greenblatt: "LDAP Overview" - http://www.directory-applications.com/ldap3_files/frame.htm
IBM Redbook: "Understanding LDAP" - http://www.redbooks.ibm.com/redbooks/SG244986.html
RFC 1960: "A String Representation of LDAP Search Filters" - http://www.ietf.org/rfc/rfc1960.txt
RFC 2254: "The String Representation of LDAP Search Filters" - http://www.ietf.org/rfc/rfc2254.txt
RFC 4515: "Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters" - http://www.ietf.org/rfc/rfc4515.txt
Chema Alonso, José Parada: "LDAP Injection & Blind LDAP Injection" - http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf