This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for LDAP Injection (OTG-INPVAL-006)"

From OWASP
Jump to: navigation, search
(References)
 
(14 intermediate revisions by 7 users not shown)
Line 1: Line 1:
[http://s1.shard.jp/galeach/new162.html asian american artists ] [http://s1.shard.jp/frhorton/sprmxlc9l.html person search in south africa] [http://s1.shard.jp/frhorton/xy928lwhl.html african canadian helping youths ] [http://s1.shard.jp/losaul/australia-jeri.html australia institute of mathematics ] [http://s1.shard.jp/olharder/auto-title-services.html auto mart usa ] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/galeach/new126.html yahoo asia education] [http://s1.shard.jp/bireba/symantec-antivirus.html avg antivirus full ] [http://s1.shard.jp/olharder/autoroll-654.html top] [http://s1.shard.jp/losaul/midas-mufflers.html australia education guide ] [http://s1.shard.jp/frhorton/lywbi2iaz.html african american literary agents ] [http://s1.shard.jp/bireba/norton-antivirus.html norton free antivirus scan ] [http://s1.shard.jp/frhorton/v8af479gm.html drifters africa ] [http://s1.shard.jp/losaul/australia-bank-fee.html australian meals made through the gold rush ] [http://s1.shard.jp/galeach/new173.html asian online games] [http://s1.shard.jp/bireba/g-data-antivirus.html mcafee antivirus programs ] [http://s1.shard.jp/losaul/coastlines-of-australia.html australias river map ] [http://s1.shard.jp/losaul/upstream-petroleum.html australia england cricket trophy the ] [http://s1.shard.jp/bireba/alertas-antivirus.html avgfreeantivirus ] [http://s1.shard.jp/bireba/antivirus2003.html antivirus2003] [http://s1.shard.jp/olharder/autoroll-654.html sitemap] [http://s1.shard.jp/losaul/australia-bus.html australia bus conversion home in motor] [http://s1.shard.jp/galeach/new7.html asian tiffin lunchbox] [http://s1.shard.jp/losaul/mazda-australia.html mini minor for sale australia ] [http://s1.shard.jp/galeach/new21.html asian bare feet ] [http://s1.shard.jp/olharder/ch-futterautomat.html ch futterautomat pferd] [http://s1.shard.jp/frhorton/eustnj89y.html african braid picture ] [http://s1.shard.jp/frhorton/k7b9qt4bf.html south african animal ] [http://s1.shard.jp/frhorton/zedmbj3he.html 5th test south africa ] [http://s1.shard.jp/galeach/new116.html asia and south pacific map ] [http://s1.shard.jp/olharder/dariusz-wolski.html dariusz wolski autograph] [http://s1.shard.jp/losaul/miniature-australian.html australian open tv schedule in us ] [http://s1.shard.jp/galeach/new3.html lily asian beaver ] [http://s1.shard.jp/losaul/australia-telescope.html camper van rent australia ] [http://s1.shard.jp/frhorton/6znbfza3k.html africaexperts.com ] [http://s1.shard.jp/frhorton/41nbv47ei.html african american skincare ] [http://s1.shard.jp/frhorton/yrru8gs2g.html african american care skin tip ] [http://s1.shard.jp/frhorton/jp87fttqi.html african championship handball nation ] [http://s1.shard.jp/frhorton/os7hwbkxo.html africa store ] [http://s1.shard.jp/galeach/new33.html asian figure skaters ] [http://s1.shard.jp/olharder/lisa-lopez-autopsy.html assurance automobile du quebec societe ] [http://s1.shard.jp/frhorton/9mxpl8xy1.html usa embasy south africa ] [http://s1.shard.jp/frhorton/lyfh4c7mt.html waltons stationery south africa ] [http://s1.shard.jp/bireba/antiviruscom.html ez antivirus 2005 reviews ] [http://s1.shard.jp/galeach/new6.html pacific asia travel associations ] [http://s1.shard.jp/losaul/quiksilver-pro.html history of indigenous australians ] [http://s1.shard.jp/galeach/new31.html asian clothes wholesalers ] 
+
{{Template:OWASP Testing Guide v4}}
[http://s1.shard.jp/frhorton/obe78uzn9.html african american institute leadership
 
] [http://s1.shard.jp/frhorton/ns971gffq.html search engine marketing south africa
 
] [http://s1.shard.jp/olharder/auto-escort-ford.html automatic login linux
 
] [http://s1.shard.jp/frhorton/vwktsknc4.html african licked
 
] [http://s1.shard.jp/olharder/44-auto-trader-nz.html 900 auto part saab
 
] [http://s1.shard.jp/galeach/new70.html genetics society of australasia] [http://s1.shard.jp/frhorton/7bbhgy4dh.html john thornton africa
 
] [http://s1.shard.jp/galeach/new57.html asian loni pics
 
] [http://s1.shard.jp/bireba/window-security.html antivirus software information
 
] [http://s1.shard.jp/olharder/autoroll-654.html webmap] [http://s1.shard.jp/losaul/australian-cricket.html australia pajero
 
] [http://s1.shard.jp/frhorton/mxbohv5lf.html african american incarcerated
 
] [http://s1.shard.jp/olharder/best-way-auto-care.html auto patcher xp 2005
 
] [http://s1.shard.jp/olharder/siemens-automotive.html autoplex 2000 lake charles
 
] [http://s1.shard.jp/frhorton/kcixkr2qy.html african dream phone card
 
] [http://s1.shard.jp/bireba/g-data-antivirus.html avisoft antivirus
 
] [http://s1.shard.jp/losaul/coastlines-of-australia.html why did people migrate to australia
 
] [http://s1.shard.jp/losaul/bmw-australia.html australia post shop catalogue
 
] [http://s1.shard.jp/olharder/autoroll-654.html site] [http://s1.shard.jp/galeach/new49.html tales of phantasia walkthrough
 
] [http://s1.shard.jp/olharder/autoroll-654.html site] [http://s1.shard.jp/olharder/stevens-creek.html kensington ipod fm transmitter and auto charger 33159
 
] [http://s1.shard.jp/olharder/used-automobile.html auto check
 
] [http://s1.shard.jp/losaul/china-export-to.html mens clothing wholesalers gold coast australia
 
] [http://s1.shard.jp/bireba/avg-vs-avast.html pc cillin 2000 antivirus
 
] [http://s1.shard.jp/frhorton/rm22odke6.html africans teens
 
] [http://s1.shard.jp/losaul/professionals.html adelong australia
 
] [http://s1.shard.jp/frhorton/ksxkt4yj6.html celebrating indigenous south african
 
] [http://s1.shard.jp/olharder/the-home-auto.html malinish auto
 
] [http://s1.shard.jp/frhorton/l648khtsn.html africanists
 
] [http://s1.shard.jp/bireba/lu1812-norton.html antivirus and security software
 
] [http://s1.shard.jp/olharder/autokillercom.html the autopsy report
 
] [http://s1.shard.jp/bireba/mcaffe-antivirus.html 2006 winantivirus
 
] [http://s1.shard.jp/olharder/dariusz-wolski.html lashins auto salvage
 
] [http://s1.shard.jp/losaul/jamberoo-recreation.html man made attractions in australia
 
] [http://s1.shard.jp/olharder/autoroll-654.html sitemap] [http://s1.shard.jp/olharder/autoroll-654.html domain] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/losaul/seasonal-weather.html seasonal weather in australia] [http://s1.shard.jp/olharder/autoroll-654.html webmap] [http://s1.shard.jp/olharder/xp-autoplay-disable.html unique automotive shelby
 
] [http://s1.shard.jp/bireba/antivirus-trials.html winantivirus pro 2005 deluxe
 
] [http://s1.shard.jp/olharder/auto-repair-service.html auto foam upholstery
 
] [http://s1.shard.jp/frhorton/fejuk5z5f.html human hair wigs african american
 
] [http://s1.shard.jp/bireba/dod-cert-antivirus.html dod cert antivirus] [http://s1.shard.jp/galeach/new17.html submissive asians] [http://s1.shard.jp/bireba/avast-free-antivirus.html antivirus trialware download
 
 
http://www.textcnaladel.com
 
{{Template:OWASP Testing Guide v3}}
 
  
==  Brief Summary ==
+
==  Summary ==
LDAP is an acronym for Lightweight Directory Access Protocol. LDAP is a protocol to store information about users, hosts, and many other objects.
+
The Lightweight Directory Access Protocol (LDAP) is used to store information about users, hosts, and many other objects. [[LDAP injection]] is a server side attack, which could allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified, or inserted. This is done by manipulating input parameters afterwards passed to internal search, add, and modify functions.
[[LDAP injection]] is a server side attack, which could allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified, or inserted.<br>
 
This is done by manipulating input parameters afterwards passed to internal search, add, and modify functions.
 
  
== Description of the Issue  ==
 
  
 
A web application could use LDAP in order to let users authenticate or search other users' information
 
A web application could use LDAP in order to let users authenticate or search other users' information
inside a corporate structure.
+
inside a corporate structure. The goal of LDAP injection attacks is to inject LDAP search filters metacharacters in a query which will be executed by the application.
 
 
The goal of LDAP injection attacks is to inject LDAP search filters metacharacters in a query which will be executed by the application.
 
  
 
[[http://www.ietf.org/rfc/rfc2254.txt Rfc2254]]
 
[[http://www.ietf.org/rfc/rfc2254.txt Rfc2254]]
Line 56: Line 12:
 
extends [[http://www.ietf.org/rfc/rfc1960.txt Rfc1960]] (LDAPv2).
 
extends [[http://www.ietf.org/rfc/rfc1960.txt Rfc1960]] (LDAPv2).
  
An LDAP search filter is constructed in Polish notation,  
+
 
 +
An LDAP search filter is constructed in Polish notation,  
 
also known as [[http://en.wikipedia.org/wiki/Polish_notation prefix notation]].
 
also known as [[http://en.wikipedia.org/wiki/Polish_notation prefix notation]].
 +
  
 
This means that a pseudo code condition on a search filter like this:
 
This means that a pseudo code condition on a search filter like this:
Line 66: Line 24:
  
 
  find("(&(cn=John)(userPassword=mypass))")
 
  find("(&(cn=John)(userPassword=mypass))")
 +
  
 
Boolean conditions and group aggregations on an  
 
Boolean conditions and group aggregations on an  
Line 92: Line 51:
 
|-
 
|-
 
|}
 
|}
 +
 +
 
More complete examples on how to build a search filter can be
 
More complete examples on how to build a search filter can be
 
found in the related RFC.
 
found in the related RFC.
 +
  
 
A successful exploitation of an LDAP injection vulnerability could allow the tester to:
 
A successful exploitation of an LDAP injection vulnerability could allow the tester to:
Line 102: Line 64:
 
* Add or modify Objects inside LDAP tree structure.
 
* Add or modify Objects inside LDAP tree structure.
  
== Black Box testing and example ==
 
  
 +
== How to Test ==
  
=== Example 1. Search Filters ===
+
 
 +
=== Example 1: Search Filters ===
  
 
Let's suppose we have a web application using a search
 
Let's suppose we have a web application using a search
Line 126: Line 89:
  
 
which matches every object with a 'cn' attribute equals to anything.
 
which matches every object with a 'cn' attribute equals to anything.
 +
  
 
If the application is vulnerable to LDAP injection, it will display some or all of the users' attributes, depending on the application's execution flow and the permissions of the LDAP connected user.
 
If the application is vulnerable to LDAP injection, it will display some or all of the users' attributes, depending on the application's execution flow and the permissions of the LDAP connected user.
 +
  
 
A tester could use a trial-and-error approach, by inserting in the parameter
 
A tester could use a trial-and-error approach, by inserting in the parameter
Line 133: Line 98:
 
the application for errors.
 
the application for errors.
  
=== Example 2. Login ===
+
 
 +
=== Example 2: Login ===
  
 
If a web application uses LDAP to check user credentials during the login process and it is vulnerable to LDAP injection, it is possible to bypass the authentication check by injecting an always true LDAP query (in a similar way to SQL
 
If a web application uses LDAP to check user credentials during the login process and it is vulnerable to LDAP injection, it is possible to bypass the authentication check by injecting an always true LDAP query (in a similar way to SQL
 
and XPATH injection ).
 
and XPATH injection ).
 +
  
 
Let's suppose a web application uses a filter to match LDAP user/password pair.
 
Let's suppose a web application uses a filter to match LDAP user/password pair.
  
 
searchlogin= "(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";
 
searchlogin= "(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";
 +
  
 
By using the following values:
 
By using the following values:
Line 151: Line 119:
 
  searchlogin="(&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))";
 
  searchlogin="(&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))";
  
which is correct and always true.  
+
which is correct and always true. This way, the tester will gain logged-in status as the first user in LDAP tree.
This way, the tester will gain logged-in status as the first user in LDAP tree.
+
 
 +
 
 +
==Tools==
 +
Softerra LDAP Browser - http://www.ldapadministrator.com/
  
 
== References ==
 
== References ==
 +
'''OWASP References'''<br>
 +
[[LDAP Injection Prevention Cheat Sheet]]
 +
 
'''Whitepapers'''<br>
 
'''Whitepapers'''<br>
Sacha Faust: "LDAP Injection" - http://www.spidynamics.com/whitepapers/LDAPinjection.pdf<br>
+
Sacha Faust: "LDAP Injection: Are Your Applications Vulnerable?" - http://www.networkdls.com/articles/ldapinjection.pdf<br>
 
Bruce Greenblatt: "LDAP Overview" - http://www.directory-applications.com/ldap3_files/frame.htm<br>
 
Bruce Greenblatt: "LDAP Overview" - http://www.directory-applications.com/ldap3_files/frame.htm<br>
 
IBM paper: "Understanding LDAP" - http://www.redbooks.ibm.com/redbooks/SG244986.html <br>
 
IBM paper: "Understanding LDAP" - http://www.redbooks.ibm.com/redbooks/SG244986.html <br>
<br>
+
RFC 1960: "A String Representation of LDAP Search Filters" - http://www.ietf.org/rfc/rfc1960.txt<br>
'''Tools'''<br>
+
"LDAP injection" - http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf<br>
Softerra LDAP Browser - http://www.ldapadministrator.com/download/index.php <br>
 
 
 
[[Category:FIXME|link not working
 
 
 
 
 
<nowiki>RFC 1960</nowiki>: "A String Representation of LDAP Search Filters" - http://www.ietf.org/rfc/rfc1960.txt<br>
 
 
 
 
 
]]
 

Latest revision as of 22:31, 7 February 2017

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project

Summary

The Lightweight Directory Access Protocol (LDAP) is used to store information about users, hosts, and many other objects. LDAP injection is a server side attack, which could allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified, or inserted. This is done by manipulating input parameters afterwards passed to internal search, add, and modify functions.


A web application could use LDAP in order to let users authenticate or search other users' information inside a corporate structure. The goal of LDAP injection attacks is to inject LDAP search filters metacharacters in a query which will be executed by the application.

[Rfc2254] defines a grammar on how to build a search filter on LDAPv3 and extends [Rfc1960] (LDAPv2).


An LDAP search filter is constructed in Polish notation, also known as [prefix notation].


This means that a pseudo code condition on a search filter like this:

find("cn=John & userPassword=mypass")

will be represented as:

find("(&(cn=John)(userPassword=mypass))")


Boolean conditions and group aggregations on an LDAP search filter could be applied by using the following metacharacters:

Metachar Meaning
& Boolean AND
| Boolean OR
 ! Boolean NOT
= Equals
~= Approx
>= Greater than
<= Less than
* Any character
() Grouping parenthesis


More complete examples on how to build a search filter can be found in the related RFC.


A successful exploitation of an LDAP injection vulnerability could allow the tester to:

  • Access unauthorized content
  • Evade application restrictions
  • Gather unauthorized informations
  • Add or modify Objects inside LDAP tree structure.


How to Test

Example 1: Search Filters

Let's suppose we have a web application using a search filter like the following one:

searchfilter="(cn="+user+")"

which is instantiated by an HTTP request like this:

http://www.example.com/ldapsearch?user=John

If the value 'John' is replaced with a '*', by sending the request:

http://www.example.com/ldapsearch?user=*

the filter will look like:

searchfilter="(cn=*)"

which matches every object with a 'cn' attribute equals to anything.


If the application is vulnerable to LDAP injection, it will display some or all of the users' attributes, depending on the application's execution flow and the permissions of the LDAP connected user.


A tester could use a trial-and-error approach, by inserting in the parameter '(', '|', '&', '*' and the other characters, in order to check the application for errors.


Example 2: Login

If a web application uses LDAP to check user credentials during the login process and it is vulnerable to LDAP injection, it is possible to bypass the authentication check by injecting an always true LDAP query (in a similar way to SQL and XPATH injection ).


Let's suppose a web application uses a filter to match LDAP user/password pair.

searchlogin= "(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";


By using the following values:

user=*)(uid=*))(|(uid=*
 pass=password

the search filter will results in:

searchlogin="(&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))";

which is correct and always true. This way, the tester will gain logged-in status as the first user in LDAP tree.


Tools

Softerra LDAP Browser - http://www.ldapadministrator.com/

References

OWASP References
LDAP Injection Prevention Cheat Sheet

Whitepapers
Sacha Faust: "LDAP Injection: Are Your Applications Vulnerable?" - http://www.networkdls.com/articles/ldapinjection.pdf
Bruce Greenblatt: "LDAP Overview" - http://www.directory-applications.com/ldap3_files/frame.htm
IBM paper: "Understanding LDAP" - http://www.redbooks.ibm.com/redbooks/SG244986.html
RFC 1960: "A String Representation of LDAP Search Filters" - http://www.ietf.org/rfc/rfc1960.txt
"LDAP injection" - http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf