Ldap Injection

The document discusses LDAP injection attacks against web applications. LDAP is a protocol for querying and modifying directory services running over TCP/IP. LDAP injection occurs when user-supplied input is not sanitized before being used to construct LDAP queries. This allows attackers to inject malicious code by manipulating query parameters and operators. The document covers different types of LDAP injection like AND, OR, and blind injection and provides examples. It recommends input validation and filtering special characters at the application layer to prevent LDAP injection attacks.

Uploaded by

Paul Alexandru

LDAP INJECTION

(LIGHTWEIGHT DIRECTORY
ACCESS PROTOCOL)

Cretu Paul Alexandru


CONTENTS
 Introduction
 Description
 Common LDAP environments
 LDAP Injection in Web Applications
 Testing LDAP
 AND LDAP Injection
 OR LDAP Injection
 Blind LDAP Injection
 Examples
 Securing Applications against Blind LDAP Injection & LDAP Injection attacks
INTRODUCTION
 The Lightweight Directory Access Protocol is a
protocol for querying and modifying directory
services running over TCP/IP. The most widely
used implementations of LDAP services are
Microsoft ADAM (Active Directory Application
Mode) and OpenLDAP.
DESCRIPTION
 The information is structured as a tree of directory entries, and the server provides powerful browsing and search capabilities
 LDAP is object-oriented
 LDAP is also based on the client/server model
 Search filters are built from logical operators (AND “&”, OR “|” and NOT “!”) and relational operators (=, >=, <=, ~=)
COMMON LDAP ENVIRONMENTS
 Applications and services used to require different directories (each with separate authentication) to work. For example, one directory was required for the domain, a separate directory for mailboxes and distribution lists, and further directories for remote access, databases or web applications.
LDAP INJECTION IN WEB APPLICATIONS
 LDAP injection attacks are based on techniques similar to SQL injection attacks. The underlying concept is to take advantage of the parameters supplied by the user to generate the LDAP query. A secure Web application should sanitize the user-supplied parameters before constructing and sending the query to the server. In a vulnerable environment these parameters are not properly filtered and the attacker can inject malicious code.
TESTING LDAP
 The typical test to find out whether an application is vulnerable to code injection consists of sending the server a query that generates an invalid input. If the server returns an error message, it is clear to the attacker that the server has executed the query and that code injection techniques can be exploited. Two kinds of environments can be distinguished: AND injection environments and OR injection environments.
AND LDAP INJECTION
 The normal form of the filter:
(&(parameter1=value1)(parameter2=value2))
 Injecting into the USER parameter yields, for example:
(&(USER=slisberger)(&))(PASSWORD=Pwd))
OR LDAP INJECTION
 The normal form of the filter:
(|(parameter1=value1)(parameter2=value2))
 For example:
(|(type=printer)(type=scanner))
 If the attacker enters Rsc1=printer)(uid=*), the following query is sent to the server:
(|(type=printer)(uid=*))(type=scanner))
 The LDAP server responds with all the printer and user objects.
BLIND LDAP INJECTION
 Suppose that the application does not show error messages, but the attacker can still infer from the server's responses whether the code injected into the LDAP filter produced a valid response (true result) or an error (false result). The attacker could use this behavior to ask the server true or false questions. These types of attacks are named “Blind Attacks”. Blind LDAP Injection attacks are slower than classic ones, but they can be implemented easily, since they are based on binary logic, and they let the attacker extract information from the LDAP Directory.
EXAMPLES
 (&(objectClass=printer)(type=Epson*))

 (&(objectClass=*)(objectClass=*))(&(objectClass=void)(type=Epson*))

 (|(objectClass=void)(objectClass=void))(&(objectClass=void)(type=Epson*))
SECURING APPLICATIONS AGAINST
BLIND LDAP INJECTION & LDAP INJECTION ATTACKS

 Mechanisms used to prevent code injection techniques include defensive programming, sophisticated input validation, dynamic checks and static source code analysis. The work on mitigating LDAP injections must involve similar techniques.
 In conclusion, we see that parentheses, asterisks, logical (AND “&”, OR “|” and NOT “!”) and relational (=, >=, <=, ~=) operators must be filtered at the application layer.
 Whenever possible, values used to construct the LDAP search filter must be checked against a list of valid values in the Application Layer before sending the query to the LDAP server.
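The two recommendations above, filtering the metacharacters and checking values against a list of valid ones, can be combined into a single application-layer validation step. The following is an added example, not code from the presentation or the referenced whitepaper: each request parameter is looked up in a rule table (a hypothetical one, with `type` limited to an allowlist of exact values and `uid` limited to a regular-expression shape), any value containing the characters the slides say must be filtered is rejected, and anything outside the allowlist is rejected. The constructed sample requests include the payloads from the slides so the outcome of each rule is visible.

```python
import re

# Added example (not from the presentation): application-layer validation of
# values before they are placed in an LDAP search filter.

# Characters the slides say must be filtered: parentheses, asterisk, the logical
# operators & | ! and the relational operators = >= <= ~=. Backslash and NUL are
# included as well because they have special meaning in filter encoding.
FORBIDDEN_CHARS = frozenset("()*&|!=<>~\\\x00")


class InvalidLdapValue(ValueError):
    """Raised when a user-supplied value must not reach the LDAP server."""


def reject_metacharacters(name: str, value: str) -> str:
    """First rule: no filter metacharacter or operator may appear in a value."""
    bad = sorted({ch for ch in value if ch in FORBIDDEN_CHARS})
    if bad:
        raise InvalidLdapValue(f"{name}: forbidden characters {bad!r}")
    return value


# Hypothetical rule table for this example. A frozenset is an allowlist of
# exact values; a compiled regex is a shape check for free-form values.
RULES = {
    "type": frozenset({"printer", "scanner"}),
    "uid": re.compile(r"^[a-z][a-z0-9.]{0,31}$"),
}


def validate_param(name: str, value: str) -> str:
    """Second rule: the parameter must be known and its value must be permitted."""
    rule = RULES.get(name)
    if rule is None:
        raise InvalidLdapValue(f"{name}: parameter not permitted in a filter")
    reject_metacharacters(name, value)
    if isinstance(rule, frozenset):
        if value not in rule:
            raise InvalidLdapValue(f"{name}: {value!r} is not an allowed value")
    elif not rule.match(value):
        raise InvalidLdapValue(f"{name}: {value!r} does not match the expected shape")
    return value


def validate_params(params: dict) -> dict:
    """Validate every parameter of a request; raises on the first bad value."""
    return {name: validate_param(name, value) for name, value in params.items()}


def is_accepted(params: dict) -> bool:
    """True when the whole request may be used to build a filter."""
    try:
        validate_params(params)
        return True
    except InvalidLdapValue:
        return False


# Constructed sample requests: the first and last are legitimate, the middle
# ones carry the injection payloads from the slides or a value outside the list.
SAMPLE_REQUESTS = [
    {"type": "printer"},
    {"type": "printer)(uid=*)"},
    {"uid": "slisberger)(&))"},
    {"type": "camera"},
    {"uid": "slisberger"},
]


def triage(requests) -> list:
    """Pair each request with its accept/reject decision."""
    return [(req, is_accepted(req)) for req in requests]


if __name__ == "__main__":
    for req, ok in triage(SAMPLE_REQUESTS):
        print("ACCEPT" if ok else "REJECT", req)
```

The allowlist rule alone would already stop the `type` payloads, and the metacharacter rule alone would already stop the `uid` payload; keeping both gives defence in depth for parameters whose legal values cannot be enumerated, and rejecting unknown parameter names keeps the set of attributes that can reach the directory under the application's control.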
REFERENCES
 http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
