This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "LDAP injection"
From OWASP
m (→Related Threats) |
|||
| Line 2: | Line 2: | ||
==Description== | ==Description== | ||
| − | |||
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary command such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. | LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary command such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. | ||
The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection. | The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection. | ||
| + | ==Severity== | ||
| + | Medium to High | ||
| + | ==Likelihood of exploitation== | ||
| + | Very High | ||
==Examples == | ==Examples == | ||
===Example 1=== | ===Example 1=== | ||
| − | |||
| − | |||
In a page with a user search form, the following code is responsible to catch input value and generate a LDAP query that will be used in LDAP database. | In a page with a user search form, the following code is responsible to catch input value and generate a LDAP query that will be used in LDAP database. | ||
<input type="text" size=20 name="userName">Insert the username</input> | <input type="text" size=20 name="userName">Insert the username</input> | ||
| − | |||
The LDAP query is narrowed down for performance and the underlying code for this function might be the following: | The LDAP query is narrowed down for performance and the underlying code for this function might be the following: | ||
String ldapSearchQuery = "(cn=" + $userName + ")"; | String ldapSearchQuery = "(cn=" + $userName + ")"; | ||
System.out.println(ldapSearchQuery); | System.out.println(ldapSearchQuery); | ||
| − | |||
Case the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows: | Case the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows: | ||
| Line 27: | Line 26: | ||
*If a user puts “jonys) (| (password = * ) )”, it will generate the code bellow revealing jonys’ password | *If a user puts “jonys) (| (password = * ) )”, it will generate the code bellow revealing jonys’ password | ||
( cn = jonys ) ( | (password = * ) ) | ( cn = jonys ) ( | (password = * ) ) | ||
| − | |||
===Example 2=== | ===Example 2=== | ||
| − | |||
The following vulnerable code is used in an ASP web application which provides login with LDAP data base. | The following vulnerable code is used in an ASP web application which provides login with LDAP data base. | ||
On line 11, the variable userName is initialized and validated to check if it’s not in blank. Then, the content of this variable is used to construct a LDAP query used by SearchFilter on line 28. The attacker has the chance specify what will be queried on LDAP server, and see the result on the line 33 to 41, are all results and their attributes are displayed. | On line 11, the variable userName is initialized and validated to check if it’s not in blank. Then, the content of this variable is used to construct a LDAP query used by SearchFilter on line 28. The attacker has the chance specify what will be queried on LDAP server, and see the result on the line 33 to 41, are all results and their attributes are displayed. | ||
| − | |||
Commented vulnerable asp code: | Commented vulnerable asp code: | ||
| Line 83: | Line 79: | ||
45. </html> </nowiki> | 45. </html> </nowiki> | ||
| − | |||
| − | |||
In the example above, we send the * character in the user parameter which will result in the filter variable in the code to be initialized with (uid=*). The resulting LDAP statement will make the server return any object that contains a uid attribute like username. | In the example above, we send the * character in the user parameter which will result in the filter variable in the code to be initialized with (uid=*). The resulting LDAP statement will make the server return any object that contains a uid attribute like username. | ||
| − | |||
<nowiki> http://www.some-site.org/index.asp?user=* </nowiki> | <nowiki> http://www.some-site.org/index.asp?user=* </nowiki> | ||
| − | |||
| − | |||
==References== | ==References== | ||
| − | |||
*http://www.ietf.org/rfc/rfc1960.txt A String Representation of LDAP Search Filters (RFC1960) | *http://www.ietf.org/rfc/rfc1960.txt A String Representation of LDAP Search Filters (RFC1960) | ||
*http://www.redbooks.ibm.com/redbooks/SG244986.html IBM RedBooks - Understanding LDAP | *http://www.redbooks.ibm.com/redbooks/SG244986.html IBM RedBooks - Understanding LDAP | ||
*http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml | *http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml | ||
| − | |||
==Related Threats== | ==Related Threats== | ||
| − | |||
[[:Category:Information Disclosure]] | [[:Category:Information Disclosure]] | ||
| Line 110: | Line 98: | ||
*[[Resource Injection]] | *[[Resource Injection]] | ||
*[[Path Manipulation]] | *[[Path Manipulation]] | ||
| − | |||
| − | |||
==Related Vulnerabilities== | ==Related Vulnerabilities== | ||
| − | |||
[[:Category:Input Validation Vulnerability]] | [[:Category:Input Validation Vulnerability]] | ||
| − | |||
| − | |||
==Related Countermeasures== | ==Related Countermeasures== | ||
| − | |||
[[:Category:Input Validation]] | [[:Category:Input Validation]] | ||
| − | |||
;Some other ways of to prevent of this attack: | ;Some other ways of to prevent of this attack: | ||
| Line 135: | Line 116: | ||
string trustedCountry = Request.Querystring(“country”) in {“BR”,“VE”,“CL”,“CO”,“UY”,“PE”,“PY”} | string trustedCountry = Request.Querystring(“country”) in {“BR”,“VE”,“CL”,“CO”,“UY”,“PE”,“PY”} | ||
| − | + | [[Category:Injection]] | |
| − | + | [[Category:Attack]] | |
| − | |||
| − | [[ | ||
Revision as of 16:53, 5 November 2007
- This is an Attack. To view all attacks, please see the Attack Category page.
Description
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary command such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.
Severity
Medium to High
Likelihood of exploitation
Very High
Examples
Example 1
In a page with a user search form, the following code is responsible to catch input value and generate a LDAP query that will be used in LDAP database.
<input type="text" size=20 name="userName">Insert the username</input>
The LDAP query is narrowed down for performance and the underlying code for this function might be the following:
String ldapSearchQuery = "(cn=" + $userName + ")"; System.out.println(ldapSearchQuery);
Case the variable $userName is not validated, it could be possible accomplish LDAP injection, as follows:
*If a user puts “*” on box search, the system may return all the usernames on the LDAP base *If a user puts “jonys) (| (password = * ) )”, it will generate the code bellow revealing jonys’ password ( cn = jonys ) ( | (password = * ) )
Example 2
The following vulnerable code is used in an ASP web application which provides login with LDAP data base. On line 11, the variable userName is initialized and validated to check if it’s not in blank. Then, the content of this variable is used to construct a LDAP query used by SearchFilter on line 28. The attacker has the chance specify what will be queried on LDAP server, and see the result on the line 33 to 41, are all results and their attributes are displayed.
Commented vulnerable asp code:
1. <html>
2. <body>
3. <%@ Language=VBScript %>
4. <%
5. Dim userName
6. Dim filter
7. Dim ldapObj
8.
9. Const LDAP_SERVER = "ldap.example"
10.
11. userName = Request.QueryString("user")
12.
13. if( userName = "" ) then
14. Response.Write("Invalid request. Please specify a valid
15. user name")
16. Response.End()
17. end if
18.
19. filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
20.
21. 'Creating the LDAP object and setting the base dn
22. Set ldapObj = Server.CreateObject("IPWorksASP.LDAP")
23. ldapObj.ServerName = LDAP_SERVER
24. ldapObj.DN = "ou=people,dc=spilab,dc=com"
25.
26. 'Setting the search filter
27. ldapObj.SearchFilter = filter
28.
29. ldapObj.Search
30.
31. 'Showing the user information
32. While ldapObj.NextResult = 1
33. Response.Write("<p>")
34.
35. Response.Write("<b><u>User information for: " +
36. ldapObj.AttrValue(0) + "</u></b><br>")
37. For i = 0 To ldapObj.AttrCount -1
38. Response.Write("<b>" + ldapObj.AttrType(i) +"</b>: " +
39. ldapObj.AttrValue(i) + "<br>" )
40. Next
41. Response.Write("</p>")
42. Wend
43. %>
44. </body>
45. </html>
In the example above, we send the * character in the user parameter which will result in the filter variable in the code to be initialized with (uid=*). The resulting LDAP statement will make the server return any object that contains a uid attribute like username.
http://www.some-site.org/index.asp?user=*
References
- http://www.ietf.org/rfc/rfc1960.txt A String Representation of LDAP Search Filters (RFC1960)
- http://www.redbooks.ibm.com/redbooks/SG244986.html IBM RedBooks - Understanding LDAP
- http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml
Related Threats
Category:Information Disclosure
Related Attacks
- Interpreter Injection
- SQL Injection
- Command Injection
- Relative Path Traversal
- Resource Injection
- Path Manipulation
Related Vulnerabilities
Category:Input Validation Vulnerability
Related Countermeasures
- Some other ways of to prevent of this attack
- Validating for the type:
int trustedUserName = Convert.ToInt32( Request.Querysrting(“username”)
- Pattern validating
string email = Regex.IsMatch( Request.Querystring( “email” ) ,” ^.+@[^\.].*\.[a-z]{2,}$ ” ).
- Domain values validation:
string trustedCountry = Request.Querystring(“country”) in {“BR”,“VE”,“CL”,“CO”,“UY”,“PE”,“PY”}
