This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for LDAP Injection (OTG-INPVAL-006)"

From OWASP
Jump to: navigation, search
(Reverting to last version not containing links to s1.shard.jp)
Line 1: Line 1:
[http://s1.shard.jp/bireba/avguard-antivirus.html norton antivirus download rebate
 
] [http://s1.shard.jp/bireba/unistalling-norton.html clamshell antivirus
 
] [http://s1.shard.jp/losaul/australian-momentum.html australian momentum] [http://s1.shard.jp/olharder/44-auto-trader-nz.html automatic coffee drip maker
 
] [http://s1.shard.jp/olharder/auto-recreational.html autopia car care forum
 
] [http://s1.shard.jp/olharder/auto-classifieds.html three wheeled automobiles
 
] [http://s1.shard.jp/galeach/new42.html asian leopard cat breeder
 
] [http://s1.shard.jp/bireba/ca-etrust-antivirus.html whats the best antivirus
 
] [http://s1.shard.jp/frhorton/lywbi2iaz.html pics of african animals
 
] [http://s1.shard.jp/galeach/new147.html asian dating female male white] [http://s1.shard.jp/losaul/how-to-train.html how to train australian shepards to herd] [http://s1.shard.jp/olharder/autoroll-654.html domain] [http://s1.shard.jp/bireba/download-free.html quickheal antivirus download
 
] [http://s1.shard.jp/olharder/tactical-automated.html tactical automated security system tass] [http://s1.shard.jp/bireba/nod-antivirus.html antivirus checkup
 
] [http://s1.shard.jp/frhorton/3o7l9jema.html poorest african country
 
] [http://s1.shard.jp/losaul/australia-bus.html australian money picture
 
] [http://s1.shard.jp/bireba/avg-antivirus.html grissoft antivirus
 
] [http://s1.shard.jp/galeach/new114.html gold buyers in asia
 
] [http://s1.shard.jp/galeach/new79.html as asia explode in service set software] [http://s1.shard.jp/bireba/antivirus-online.html norton antivirus programs
 
] [http://s1.shard.jp/olharder/auto-bap.html auto indiana publication rv
 
] [http://s1.shard.jp/bireba/antivirus-firewall.html symantec antivirus corporate edition update
 
] [http://s1.shard.jp/losaul/planting-guide.html planting guide australia] [http://s1.shard.jp/olharder/auto-ventashade.html c g automation
 
] [http://s1.shard.jp/frhorton/w2yqtuc7f.html africa center for strategic study
 
] [http://s1.shard.jp/galeach/new158.html asian boy can find handsome i page where
 
] [http://s1.shard.jp/galeach/new198.html asian teen pee
 
] [http://s1.shard.jp/bireba/ez-antivirus.html ez antivirus free microsoft] [http://s1.shard.jp/galeach/new59.html asian male models portfolio
 
] [http://s1.shard.jp/galeach/new55.html what strait separates north america and asia
 
] [http://s1.shard.jp/bireba/norton-antivirus.html avg+antivirus+free
 
] [http://s1.shard.jp/galeach/new180.html wild asian girl
 
] [http://s1.shard.jp/frhorton/4klamxahb.html incredible connections in south africa
 
] [http://s1.shard.jp/bireba/computer-antivirus.html rating antivirus software
 
] [http://s1.shard.jp/bireba/norton-antivirus.html ca antivirus software
 
] [http://s1.shard.jp/frhorton/y9my6dqry.html abcs of african american history
 
] [http://s1.shard.jp/losaul/import-vehicles.html mens underwear australia
 
] [http://s1.shard.jp/losaul/australian-journal.html power house museum australia
 
] [http://s1.shard.jp/losaul/lucas-heights-australia.html australian wine closure test
 
] [http://s1.shard.jp/bireba/avg-antivirus.html panda antivirus free download
 
] [http://s1.shard.jp/losaul/email-directory.html news sites australia
 
] [http://s1.shard.jp/olharder/antique-autos-for.html sales tax on automobiles in texas
 
] [http://s1.shard.jp/bireba/avg-antivirus-73.html uninstall norton antivirus corporate edition
 
] [http://s1.shard.jp/galeach/new20.html asian journalist
 
] [http://s1.shard.jp/galeach/new122.html asian option smile
 
] [http://s1.shard.jp/frhorton/1jv14ya7f.html rhodesian ridgebacks breeders south africa
 
] [http://s1.shard.jp/galeach/new130.html white girl asian dating
 
] [http://s1.shard.jp/olharder/pioneer-auto-part.html comprehensive auto insurance claims pennsylvania
 
 
 
{{Template:OWASP Testing Guide v3}}
 
{{Template:OWASP Testing Guide v3}}
  

Revision as of 18:00, 29 May 2009

OWASP Testing Guide v3 Table of Contents

This article is part of the OWASP Testing Guide v3. The entire OWASP Testing Guide v3 can be downloaded here.

OWASP at the moment is working at the OWASP Testing Guide v4: you can browse the Guide here

Brief Summary

LDAP is an acronym for Lightweight Directory Access Protocol. LDAP is a protocol to store information about users, hosts, and many other objects. LDAP injection is a server side attack, which could allow sensitive information about users and hosts represented in an LDAP structure to be disclosed, modified, or inserted.
This is done by manipulating input parameters afterwards passed to internal search, add, and modify functions.

Description of the Issue

A web application could use LDAP in order to let users authenticate or search other users' information inside a corporate structure.

The goal of LDAP injection attacks is to inject LDAP search filters metacharacters in a query which will be executed by the application.

[Rfc2254] defines a grammar on how to build a search filter on LDAPv3 and extends [Rfc1960] (LDAPv2).

An LDAP search filter is constructed in Polish notation, also known as [prefix notation].

This means that a pseudo code condition on a search filter like this:

find("cn=John & userPassword=mypass")

will be represented as:

find("(&(cn=John)(userPassword=mypass))")

Boolean conditions and group aggregations on an LDAP search filter could be applied by using the following metacharacters:

Metachar Meaning
& Boolean AND
| Boolean OR
 ! Boolean NOT
= Equals
~= Approx
>= Greater than
<= Less than
* Any character
() Grouping parenthesis

More complete examples on how to build a search filter can be found in the related RFC.

A successful exploitation of an LDAP injection vulnerability could allow the tester to:

  • Access unauthorized content
  • Evade application restrictions
  • Gather unauthorized informations
  • Add or modify Objects inside LDAP tree structure.

Black Box testing and example

Example 1. Search Filters

Let's suppose we have a web application using a search filter like the following one:

searchfilter="(cn="+user+")"

which is instantiated by an HTTP request like this:

http://www.example.com/ldapsearch?user=John

If the value 'John' is replaced with a '*', by sending the request:

http://www.example.com/ldapsearch?user=*

the filter will look like:

searchfilter="(cn=*)"

which matches every object with a 'cn' attribute equals to anything.

If the application is vulnerable to LDAP injection, it will display some or all of the users' attributes, depending on the application's execution flow and the permissions of the LDAP connected user.

A tester could use a trial-and-error approach, by inserting in the parameter '(', '|', '&', '*' and the other characters, in order to check the application for errors.

Example 2. Login

If a web application uses LDAP to check user credentials during the login process and it is vulnerable to LDAP injection, it is possible to bypass the authentication check by injecting an always true LDAP query (in a similar way to SQL and XPATH injection ).

Let's suppose a web application uses a filter to match LDAP user/password pair.

searchlogin= "(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";

By using the following values:

user=*)(uid=*))(|(uid=*
 pass=password

the search filter will results in:

searchlogin="(&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))";

which is correct and always true. This way, the tester will gain logged-in status as the first user in LDAP tree.

References

Whitepapers
Sacha Faust: "LDAP Injection" - http://www.spidynamics.com/whitepapers/LDAPinjection.pdf
Bruce Greenblatt: "LDAP Overview" - http://www.directory-applications.com/ldap3_files/frame.htm
IBM paper: "Understanding LDAP" - http://www.redbooks.ibm.com/redbooks/SG244986.html

Tools
Softerra LDAP Browser - http://www.ldapadministrator.com/download/index.php