LDAP Injection




LDAP (Lightweight Directory Access Protocol) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism to connect to, search, and modify Internet directories.
The LDAP directory service is based on a client-server model. In Microsoft's words, the function of LDAP is to enable access to an existing directory.

The major operations that can be performed with LDAP:

  • Add : add new data.
  • Bind : authenticate (use LDAPS over port 636, not plain LDAP over port 389).
  • Delete : delete data.
  • Search and Compare : look up and compare entries.
  • Unbind : close the connection.
LDAP injection is similar in principle to SQL injection. The main objective of LDAP injection is to exploit a web application vulnerability in order to exfiltrate users' login names as well as other user information. This is an important step prior to a privilege escalation attack.
Let us suppose that the company ABC has an application called Rocky :). The IT team has integrated the Rocky app with the existing AD through LDAP, allowing internal users to access the application with their AD login names. The problem is that the developers did not pay attention to code quality and did not sanitize the username field, which led to an LDAP injection vulnerability.

Simple example of LDAP injection:
  • Original query: https://www.Rocky.ABC.com/loginsearch.aspx?name=Mubarak
  • Injected query: https://www.Rocky.ABC.com/loginsearch.aspx?name=*
If the Rocky application has an LDAP injection vulnerability, the wildcard matches every entry and the page displays all users' attributes, limited only by the permissions of the LDAP account the application binds with.

Attackers mostly use a trial-and-error approach to reach the right query, using the following LDAP filter operators:
  • & = Boolean AND
  • | = Boolean OR
  • ! = Boolean NOT
  • = : equals
  • ~= : approximate match
  • >= : greater than or equal
  • <= : less than or equal
  • * = wildcard (any characters)
  • () = grouping parentheses

Prevention :

You can refer to OWASP for the primary defenses against LDAP injection. Please see the latest LDAP Injection Prevention Cheat Sheet at the URL below:

https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html
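The injected `name=*` lookup above and the OWASP advice to escape user input before building a filter, shown side by side as an added example (not code from the original post or from the Rocky application). It assumes the login search builds an RFC 4515 search filter on the `sAMAccountName` attribute; the function names are my own.

```python
# Added example: the Rocky login search filter built the vulnerable way and the escaped way.
# Assumption: the lookup is an RFC 4515 filter on sAMAccountName (attribute name is assumed).

# RFC 4515 section 3: characters that must be escaped inside a filter *value*.
_FILTER_ESCAPES = {
    "\\": r"\5c",    # backslash first, so escaped output is never re-escaped
    "*": r"\2a",     # wildcard -> literal asterisk
    "(": r"\28",     # grouping parentheses -> literal characters
    ")": r"\29",
    "\x00": r"\00",  # NUL terminator
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever be an exact-match literal."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(name: str) -> str:
    """String concatenation: the query-string value lands inside the filter unchanged."""
    return f"(&(objectClass=user)(sAMAccountName={name}))"


def build_filter_safe(name: str) -> str:
    """Same filter, but the value is escaped so '*' and '()' lose their meaning."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(name)}))"


def looks_like_filter_injection(name: str) -> bool:
    """Detection helper for request logs: flag usernames carrying filter metacharacters."""
    return any(ch in name for ch in "*()\\\x00")


if __name__ == "__main__":
    # Constructed inputs: the legitimate lookup from the post and the injected wildcard.
    for user_input in ("Mubarak", "*"):
        print(f"input={user_input!r}")
        print("  vulnerable:", build_filter_vulnerable(user_input))
        print("  safe      :", build_filter_safe(user_input))
        print("  flagged   :", looks_like_filter_injection(user_input))
```

With `name=*` the vulnerable filter becomes `(sAMAccountName=*)` and matches every user, while the escaped filter `(sAMAccountName=\2a)` only matches an account literally named `*`.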



