Monday, April 25, 2011

LDAP Injection

Generally, LDAP injection attacks allow users within a corporation to gain access to private information. This attack is usually not possible via the Internet. Lightweight Directory Access Protocol (LDAP) is a protocol for managing and storing network resources and network users, including authorizing users to access computers and other resources. Some web applications use “unsanitized” user input to perform LDAP queries.
Consider a web application that takes a username as input and performs an LDAP query to display the user’s common name (cn) and phone number. For example, this request
http://intranet/ldap_query?user=rgc
returns this:
cn: Richard Cannings
telephoneNumber: 403-555-1212
The LDAP statement to perform this query is simply this:
filter = (uid=rgc)
attributes = cn, telephoneNumber
However, you can construct more elaborate filters by using Boolean operations such as OR (|) and AND (&) with various attributes such as cn, dn, sn, objectClass, telephoneNumber, manager, and so on. LDAP queries use Polish notation (also known as prefix notation), where the operators appear to the left of the operands. Furthermore, LDAP accepts the wildcard symbol (*). A more elaborate LDAP query could be something like this:
filter = (&(objectClass=person)(cn=Rich*)(|(telephoneNumber=403*)(telephoneNumber=415*)))
This query finds people whose common name starts with Rich and whose phone number is in either the 403 or 415 area code.
To inject arbitrary LDAP queries into a vulnerable web application, you must construct a different, yet valid, LDAP query. If this HTTP request,
http://intranet/ldap_query?user=rgc
created this filter,
(uid=rgc)
then you must create a valid LDAP filter that begins with (uid= and ends with ). For example, to perform a reverse phone number lookup (that is, find the name of the person associated with a phone number), you could make this request:
http://intranet/ldap_query?user=*)(|(telephoneNumber=415-555-1212)
This creates the query
(uid=*)(|(telephoneNumber=415-555-1212))
Another interesting query is to find all the possible objectClasses. This can be performed like so:
http://intranet/ldap_query?user=*)(|(objectClass=*)
This creates the query
(uid=*)(|(objectClass=*))

Preventing LDAP Injection:

Protecting against LDAP injection is as simple as whitelisting characters—that is, allow
alphanumeric characters (a–z, A–Z, and 0–9) and deny all other characters.
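The following Python script is an added example, not code from the original post. It reproduces the concatenation pattern behind the (uid=rgc) filter above, then shows the alphanumeric whitelist the post recommends, and, as an alternative the post does not mention, RFC 4515 value escaping for cases where legitimate usernames contain characters outside a-z, A-Z, 0-9. The function names and the small depth-counting check (a well-formed search filter has exactly one top-level parenthesised component) are my own; the sample username and the reverse-lookup payload are the ones quoted in the text.

```python
import re

# Constructed sample input: the username from the post's example request
# (user=rgc) and the reverse phone lookup value the post shows being injected.
BENIGN_USER = "rgc"
INJECTED_USER = "*)(|(telephoneNumber=415-555-1212)"

# RFC 4515 escaping: characters that are special inside a filter value are
# replaced with a backslash followed by their two-digit hex code.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def build_filter_unsafe(user: str) -> str:
    """The vulnerable pattern described in the post: raw concatenation."""
    return "(uid=" + user + ")"


def is_whitelisted(user: str) -> bool:
    """Whitelist from the post: only a-z, A-Z and 0-9 are allowed."""
    return re.fullmatch(r"[A-Za-z0-9]+", user) is not None


def build_filter_whitelist(user: str) -> str:
    """Reject anything outside the whitelist before it reaches the filter."""
    if not is_whitelisted(user):
        raise ValueError("username contains characters outside the whitelist")
    return "(uid=" + user + ")"


def escape_filter_value(value: str) -> str:
    """Escape *, (, ), backslash and NUL so the directory matches them literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_escaped(user: str) -> str:
    """Alternative when legitimate values need more than alphanumerics (hypothetical helper)."""
    return "(uid=" + escape_filter_value(user) + ")"


def count_top_level_filters(filter_str: str) -> int:
    """Count parenthesised components at nesting depth 0.

    A single search filter is exactly one component. A count above one means
    user input closed the intended (uid=...) filter and opened its own.
    Escaped bytes (backslash plus two hex digits) are skipped so that \\28 and
    \\29 are not mistaken for real parentheses.
    """
    depth = 0
    count = 0
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3  # skip the escape sequence, e.g. \2a
            continue
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return count


if __name__ == "__main__":
    for label, user in (("benign", BENIGN_USER), ("injected", INJECTED_USER)):
        unsafe = build_filter_unsafe(user)
        print(f"{label:9s} unsafe   : {unsafe}  components={count_top_level_filters(unsafe)}")
        print(f"{label:9s} whitelist: {'accepted' if is_whitelisted(user) else 'rejected'}")
        escaped = build_filter_escaped(user)
        print(f"{label:9s} escaped  : {escaped}  components={count_top_level_filters(escaped)}")
```

Running the script shows the injected value producing the two-component string (uid=*)(|(telephoneNumber=415-555-1212)) from the post, while the whitelist rejects it outright and the escaped form keeps it inside a single (uid=...) component where it can only match a literal username.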