Analysis: Detecting LDAP injections

By

Centralised location for authentication is good, but there's problems in implementation.

Analysis: Detecting LDAP injections

It all started to go wrong when web applications started to replace internal desktop applications.

One manager in one of the many companies around the globe proposed: "We should authenticate access to this application using our Active Directory!" and after some minutes, a developer wrote a piece of code that looked like:

 

String ldap_search_query = "(&(user=" + username + ")(password=" + pwd + "))";   

LDAPCursor ldap_result_cursor = ldapQuery( ldap_search_query );

The idea of having a centralised location for authenticating users is actually very good; but as usual the problem lies within the implementation.

For LDAP injections - which are very similar in nature to SQL injections - the issue is that the developer is creating an LDAP query by concatenating user controlled variables like "username" and "pwd" with fixed strings like "(&(user=".

This results in the user being able to partially control the LDAP query that's being executed on the backend server, thus controlling the result, and finally (in some cases) the application's execution flow.

Let's see what happens when a regular user logs in to the web application:

  • User browses to http://web-app/login.aspx
  • User enters his credentials, username:andres / password:foobar
  • The web application concatenates the input variables with the fixed strings and sends (&(user=andres)(password=foobar)) to the LDAP server
  • LDAP server will return the expected info and execution continues as the developer intended

But intruders may try the following:

  • Intruder browses to http://web-app/login.aspx
  • Intruder wants to impersonate "andres", so they enters the following information, username:andres)(&) / password: notimportant
  • The web application concatenates the input variables with the fixed strings and sends (&(user=andres)(&))(password=notimportant))
  • The LDAP server is now going to execute a completely different query, which will allow the intruder to bypass the login and impersonate the user

A couple of important notes to keep in mind are that this type of vulnerability can affect any web application, disregarding which language it was written in and which LDAP backend it uses.

The following is an example of what's shown in the Rapid7 NeXpose web user interface when an LDAP injection is found, including the vulnerable script and parameter:

 

This blog originally appeared at Rapid7.

 

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
analysisdata breachsecurity

Sponsored Whitepapers

Wasabi Reveals Hidden Costs and Cloud Storage Shifts in ANZ for 2025
Wasabi Reveals Hidden Costs and Cloud Storage Shifts in ANZ for 2025
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt

Events

Most Read Articles

Qantas facing 'significant' data theft after cyber attack

Qantas facing 'significant' data theft after cyber attack
Home Affairs officer accessed data on "friends and associates"

Home Affairs officer accessed data on "friends and associates"
Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks
International Criminal Court hit by cyber attack

International Criminal Court hit by cyber attack
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?