AttackFlow Findings Dictionary


LDAP Resource Injection

An attacker can inject unauthorized partial LDAP connection strings and manipulate LDAP queries, leading to information theft or denial of service attacks.

Severity: Medium

Fix Cost: Low

Trust Level: High

LDAP (Lightweight Directory Access Protocol) is a directory service protocol that provides a mechanism to search and manipulate Internet directories. Its common use is to provide central storage for corporate user and asset information, such as usernames and passwords.

For example, intranet portals commonly provide interfaces that let users search their colleagues' data by supplying certain search keywords, such as email addresses or names.

Suppose the backend code is similar to the following snippet:

    using System.DirectoryServices;

    try
    {
        // The untrusted form field is concatenated straight into the LDAP path
        DirectoryEntry entry = new DirectoryEntry("LDAP://myintra.corp:389/" + input.Text + "/");
        entry.AuthenticationType = AuthenticationTypes.SecureSocketsLayer;
        DirectorySearcher searcher = new DirectorySearcher(entry, filter);
        …

Since the LDAP URL is formed using untrusted input, malicious users may manipulate the connection string and cause both denial of service and privilege escalation issues.

Every injection attack occurs because code and untrusted data are mixed together. As developers, we are rarely given secure APIs that keep these two (code and data) apart until runtime. In the above code, mixing the data (the name coming from the user) with the code (the partial LDAP connection string in the program) results in LDAP resource injection. The attacker can potentially manipulate the LDAP connection string or filter and access information that they could not access otherwise.

The same finding appears in Java, where the search base DN is built from an untrusted request parameter:

    import javax.naming.NamingEnumeration;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchResult;

    // The "company" request parameter is concatenated straight into the search base DN
    String searchBase = "ou=people," + request.getParameter("company") + ",dc=com";
    DirContext ctx = new InitialDirContext(env);
    NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
    ...

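As an added example (not code from this page or from AttackFlow), a hardened Java counterpart to both snippets above: the company parameter is checked against an allow-list and escaped per RFC 4514 before it becomes part of the search base DN, so the input is only ever treated as data. The class name, the allow-list values and the fixed `o=` RDN are assumptions.

```java
import java.util.Set;

public class LdapSearchBaseHardening {
    // Constructed allow-list of company entries this portal may search (assumption).
    static final Set<String> KNOWN_COMPANIES = Set.of("acme", "globex");

    // Escapes one attribute value for use inside a DN (RFC 4514, section 2.4),
    // so that it can never add or terminate an RDN.
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() * 2);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean special = ",+\"\\<>;".indexOf(c) >= 0
                    || (c == '#' && i == 0)
                    || (c == ' ' && (i == 0 || i == value.length() - 1));
            if (c == '\0') {
                sb.append("\\00");
            } else if (special) {
                sb.append('\\').append(c);
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Same shape as the snippet above: the raw parameter becomes part of the DN (code).
    static String unsafeSearchBase(String company) {
        return "ou=people," + company + ",dc=com";
    }

    // Hardened shape: the parameter stays data. It must name a known company and is
    // escaped into a fixed "o=" RDN; the escaping is what protects free-form values.
    static String safeSearchBase(String company) {
        if (!KNOWN_COMPANIES.contains(company)) {
            throw new IllegalArgumentException("unknown company: " + company);
        }
        return "ou=people,o=" + escapeDnValue(company) + ",dc=com";
    }

    public static void main(String[] args) {
        // Constructed request parameters: an expected value and one carrying extra RDNs.
        String benign = "acme";
        String tampered = "o=acme,ou=other";
        System.out.println("unsafe: " + unsafeSearchBase(tampered));
        System.out.println("safe:   " + safeSearchBase(benign));
        try {
            safeSearchBase(tampered);
        } catch (IllegalArgumentException e) {
            System.out.println("safe:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same separation applies to the C# snippet: validate the form field against the set of expected directory entries instead of splicing it into the LDAP URL.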
