Developping for the translation industry



 Monday, 23 November 2009

LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

The key to exploiting injection techniques with LDAP is to manipulate the filters used to search in the directory services. Using these techniques, an attacker may obtain direct access to the database underlying an LDAP tree, and thereby to important corporate information. This can be even more critical because the security of many applications and services relies on single sign-on environments based on LDAP directories.

Example

In a page with a user search form, the following field captures the input value used to generate the LDAP query that is run against the LDAP database.

 <input type="text" size="20" name="userName"> Insert the username

The LDAP query is narrowed down for performance and the underlying code for this function might be the following:

 // userName comes straight from the form field and is concatenated without validation or escaping
 String ldapSearchQuery = "(cn=" + userName + ")";
 System.out.println(ldapSearchQuery);

If the variable userName is not validated, it may be possible to accomplish LDAP injection, as follows:

  • If a user enters “*” in the search box, the system may return all the usernames in the LDAP base.
  • If a user enters “jonys) (| (password = * ) )”, it will generate the filter below, revealing jonys’ password: ( cn = jonys ) ( | (password = * ) )

How to protect against these attacks?

INPUT VALIDATION. This will never be said enough: input validation is the best way to protect against most injection-type attacks. Whitelist validation is always your best bet. The idea is that you should check that the data is one of a set of tightly constrained known good values. For example, for the username field above, the input should accept only alphanumeric characters.
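
The following Java sketch is an added example, not code from the original post. It places the vulnerable concatenation shown above beside a whitelist-validated version and runs both on the two inputs from the example. The class and method names, the 64-character length limit, and the extra RFC 4515 escaping step (a second layer beyond the whitelist the post recommends) are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class LdapFilterDemo {
    // Whitelist from the post: alphanumeric only. The 1-64 length bound is an assumption.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9]{1,64}$");

    // The post's vulnerable construction, kept unchanged for comparison.
    static String unsafeFilter(String userName) {
        return "(cn=" + userName + ")";
    }

    // Escape the characters RFC 4515 reserves inside a filter value.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Validate against the whitelist first, then escape anyway as a second layer.
    static String safeFilter(String userName) {
        if (userName == null || !USERNAME.matcher(userName).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        return "(cn=" + escapeFilterValue(userName) + ")";
    }

    public static void main(String[] args) {
        // One valid name plus the two inputs from the post's example.
        String[] inputs = { "jonys", "*", "jonys) (| (password = * ) )" };
        for (String in : inputs) {
            System.out.println("input:   " + in);
            System.out.println("unsafe:  " + unsafeFilter(in));
            System.out.println("escaped: (cn=" + escapeFilterValue(in) + ")");
            try {
                System.out.println("safe:    " + safeFilter(in));
            } catch (IllegalArgumentException e) {
                System.out.println("safe:    rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The whitelist rejects both “*” and the parenthesised input before any filter is built, while the escaped form shows that the same characters become inert literals if a field ever has to accept them.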

 

All Content © 2017, Stanislas Biron