For Newbies: Simple Examples of LDAP Injection Vulnerabilities
What is LDAP?
LDAP stands for “Lightweight Directory Access Protocol.” It is a way to organise and access information about users, devices, and resources in a network or an organisation. Think of it as a digital phonebook or address book for computers and other networked devices.
LDAP stores information in a structured format, much like a tree with branches. At the top is the root, and beneath it, you have branches and leaves. Each branch represents a category, like “Users,” “Groups,” or “Devices,” and each leaf contains specific information, such as a user’s name, email, or access permissions.
Unauthorised access using LDAP Injection
LDAP injection vulnerabilities are like open doors that let malicious actors sneak into a computer’s secret filing system, the LDAP server.
Let’s consider a simplified example of an LDAP injection vulnerability in a web application.
Suppose you have a web application that uses LDAP for user authentication. When a user logs in, the application creates an LDAP query to check if the provided username and password match those in the LDAP directory. The application might create a query like this:
ldap_query = “(uid=” + user_input + “)”
In this query, ‘user_input’ is the username that is entered by the user on the log-on page. The application then sends this query to the LDAP server to check if the username exists. If it does, the application proceeds to check the password.
However, there’s an LDAP injection vulnerability because the application doesn’t properly validate or sanitize the ‘user_input’.
Validating and sanitizing user input means checking and preparing the data provided by users. Validation checks if the input follows expected rules, like having the right format, while sanitization removes or neutralizes potentially harmful characters to prevent security issues.
An attacker could input malicious data like this:
user_input = “*)(uid=*))(|(password=*)”
Now, when the application creates the LDAP query, it looks like this:
ldap_query = “(uid=*)(uid=*))(|(password=*)”
In this manipulated query, the ‘*’ wildcard and ‘(|’ operator have been injected. This can lead to unintended consequences like:
- The query matches all user entries (‘(uid=*)’). [In queries, a wildcard is a special character that is used to represent one or more other characters.]
- The ‘(|’ operator acts as an OR statement. [The | symbol acts as an “OR” statement in many programming and query languages, including LDAP filters.]
- The ‘password=*’ part could potentially match any user’s password.
As a result, the attacker might bypass the password check and gain access because the LDAP query has been manipulated by injecting special characters.
A real-life example of an LDAP injection vulnerability involved an incident with the popular online dating website Ashley Madison in 2015. Ashley Madison had an LDAP injection vulnerability in its login system that led to a significant data breach.
However, an LDAP injection attack does not necessarily have to be about credential and password checking.
Reconnaissance using LDAP Injection
A malicious actor could insert crafted LDAP packets to receive a list of resources from an organisation’s directory and conduct reconnaissance.
Cyber reconnaissance is like gathering information about a computer or network before trying to do anything harmful. It’s similar to checking out a building’s layout and security systems before attempting a break-in.
An example is provided below:
A legitimate user may perform an LDAP query to retrieve their own information. For example:
(uid=johndoe)
This query would retrieve information about the user “johndoe.”
The attacker decides to inject a crafted LDAP packet. They might input something like this as their username:
*)(uid=*)(objectClass=*)
This manipulated input creates an LDAP query that looks like this:
(uid=*)(objectClass=*)
This query, when executed, searches for entries where the “uid” attribute has any value and the “objectClass” attribute also has any value. Essentially, it matches all entries in the LDAP directory.
When the LDAP server processes the query, it returns a list of all entries in the organisation’s directory, which could include usernames, email addresses, roles, and more.
Testing for LDAP Injection
If you are a beginner in penetration testing, you may test out this vulnerability on intentionally vulnerable applications on a virtual machine. Please note that you should not perform this on an actual web application without approved and legal permissions from the owner.
OWASP WebGoat is an insecure web application designed to teach web application security lessons. It includes a module on LDAP injection that you can use for testing.
Remember to set up these applications in a controlled environment like a virtual machine, isolated from your production network, to avoid unintentional security risks.
Please clap, comment or follow if you found my article thought inducing and/or informative. I really appreciate all your support.
~ Surf the cyber-space safely, warrior ~
