Penetration testing for LDAP Injection Vulnerability

Penetration testing of LDAP vulnerability: LDAP (Lightweight Directory Access Protocol) is used to store information about users, hosts, and other sensitive data. LDAP injection is a server-side attack which could result in the leakage of sensitive information about the users and hosts represented in an LDAP structure. It is done by manipulating input parameters that are afterwards passed to internal search, add, and modify functions.
A web application could use LDAP in order to let users authenticate or search other users' information inside a corporate structure. The goal of LDAP injection attacks is to inject LDAP search filter metacharacters into a query which will be executed by the application.
A successful exploitation of an LDAP injection vulnerability could allow an attacker to:
  • Access unauthorized content
  • Evade application restrictions
  • Gather unauthorized information
  • Add or modify objects inside the LDAP tree structure.

How to do penetration testing of an LDAP injection vulnerability:

LDAP injection usually occurs in search filters or login procedures. We will walk through both with the help of examples.

LDAP Search Filters Vulnerability Penetration Testing

Let’s suppose we have a web application using a search filter like the following one:
searchfilter="(cn="+user+")"
which is instantiated by an HTTP request like this:
http://www.example.com/ldapsearch?user=John
If the value ‘John’ is replaced with a ‘*’, by sending the request:
http://www.example.com/ldapsearch?user=*
the filter will look like:
searchfilter="(cn=*)"
which matches every object that has a 'cn' attribute, whatever its value.
If the application is vulnerable to LDAP injection, it will display some or all of the users' attributes, depending on the application's execution flow and the permissions of the LDAP user the application connects as.
A tester could use a trial-and-error approach, inserting '(', '|', '&', '*' and similar characters into the parameter, in order to check the application for errors.

Penetration testing for Login Procedures for LDAP Injection

If a web application uses LDAP to check user credentials during the login process and it is vulnerable to LDAP injection, it is possible to bypass the authentication check by injecting an always-true LDAP query (in a similar way to SQL and XPath injection).
Let's suppose a web application uses a filter to match an LDAP user/password pair:
searchlogin="(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";
By using the following values:
user=*)(uid=*))(|(uid=*
pass=password
the search filter will result in:
searchlogin="(&(uid=*)(uid=*))(|(uid=*)(userPassword={MD5}X03MO1qnZdYdgyfeuILPmQ==))";
which is correct and always true. In this way, the attacker or penetration tester gains logged-in status as the first user in the LDAP tree.
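As an added example (not code from the original post), the following Python builds the article's search filter and login filter by raw string concatenation, beside hardened versions that escape the user-supplied value per RFC 4515 so that '*', '(', ')', '\' and NUL are treated as literal characters. The function names are my own; the injection string and the password are the ones from the article.

```python
import base64
import hashlib

# RFC 4515: these are the only characters that carry meaning inside a
# filter value; each is replaced by a backslash and its two-digit hex code.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is matched as a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def md5_userpassword(password: str) -> str:
    """Build the {MD5} userPassword form used in the article's login filter."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()


def search_filter_unsafe(user: str) -> str:
    """Vulnerable: the article's searchfilter, built by concatenation."""
    return "(cn=" + user + ")"


def search_filter_safe(user: str) -> str:
    """Hardened: a '*' in the input no longer becomes a wildcard."""
    return "(cn=" + escape_filter_value(user) + ")"


def login_filter_unsafe(user: str, password: str) -> str:
    """Vulnerable: the article's searchlogin, built by concatenation."""
    return "(&(uid=" + user + ")(userPassword=" + md5_userpassword(password) + "))"


def login_filter_safe(user: str, password: str) -> str:
    """Hardened: the injected parentheses cannot restructure the filter.
    (Comparing a password inside a filter is itself weak; a bind is preferable.)"""
    return "(&(uid=" + escape_filter_value(user) + ")(userPassword=" + md5_userpassword(password) + "))"


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"  # the injection string from the article
    print(login_filter_unsafe(payload, "password"))
    print(login_filter_safe(payload, "password"))
```

Running it prints the exact filter shown in the article for the unsafe version, and a single well-formed filter whose uid value is the escaped payload for the safe one.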
That’s all for today guys. If you have any queries feel free to ask. Keep Learning !! Keep Connected!!