Injection Attacks: The Complete 2020 Guide

LDAP Injections - Overview

What is LDAP

Lightweight Directory Access Protocol

Open, vendor-neutral, industry-standard protocol for directory service authentication.

Simply put: you can use it to authenticate and authorize access to resources within your organization.

Diagram: apps requiring credentials talk to the directory service (e.g. Active Directory) over LDAP; the directory service holds the user account info and passwords.

LDAP Commands


(&(objectClass=user)(sAMAccountName=UserName)
(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))

https://example.com/searchusers?user=Christophe

The user parameter from the URL is concatenated straight into the search filter:

searchfilter="(cn="+user+")"

With user=Christophe the filter becomes:

searchfilter="(cn=Christophe)"

Supplying a wildcard instead of a name turns the lookup into a match on every entry:

https://example.com/searchusers?user=*

searchfilter="(cn=*)"

Causing LDAP errors

We can use these kinds of characters to try and cause errors or changes in behavior:

^

#

$

(

|

&

*

Logical Operators

Let's say we have a login form whose backend builds this filter from the username and password fields:

(&(USER=Username)(PASSWORD=password))

If the username field is given the value:

christophe)(&))

the filter becomes:

(&(USER=christophe)(&))(PASSWORD=whatever-you-want-here))

(&) is an always-true filter, and the server evaluates only the first complete filter, (&(USER=christophe)(&)), so the PASSWORD clause left dangling at the end is never checked.

Blind LDAP Injections

Sometimes we have to rely on Blind Injection techniques because we're simply not getting any helpful responses.

By combining conditions with AND (&) and OR (|), we can try to change the output returned and infer results from whether the response differs.

Helpful resources

Free whitepapers:

LDAP Injections Overview

By Christophe Limpalair
