17 Feb, 2023

LDAP Injection

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

LDAP (Lightweight Directory Access Protocol) Injection is a type of security vulnerability that occurs when an attacker injects malicious input into an LDAP query used by an application. LDAP is a protocol used to access and manage directory information, such as user accounts and authentication credentials, and is commonly used in enterprise applications.

An attacker can use LDAP injection to manipulate the LDAP query to return unauthorized or sensitive information, modify data, or gain unauthorized access to the application or system. This can be done by inserting special characters or code into input fields, such as user names or passwords, which can be interpreted as part of the LDAP query.

Example of vulnerable code on different programming languages:


in Java:

				
					String username = request.getParameter("username");
String password = request.getParameter("password");

String filter = "(&(objectClass=user)(sAMAccountName=" + username + ")(userPassword=" + password + "))";

NamingEnumeration<SearchResult> results = ctx.search("dc=example,dc=com", filter, null);

				
			


In the above Java code, the application takes user input for the username and password and directly concatenates them into an LDAP filter. An attacker could use this to inject a malicious filter, bypass authentication, or access unauthorized data.

• in Python:

				
					import ldap

username = request.form.get("username")
password = request.form.get("password")

conn = ldap.initialize('ldap://ldap.example.com')
conn.simple_bind_s("cn="+username+",dc=example,dc=com", password)

				
			


In this Python code, user input is concatenated into an LDAP bind request. An attacker could use this to inject a malicious bind request, impersonate another user, or gain unauthorized access.

• in PHP:

				
					$username = $_POST['username'];
$password = $_POST['password'];

$filter = "(&(objectClass=user)(sAMAccountName=$username)(userPassword=$password))";

$result = ldap_search($ldap, "dc=example,dc=com", $filter);

				
			


In this PHP code, user input is used to directly construct an LDAP filter. An attacker could use this to inject a malicious filter, bypass authentication, or access unauthorized data.

Examples of exploitation LDAP Injection

Unauthorized access:
An attacker could inject a specially crafted LDAP query that would bypass authentication and allow them to access sensitive information or perform unauthorized actions on the LDAP directory. For example, an attacker could modify an LDAP query to bypass authentication and retrieve the password of an administrator account.

Data leakage:
An attacker could inject a malicious LDAP query that would return sensitive information that they are not authorized to access. For example, an attacker could modify an LDAP query to retrieve personally identifiable information (PII) of all users in the directory.

Denial of Service (DoS):
An attacker could inject a malicious LDAP query that would cause the LDAP server to consume excessive resources, resulting in a denial of service. For example, an attacker could modify an LDAP query to perform a large number of searches that would consume a large amount of memory or CPU resources.

Injection of malicious code: An attacker could inject malicious code into an LDAP query that would be executed on the LDAP server. For example, an attacker could modify an LDAP query to execute a command that would create a backdoor or install malware on the LDAP server.

Privilege escalation techniques for LDAP Injection

Modify the user’s group membership:
An attacker could modify the LDAP query to add their own user account to a privileged group, such as the Domain Admins group in Active Directory. This would grant the attacker administrative access to the entire domain.

Modify the user’s privileges:
An attacker could modify the LDAP query to grant their own user account additional privileges, such as the ability to modify system settings or access sensitive data.

Impersonate another user:
An attacker could modify the LDAP query to impersonate another user account that has higher privileges, such as an administrator. This would give the attacker access to sensitive data or the ability to perform actions that are normally restricted to the impersonated user.

Modify the user’s access control permissions:
An attacker could modify the LDAP query to modify the access control permissions of the user account, allowing them to access or modify data that they are not authorized to access.

General methodology and checklist for LDAP Injection

Methodology:

  1. Identify input points: Identify all user input fields that are used in LDAP queries or LDAP-related functions in the application. This can include login forms, search forms, and user profile forms.

  2. Identify the LDAP server: Determine the LDAP server used by the application and any relevant details such as the LDAP port number, base DN, and search filters.

  3. Identify the LDAP query format: Understand the syntax and structure of LDAP queries used by the application. This can include the type of query, the query language used (e.g. LDAP filters), and any relevant parameters.

  4. Develop attack payloads: Develop a set of attack payloads that test for different types of LDAP injection vulnerabilities. These can include simple payloads that test for SQL injection, as well as more complex payloads that test for LDAP-specific syntax and functions.

  5. Execute the attack payloads: Use a testing tool or manual testing to execute the attack payloads against the input points identified in step 1. Observe the results of the attacks, including any error messages or unexpected behavior.

  6. Analyze the results: Analyze the results of the attacks to determine if any LDAP injection vulnerabilities were identified. Document any findings, including the type of vulnerability, the affected input point, and the steps to reproduce the vulnerability.

  7. Prioritize and report the findings: Prioritize the identified vulnerabilities based on their severity and likelihood of exploitation. Create a report that summarizes the findings, including any recommended remediation steps, and share the report with the relevant stakeholders.

  8. Retest and verify remediation: Retest the application to verify that the identified vulnerabilities have been remediated, and to ensure that no new vulnerabilities have been introduced.

Tools set for exploiting LDAP Injection

Manual tools:

  • ldapsearch: Command-line tool that allows users to query an LDAP server using various search filters and parameters.

  • Apache Directory Studio: Eclipse-based application for browsing and querying LDAP directories. Can be used to test for LDAP injection vulnerabilities.

  • Softerra LDAP Browser: Graphical tool for browsing and querying LDAP directories. Can be used to test for LDAP injection vulnerabilities.

  • JXplorer: Java-based LDAP browser and editor that can be used for testing LDAP injection vulnerabilities.

  • ADSI Edit: Microsoft Management Console snap-in that provides a graphical interface for editing and managing Active Directory objects. Can be used to test for LDAP injection vulnerabilities in Active Directory environments.

Automated tools:

  • Burp Suite Pro: Web application security testing tool that includes a number of features for testing LDAP injection vulnerabilities, such as a specialized LDAP injection tool.

  • sqlmap: Open source tool for testing SQL injection vulnerabilities that can also be used to test for LDAP injection vulnerabilities.

  • Metasploit: Penetration testing tool that includes a module for exploiting LDAP injection vulnerabilities.

  • Nessus: Vulnerability scanning tool that can detect LDAP injection vulnerabilities in LDAP-enabled applications and services.

  • Nmap: Network exploration and vulnerability scanning tool that can be used to identify LDAP-enabled services and applications that may be vulnerable to LDAP injection.

  • OpenVAS: Open source vulnerability scanning tool that can detect LDAP injection vulnerabilities in LDAP-enabled applications and services.

  • Wfuzz: Open source web application fuzzing tool that can be used to test for LDAP injection vulnerabilities.

  • OWASP ZAP: Open source web application security testing tool that includes a specialized LDAP injection testing module.

  • Nikto: Web server vulnerability scanning tool that can detect LDAP injection vulnerabilities in LDAP-enabled applications and services.

  • Skipfish: Web application security scanner that can be used to test for LDAP injection vulnerabilities.

  • Wapiti: Web application security testing tool that can be used to test for LDAP injection vulnerabilities.

Browser plugins:

  • LDAP Injection Detector: A browser extension for Firefox and Chrome that can detect potential LDAP injection vulnerabilities in web applications.

  • Tamper Data: A Firefox extension that allows users to modify and intercept HTTP/HTTPS requests and responses, which can be useful for testing for LDAP injection vulnerabilities.

Average CVSS score of stack LDAP Injection

The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities. The CVSS score takes into account a variety of factors, such as the exploitability of the vulnerability, the potential impact on the system or application, and the level of complexity required to exploit the vulnerability.

The average CVSS score for LDAP injection vulnerabilities can vary depending on the specific vulnerability and its impact. However, in general, LDAP injection vulnerabilities can be considered serious and potentially high-severity vulnerabilities, with CVSS scores ranging from 6.0 to 10.0 or higher.

It’s important to note that the severity of an LDAP injection vulnerability can also depend on factors such as the complexity required to exploit the vulnerability, the level of access or privilege that can be gained through the exploit, and the potential impact on the affected system or application.

The Common Weakness Enumeration (CWE)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’): This CWE is one of the most common and well-known web application vulnerabilities. It occurs when user input is not properly validated or sanitized before being used in an SQL query, allowing an attacker to manipulate the query to execute unintended actions or retrieve unauthorized data. The impact of a successful SQL injection attack can be severe, ranging from data leakage to complete system compromise.

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’): This CWE is similar to SQL injection but occurs in LDAP queries. It happens when user input is not properly validated or sanitized before being used in an LDAP query, allowing an attacker to manipulate the query to execute unintended actions or retrieve unauthorized data.

CWE-91: XML Injection (aka Blind XPath Injection): This CWE occurs when an attacker is able to inject malicious input into an XML document or XPath expression, potentially leading to unauthorized access or data leakage. This can happen if the application does not properly validate or sanitize user input before using it in an XML document or XPath expression.

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’): This CWE occurs when user input is not properly validated or sanitized before being used in a dynamic code evaluation function, allowing an attacker to inject malicious code and potentially execute arbitrary code on the server.

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’): This CWE occurs when user input is not properly validated or sanitized before being used in an HTTP header, allowing an attacker to inject additional HTTP headers or manipulate the response to execute unintended actions.

CWE-184: Incomplete Blacklist to Cross-Site Scripting: This CWE occurs when user input is not properly validated or sanitized before being displayed in a web page, allowing an attacker to inject malicious scripts that can be executed by other users visiting the page.

CWE-434: Unrestricted Upload of File with Dangerous Type: This CWE occurs when an application allows users to upload files without properly validating or sanitizing the file type and contents, potentially allowing an attacker to upload malicious files and execute arbitrary code on the server.

CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’): This CWE occurs when an application allows unvalidated input to be used in a URL redirect, potentially allowing an attacker to redirect users to a malicious website.

CWE-611: Improper Restriction of XML External Entity Reference: This CWE occurs when an application parses XML input from an untrusted source without proper validation or sanitization, potentially allowing an attacker to access sensitive data on the server.

CWE-943: Improper Neutralization of Special Elements in Data Query Logic: This CWE occurs when user input is not properly validated or sanitized before being used in data query logic, allowing an attacker to manipulate the query to execute unintended actions or retrieve unauthorized data. This can occur in various contexts, including LDAP, SQL, XPath, and other types of queries.

Top 10 CVES related to LDAP Injection

CVE-2023-23749 – The ‘LDAP Integration with Active Directory and OpenLDAP – NTLM & Kerberos Login’ extension is vulnerable to LDAP Injection since is not properly sanitizing the ‘username’ POST parameter. An attacker can manipulate this paramter to dump arbitrary contents form the LDAP Database.

CVE-2023-0476 – A LDAP injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated attacker could generate data in Active Directory using the application account through blind LDAP injection.

CVE-2022-45910 – Improper neutralization of special elements used in an LDAP query (‘LDAP Injection’) vulnerability in ActiveDirectory and Sharepoint ActiveDirectory authority connectors of Apache ManifoldCF allows an attacker to manipulate the LDAP search queries (DoS, additional queries, filter manipulation) during user lookup, if the username or the domain string are passed to the UserACLs servlet without validation. This issue affects Apache ManifoldCF version 2.23 and prior versions.

CVE-2022-45046 – DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

CVE-2022-29155 – In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL injection vulnerability exists in the experimental back-sql backend to slapd, via a SQL statement within an LDAP query. This can occur during an LDAP search operation when the search filter is processed, due to a lack of proper escaping.

CVE-2022-22975 – An issue was discovered in the Pinniped Supervisor with either LADPIdentityProvider or ActiveDirectoryIdentityProvider resources. An attack would involve the malicious user changing the common name (CN) of their user entry on the LDAP or AD server to include special characters, which could be used to perform LDAP query injection on the Supervisor’s LDAP query which determines their Kubernetes group membership.

CVE-2022-22360 – IBM Sterling Partner Engagement Manager 6.1.2, 6.2, and Cloud/SasS 22.2 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and could result in in granting permission to unauthorized resources. IBM X-Force ID: 220782.

CVE-2021-43350 – An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the POST /login endpoint of any API version to inject unsanitized content into the LDAP filter.

CVE-2021-41232 – Thunderdome is an open source agile planning poker tool in the theme of Battling for points. In affected versions there is an LDAP injection vulnerability which affects instances with LDAP authentication enabled. The provided username is not properly escaped. This issue has been patched in version 1.16.3. If users are unable to update they should disable the LDAP feature if in use.

CVE-2021-39031 – IBM WebSphere Application Server – Liberty 17.0.0.3 through 22.0.0.1 could allow a remote authenticated attacker to conduct an LDAP injection. By using a specially crafted request, an attacker could exploit this vulnerability and could result in in granting permission to unauthorized resources. IBM X-Force ID: 213875.

LDAP Injection exploits

LDAP Query Injection: This type of attack involves injecting malicious input into an LDAP query, which can lead to unauthorized access to data or system compromise.

LDAP Attribute Injection: This type of attack involves injecting malicious input into an LDAP attribute, which can lead to the modification of LDAP data or unauthorized access to sensitive information.

LDAP Injection in User Authentication: This type of attack involves injecting malicious input into the user authentication process, which can lead to the bypass of user authentication and unauthorized access to the system.

LDAP Injection in Search Filters: This type of attack involves injecting malicious input into search filters, which can lead to the bypass of access controls and unauthorized access to sensitive information.

Blind LDAP Injection: This type of attack involves injecting malicious input into an LDAP query, where the response to the query is not displayed to the user. This can make it more difficult to detect and exploit the vulnerability.

LDAP Injection in LDAP URL: This type of attack involves injecting malicious input into an LDAP URL, which can lead to unauthorized access to sensitive information or system compromise.

LDAP Injection in LDAP Search Base: This type of attack involves injecting malicious input into the LDAP search base, which can lead to unauthorized access to sensitive information or system compromise.

LDAP Injection in LDAP Attribute Names: This type of attack involves injecting malicious input into LDAP attribute names, which can lead to the modification of LDAP data or unauthorized access to sensitive information.

LDAP Injection in LDAP Object Names: This type of attack involves injecting malicious input into LDAP object names, which can lead to the modification of LDAP data or unauthorized access to sensitive information.

LDAP Injection in LDAP Group Memberships: This type of attack involves injecting malicious input into LDAP group memberships, which can lead to the modification of LDAP data or unauthorized access to sensitive information.

Practicing in test for LDAP Injection

Familiarize yourself with LDAP and the LDAP query language:
Before you can test for LDAP Injection, you need to have a basic understanding of what LDAP is, how it works, and how to write LDAP queries.

Learn about LDAP Injection vulnerabilities:
Read up on the common vulnerabilities and attack techniques associated with LDAP Injection. This will help you identify potential vulnerabilities when testing.

Set up a test environment:
You’ll need a test environment that includes an LDAP server, a web application that interacts with the LDAP server, and tools for testing and analyzing LDAP queries.

Identify potential injection points:
Analyze the web application and identify potential injection points, such as search fields, login forms, or other areas where user input is used to build LDAP queries.

Test input validation:
Attempt to inject malicious input into these input fields and test the application’s input validation. Look for error messages, unexpected results, or other indications that the application is vulnerable to injection.

Test input encoding:
Test whether the application properly encodes user input before using it to build LDAP queries. Attempt to bypass any encoding or filtering mechanisms in place.

Test for blind LDAP Injection:
Test for blind LDAP Injection by injecting queries that do not return any visible results. This can be more difficult, but it is still possible to identify vulnerabilities in this way.

Use automated tools:
Use automated tools such as ldap_injection, Burp Suite, or sqlmap to help identify vulnerabilities and generate test cases.

Verify the results:
Verify that any identified vulnerabilities are real by attempting to exploit them and testing the impact on the LDAP server and web application.

Document the results:
Document any vulnerabilities, including the attack vector, impact, and potential mitigations, and report them to the appropriate parties.

For study LDAP Injection

OWASP: The Open Web Application Security Project (OWASP) provides an overview of LDAP Injection, including the risks and potential impact of this vulnerability. OWASP also provides guidance on how to prevent LDAP Injection, as well as testing techniques to identify potential vulnerabilities.

SANS Institute: The SANS Institute provides training and certification programs in information security, including a course on web application penetration testing that covers LDAP Injection. The course covers the basics of LDAP Injection, as well as more advanced topics such as blind LDAP Injection.

NIST: The National Institute of Standards and Technology (NIST) provides guidelines and best practices for secure software development, including recommendations for preventing LDAP Injection. The guidelines cover how to validate user input, sanitize LDAP queries, and avoid common coding mistakes that can lead to vulnerabilities.

Books: There are several books available on web application security that cover LDAP Injection in detail, including “The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto, and “Hacking Web Applications: The Art of Hacking Series” by Dafydd Stuttard.

Online courses: There are also several online courses available that cover LDAP Injection, including courses on popular e-learning platforms such as Udemy and Coursera.

Practice: Practicing testing for LDAP Injection in a lab environment can also be a helpful way to learn. Set up a test environment with an LDAP server and a web application that interacts with the server, and practice testing for vulnerabilities using manual techniques and automated tools.

Books with review of LDAP Injection

“Web Application Security: A Beginner’s Guide” by Bryan Sullivan and Vincent Liu – This book provides an introduction to web application security and includes a section on LDAP Injection. It covers the basics of how LDAP works, and provides examples of how to detect and prevent injection attacks.

“The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – This book is a comprehensive guide to web application security testing and covers LDAP Injection in detail. It provides a detailed explanation of how LDAP Injection attacks work and how to prevent them.

“Hacking Web Applications: The Art of Hacking Series” by Dafydd Stuttard – This book covers a wide range of web application hacking techniques, including LDAP Injection. It provides step-by-step examples of how to perform LDAP Injection attacks and how to prevent them.

“Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz – This book provides a guide to using Python for hacking and pentesting, including examples of how to exploit LDAP Injection vulnerabilities.

“The Tangled Web: A Guide to Securing Modern Web Applications” by Michal Zalewski – This book provides a comprehensive overview of web application security and covers LDAP Injection in detail. It includes examples of how to detect and prevent injection attacks.

“Gray Hat Hacking: The Ethical Hacker’s Handbook” by Allen Harper, Daniel Regalado, and Ryan Linn – This book provides a guide to ethical hacking techniques and includes a section on LDAP Injection. It covers how to identify and exploit LDAP Injection vulnerabilities, and how to prevent them.

“The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy” by Patrick Engebretson – This book is an introductory guide to hacking and pentesting, and includes a section on LDAP Injection. It covers the basics of how LDAP Injection attacks work, and how to prevent them.

“Penetration Testing: A Hands-On Introduction to Hacking” by Georgia Weidman – This book provides a guide to penetration testing and includes a section on LDAP Injection. It covers how to identify and exploit LDAP Injection vulnerabilities, and how to prevent them.

“Professional Penetration Testing: Creating and Operating a Formal Hacking Lab” by Thomas Wilhelm – This book provides a guide to creating and operating a penetration testing lab, and includes a section on LDAP Injection. It covers how to identify and exploit LDAP Injection vulnerabilities, and how to prevent them.

“The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities” by Mark Dowd, John McDonald, and Justin Schuh – This book provides a comprehensive guide to software security, including a section on LDAP Injection. It covers how to identify and prevent LDAP Injection vulnerabilities, as well as other common security flaws.

List of payloads LDAP Injection

Here is a list of some common LDAP Injection payloads:

  1. *
  2. *)(uid=*))(|(uid=
  3. )(uid=
  4. ou=<script>alert(1)</script>
  5. admin)(!(cn=
  6. (&(objectClass=*)(uid=*))
  7. */*
  8. *)(uid=*
  9. |(objectClass=*)
  10. &<script>alert(1)</script>
  11. )(uid=*))(|(uid=*
  12. */*
  13. (&(objectClass=*))
  14. (%29%28%0A%28%26%28%0A%28%26%28%0A
  15. |(uid=*))
  16. *
  17. *)(&#x00
  18. )(objectClass=*)
  19. *)(uid=*))(|(uid=
  20. ))(|(password=*))

How to be protected from LDAP Injection

  1. Input validation: Ensure that all input received from the user is properly validated and sanitized before it is used to construct LDAP queries. This includes checking the input data for type, length, and format to make sure it conforms to expected values.

  2. Parameterized queries: Use parameterized queries instead of string concatenation to construct LDAP queries. Parameterized queries separate the query and its parameters, which prevents attackers from injecting malicious input into the query.

  3. Principle of Least Privilege: Limit the permissions of the user account used to perform LDAP queries. Only grant the minimum necessary permissions to the account to perform its tasks. This can help to minimize the impact of an LDAP Injection attack.

  4. Sanitization of user input: Remove special characters and symbols from user input, such as quotes and semicolons, to prevent malicious users from injecting commands.

  5. Regularly update and patch systems: Keep the software and systems up to date with the latest patches and updates to protect against known vulnerabilities.

  6. Use a web application firewall: Implement a web application firewall that can detect and block LDAP Injection attacks.

  7. Training and awareness: Train developers and system administrators on how to recognize and prevent LDAP Injection attacks. This includes understanding the risks associated with LDAP Injection and best practices for secure coding and configuration.

Mitigations for LDAP Injection

  1. Use Input validation: Ensure that all input received from the user is properly validated and sanitized before it is used to construct LDAP queries. This includes checking the input data for type, length, and format to make sure it conforms to expected values.

  2. Parameterized queries: Use parameterized queries instead of string concatenation to construct LDAP queries. Parameterized queries separate the query and its parameters, which prevents attackers from injecting malicious input into the query.

  3. Principle of Least Privilege: Limit the permissions of the user account used to perform LDAP queries. Only grant the minimum necessary permissions to the account to perform its tasks. This can help to minimize the impact of an LDAP Injection attack.

  4. Use Prepared Statements: If you are building the LDAP queries manually then use prepared statements to escape user inputs before submitting them to LDAP queries.

  5. Sanitization of user input: Remove special characters and symbols from user input, such as quotes and semicolons, to prevent malicious users from injecting commands.

  6. Regularly update and patch systems: Keep the software and systems up to date with the latest patches and updates to protect against known vulnerabilities.

  7. Use a web application firewall: Implement a web application firewall that can detect and block LDAP Injection attacks.

  8. Use Application-level Permissions: Use application-level permissions that enforce access controls to protect against unauthorized access.

  9. User Authentication: Proper authentication should be implemented to ensure that only authenticated users are allowed to perform LDAP queries.

  10. Disable anonymous binding: Disable anonymous binding in your LDAP server to prevent unauthorized access to LDAP directory.

Conclusion

LDAP Injection is a serious security threat that can be exploited by attackers to gain unauthorized access to sensitive information and systems. It occurs when an attacker injects malicious input into an LDAP query, which can result in the execution of unintended and potentially harmful commands. LDAP Injection can be prevented through a combination of input validation, parameterized queries, the principle of least privilege, and other mitigation techniques. It is important for organizations to be aware of this vulnerability and take appropriate measures to protect their systems and data from exploitation. Regular security testing and updates can help to identify and remediate any vulnerabilities before they can be exploited by attackers.

Other Services

Ready to secure?

Let's get in touch