Sometimes web applications do not take proper care when processing user input and use it on the server without sanitizing it properly, and attackers take advantage of that to carry out attacks. An LDAP Injection Attack is one such attack, in which attackers exploit web applications that construct LDAP statements from unsafe user input without taking proper precautions.
Let's understand what this attack basically is.
What is LDAP
Suppose we are using an email client and want to look up an email address before sending an email. We can do that easily if the person is present in the address book.
But think of a big organization with thousands of employees, where we want to look up the email address of someone we have never emailed before. This problem can be solved efficiently using LDAP, the Lightweight Directory Access Protocol.
In LDAP, an LDAP server is maintained, and an LDAP client uses LDAP APIs to contact the LDAP server and access information. For example, if we want to search for the email address of a person named 'John' who lives in San Francisco, we type that information into the LDAP client program. The LDAP client then contacts the LDAP server using the LDAP APIs and the information is retrieved.
LDAP is used to look up not only contact information but also encryption certificates, pointers to printers, and other services on the network such as single sign-on, where a single password is used to log in to all services in the organization.
LDAP is basically an application protocol used to maintain distributed directory information services over an IP network. It indexes all the data of a distributed directory in a simple tree hierarchy and retrieves it efficiently when required.
How is LDAP Injection Attack perpetrated
Suppose a company's web application authenticates an employee with a username and password and then gives access to sensitive applications.
The login page will typically have two boxes, one for the username and one for the password, and it authenticates the employee from those inputs.
Suppose the web application builds an LDAP query string from the user inputs and sends the corresponding LDAP query to the server to get a response. And suppose the web application is vulnerable to LDAP Injection Attacks because it does not sanitize the user inputs properly before building the LDAP query string.
At this point, suppose an attacker enters 'johns)(&)' as the username and any random value as the password.
That would produce an LDAP query something like this:
(&(USERNAME=johns)(&)(PASSWORD=somerandomvalue))
This query string is sent to the LDAP server, but the server processes only the first part of the query:
&(USERNAME=johns)(&)
As a result, if johns is a valid username, the attacker can now impersonate that user to the web application and misuse it.
This is a simple example of an LDAP Injection Attack. Attackers can carry out more complex attacks depending on the actual vulnerabilities present.
Mitigation
- User-supplied data must be sanitized properly so that it does not contain any string or character that can be used maliciously. Only inputs made up of an allowed set of characters should be accepted, and regular expressions should be avoided.
- Before output is returned to the user, it should be verified that it contains only the specific information expected. The amount of data returned by a query can also be restricted.
- LDAP should be configured cautiously, so that there is proper access control on the LDAP directory. The access level used by the web application should be minimal.