Ravikanth's Blog

Happenings around Me

December 2005 - Posts

Brainbench Certified Professional in "Information Technology Security Fundamentals"

Today I cleared the "Information Technology Security Fundamentals" test on Brainbench. Now I am a Brainbench Certified Professional in "Information Technology Security Fundamentals".

 

LDAP Injection overview

Introduction:

Nowadays, one of the growing attacks on publicly hosted information directories is the LDAP injection attack. In this article I will explain what LDAP is, what LDAP injection is, how an LDAP injection attack occurs, and finally the countermeasures required to mitigate LDAP injection.

 

What is LDAP:

The Lightweight Directory Access Protocol (LDAP) provides a mechanism for connecting to, searching, and modifying internet directories. LDAP statements (or queries) are used to retrieve data from information directories.

 

What is LDAP Injection:

An LDAP (Lightweight Directory Access Protocol) injection attack exploits vulnerabilities in input validation to run arbitrary LDAP statements against information directories. It can occur when your application uses input to construct dynamic LDAP statements to access directory services. Using an LDAP injection attack, the attacker can execute arbitrary statements against the directory services.

 

Litmus test for LDAP Injection:

The most common way to detect the LDAP Injection attack is:

  1. Identify entry points that collect user input such as text boxes, query string parameters, etc.
  2. Insert any of the characters '(', '|', '&' as input and submit the request.
  3. Identify whether an exception/error message was generated relating to LDAP (e.g., Page cannot be displayed).

* Please note that the exception may only be logged, so simply checking the UI for an error message will not be sufficient.

* Also please note that sometimes you may get a blank page in the browser, which means the LDAP query executed successfully. Based on a few observations of the query, the LDAP statements can be modified to do more damage.

 

Vulnerabilities which cause LDAP Injection:

 

  1. Application building dynamic LDAP statements at runtime with untrusted user input

This applies to any application or component which constructs LDAP statements at run time. The filter part of the statement is a bit more complicated and provides the mechanism for LDAP injections.

As an example:

string strLDAPStmt = "(some attribute=" + Request.QueryString["userinput"] + ")";

// untrusted input is concatenated unchanged; the query becomes '(some attribute=user input)(|(cn=*))'

Countermeasures:

The first line of defense is to never trust user input. Always validate user input for type, pattern and domain.

Type validation:

Ex: int userinput = Convert.ToInt32(Request.QueryString["userinput"]);

Pattern validation:

Ex: bool isValidEmail = Regex.IsMatch(Request.QueryString["email"], @"^.+@[^\.].*\.[a-z]{2,}$"); // needs using System.Text.RegularExpressions;

Domain values validation:

Ex: bool isValidCountry = Array.IndexOf(new string[] { "USA", "UK" }, Request.QueryString["country"]) >= 0;
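
The vulnerable concatenation from above beside a hardened builder, as an added example that is not part of the original post. It goes beyond the validation shown here by also escaping the filter special characters defined in RFC 4515; the cn attribute, the allowed character set and the sample input are assumptions made for illustration.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

static class LdapFilterDemo
{
    // Vulnerable: untrusted input is concatenated straight into the filter.
    static string BuildFilterUnsafe(string userInput)
    {
        return "(cn=" + userInput + ")";
    }

    // Escapes the characters that are special inside an LDAP search filter
    // value (RFC 4515): each becomes a backslash followed by two hex digits.
    static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*': sb.Append(@"\2a"); break;
                case '(': sb.Append(@"\28"); break;
                case ')': sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Hardened: pattern validation first (allow-list, assumed character set),
    // then escaping as a second layer. \z anchors at the true end of input,
    // so a trailing newline cannot slip past the check as it can with $.
    static string BuildFilterSafe(string userInput)
    {
        if (userInput == null || !Regex.IsMatch(userInput, @"^[A-Za-z0-9 .'-]{1,64}\z"))
            throw new ArgumentException("input failed pattern validation");
        return "(cn=" + EscapeFilterValue(userInput) + ")";
    }

    static void Main()
    {
        string sample = "user input)(|(cn=*)"; // constructed sample input
        Console.WriteLine("unsafe:  " + BuildFilterUnsafe(sample));
        Console.WriteLine("escaped: (cn=" + EscapeFilterValue(sample) + ")");
        try { BuildFilterSafe(sample); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
        Console.WriteLine("valid:   " + BuildFilterSafe("O'Brien"));
    }
}
```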
