Wednesday, January 27, 2016

What is LDAP Injection Attack ?




Sometimes web applications do not take proper cautions in processing user inputs and use them in the server without sanitizing it properly. And, attackers take advantage of that for perpetrating attacks. LDAP Injection Attack is one such attack, in which the attackers exploit web applications that construct LDAP statements using unsafe user inputs without taking proper precautions.

Let's understand what this attack basically is.



What is LDAP


Suppose, we are using an email client and want to look for an email address before sending out an email. We can do that easily if the person is present in the addressbook.

But, think of a big organization where thousands of employees are present and we want to look for an email address of someone whom we never sent an email before. This problem can be resolved efficiently using LDAP or Lightweight Directory Access Protocol.


In LDAP, an LDAP server is maintained and an LDAP client, can use LDAP APIs to contact the LDAP Server and access information. For example, if we want to search for email address of a person named 'John' who lives in San Francisco, we would type in the information in the LDAP Client program. The LDAP Client will then contact the LDAP Server using LDAP APIs and information will be retrieved.


LDAP is used for looking up not only contact information, but also encryption certificate, pointers to printers and other services on network like single sign-on, where a single password is used to login to all services in the organization.


LDAP basically is an application protocol and is used to maintain distributed directory information services over an IP network. It indexes all the data related to some distributed internet directory in a simple tree hierarchy and retrieves them efficiently when required.



How is LDAP Injection Attack perpetrated





Suppose, a web application of a company authenticates an employee with his username and password and gives access to sensitive applications.


Now, the login page typically will have two boxes, for username and password. And, taking inputs from an employee, it will authenticate the employee.


Suppose, the web application creates an LDAP query string from the user inputs and makes corresponding LDAP query to the server to get response. And suppose, the web application is vulnerable to LDAP Injection Attacks, as it does not sanitize the user inputs properly before making the LDAP query string.


At this point, suppose an attacker gives 'johns)(&)' as username and any random value as password.

That would make an LDAP query something like this :


(&(USERNAME=johns)(&)(PASSWORD=somerandomvalue))


This query string would be sent to the LDAP server, but the server would process only the first part of the query :


&(USERNAME=johns)(&)

As a result, if johns is a valid username, the attacker can now impersonate the user to the web application and exploit it for malicious purposes.


This is a simple example of LDAP Injection Attack. Attackers can perpetrate even more complex attacks depending on the actual vulnerabilities.





Mitigation

  • User supplied data must be sanitized properly so that it does not contain any string or character that can be used maliciously. Inputs containing only some allowable characters should be used and regular expressions should be avoided.
  • Before an output is returned to the user, it should be verified that it contains only the specific information. Amount of data returned by a query can be restricted.
  • LDAP should be configured cautiously, so that there is proper access control on the LDAP directiory. Access level used by the web application should be minimal.
This article was meant to give information on another security vulnerability of web applications. Hope it solved its purpose.

No comments:

Post a Comment