AppSec Tales XXII | LDAPI

Karol Mazurek
6 min read · Nov 11, 2023

Application Security Testing for LDAP Injections.

INTRODUCTION

This article describes how to test an application for LDAP Injection, which occurs when the application uses unsanitized user input to construct LDAP queries and then sends them on to the LDAP server.

LDAP servers use a filter-based query syntax described in RFC 4515 (LDAP: String Representation of Search Filters). Below are a few examples:

# Matches any user ID starting with Karol (a single equality filter with a trailing wildcard):
(uid=Karol*)

# Uses the NOT operator(!).
# Matches entries where the user ID does not start with Karol:
(!(uid=Karol*))

# Uses the AND operator(&).
# Matches entries with user IDs starting with K and having any password:
(&(uid=K*)(userPassword=*))

# Uses the OR operator(|).
# Matches user IDs starting with Karol or A
(|(uid=Karol*)(uid=A*))

# Combined: (NOT(!) uid equal to Karol, OR(|) uid starting with K) AND(&) has any password:
(&(|(!(uid=Karol))(uid=K*))(userPassword=*))
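The examples above show that the characters `(`, `)`, `*`, `\` and the operators `&`, `|`, `!` carry structural meaning in a filter, so any of them arriving in user input can change what a query matches. The following Python script is an added example, not code from the original article: it builds a login-style filter the naive way and the RFC 4515 way (every user-controlled value escaped as `\XX` hex sequences), and then runs two structural checks that a test harness or a code review can apply to the resulting filter string. The function names, the hypothetical `uid`/`userPassword` filter and the sample inputs are all my own constructions.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Matches the start of an assertion: "(" + attribute name + one of = ~= >= <=.
# Simplification: extensible-match assertions (":=") are not handled.
_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9.;-]*)(?:=|~=|>=|<=)")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(uid: str, password: str) -> str:
    """Vulnerable pattern (shown for contrast): raw input spliced into the filter."""
    return f"(&(uid={uid})(userPassword={password}))"


def build_filter_safe(uid: str, password: str) -> str:
    """Hardened pattern: every user-controlled value is escaped first."""
    return (
        f"(&(uid={escape_filter_value(uid)})"
        f"(userPassword={escape_filter_value(password)}))"
    )


def count_top_level_filters(filter_str: str) -> int:
    """Count complete parenthesised filters at the top level.

    A well-formed RFC 4515 filter has exactly one. Returns -1 when the
    parentheses are unbalanced.
    """
    depth = 0
    count = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return -1
            if depth == 0:
                count += 1
    return -1 if depth != 0 else count


def assertion_attributes(filter_str: str) -> list:
    """Return the attribute names of all assertions, in order of appearance."""
    return _ASSERTION.findall(filter_str)


def filter_structure_intact(filter_str: str, expected_attributes) -> bool:
    """True only if the filter is one balanced filter whose assertions are
    exactly the ones the application intended, in the intended order."""
    return (
        count_top_level_filters(filter_str) == 1
        and assertion_attributes(filter_str) == list(expected_attributes)
    )


if __name__ == "__main__":
    # Constructed sample input containing filter metacharacters.
    uid, pw = "Karol)(uid=*", "secret"
    expected = ["uid", "userPassword"]
    for label, builder in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
        f = builder(uid, pw)
        print(f"{label:6} {f}")
        print(f"       structure intact: {filter_structure_intact(f, expected)}")
```

Note that the top-level count alone is not enough: a parenthesised value can add an extra assertion while leaving the parentheses balanced, which is why the assertion list is compared against the intended attributes as well. After escaping, a lone `*` in the uid field becomes `\2a` and matches only an entry whose uid is literally `*`, rather than every entry, which is the behaviour the article's wildcard examples rely on.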

GUIDELINES

In the guidelines below, I assume that you have already identified the application entry points described in AppSec Tales XI | Input Validation:
