How To Test For LDAP Injection

Detecting LDAP Injection

If you are not already familiar with the concept of LDAP Injection, we suggest that you review the article entitled “What Is LDAP Injection?”.

You should consider testing for LDAP Injection anytime that user supplied input is used to search for information that might be stored in a directory service.  In white-box testing scenarios, you will know where to test for LDAP Injection.  In black-box scenarios, you will include some LDAP sentinel payloads in your fuzzing tests and must be ready to recognize the manifestations of successful LDAP Injection.

First, it is useful to understand some of the characters that have special meaning in LDAP Search Filters.  A partial list follows:

Character   Meaning
*           Wildcard matching zero or more of any character
( )         Surrounds an expression
&           Logical "and" (prefix operator)
|           Logical "or" (prefix operator)

It is also useful to know about two expressions whose meaning is important for testing purposes but whose value is not obvious:

Expression   Meaning
(&)          Always True
(|)          Always False

Testing For LDAP Injection With An Asterisk (*)

Setting the value of a field to be an asterisk (‘*’) as a test case will inform you:

  • Whether the application will reject the character due to input validation
  • Whether the character is interpreted as a wildcard.  You must be alert for interesting changes in application behavior or results.  A successful query when using an asterisk suggests that LDAP Injection is possible.  Depending on the application’s requirements, the return of additional (or multiple) records can mean the asterisk is broadening the criteria of the search.
  • Whether the asterisk is being neutralized.  If there is no error and no results, OR only results matching the asterisk entered, it likely means that the meta-character has no special meaning.

Since the right-parenthesis closes an expression, it is probably worth also trying each of the following and observing the result:

*
*)
*))
*)))

Note that the trailing right-parentheses are added to close and terminate any open expressions in the Search Filter we are injecting into.  (There is no “comment” character sequence as there is in SQL.)  As was the case with the asterisk, if the input is not rejected, then you should examine the results for interesting changes or application behaviors.
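As an added example, not code from the original article, the Python below shows the two outcomes the asterisk and parenthesis probes distinguish: a filter built by raw concatenation, where the probe characters keep their special meaning, next to the same filter built with the RFC 4515 escaping that neutralizes them. The filter template `(&(objectClass=person)(uid=...))`, the function names and the parenthesis-balance check are assumptions made for this example.

```python
# Added example (not from the original article): the same search filter built
# with raw concatenation and with RFC 4515 escaping, run against the probes
# listed above. Filter template and function names are assumptions.

# RFC 4515 section 3: characters that must be escaped inside an assertion value,
# written as a backslash followed by two hex digits (e.g. '*' becomes '\2a').
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

PROBES = ["*", "*)", "*))", "*)))"]  # the probe values listed in the article


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(userid: str) -> str:
    """Vulnerable construction: the untrusted value is concatenated into the filter."""
    return f"(&(objectClass=person)(uid={userid}))"


def build_filter_safe(userid: str) -> str:
    """Hardened construction: the same filter with the value escaped first."""
    return f"(&(objectClass=person)(uid={escape_filter_value(userid)}))"


def parens_balanced(filter_text: str) -> bool:
    """Return True if the unescaped parentheses in the filter are balanced.

    A conforming LDAP server rejects a filter whose parentheses do not balance,
    which is why a probe with extra ')' characters tends to surface as an error
    when the value reaches the filter unescaped.
    """
    depth = 0
    i = 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":
            i += 3  # skip the escape sequence: backslash plus two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def assess(probe: str) -> dict:
    """Compare how one probe affects the unsafe and the safe filter."""
    unsafe = build_filter_unsafe(probe)
    safe = build_filter_safe(probe)
    return {
        "probe": probe,
        "unsafe_filter": unsafe,
        "unsafe_parses": parens_balanced(unsafe),
        "unsafe_has_wildcard": "*" in unsafe,   # a raw '*' reaches the server
        "safe_filter": safe,
        "safe_parses": parens_balanced(safe),
        "safe_has_wildcard": "*" in safe,       # escaped to '\2a', so never True
    }


if __name__ == "__main__":
    for p in PROBES:
        result = assess(p)
        print(f"{p!r:8} unsafe={result['unsafe_filter']!r:40} parses={result['unsafe_parses']}")
        print(f"{'':8} safe  ={result['safe_filter']!r:40} parses={result['safe_parses']}")
```

Run stand-alone, the script prints each probe twice: the unsafe filter keeps the raw asterisk and, for every probe with trailing parentheses, fails the balance check (the error path the article tells you to watch for), while the escaped filter always parses and never contains a wildcard, which is the "neutralized" outcome described in the third bullet above.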

Testing For LDAP Injection With (&) and (|)

The application may be injecting the untrusted input into a compound logical expression such as:

(& (userid=USER_PARAM)(password=PWD_PARAM))
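As an added example that is not part of the original article, the following Python is a small detection pass a defender can run over web access logs to spot the probe values this article describes (a bare asterisk, an asterisk followed by closing parentheses, and the `(&)` / `(|)` expressions) in request parameters, and to compare the response size of a flagged request against unflagged requests to the same path, since a noticeably larger response is the "additional (or multiple) records" behaviour the article says to watch for. The log format, the `/search` and `/login` endpoints, the parameter names and every log line are constructed for this example.

```python
# Added example (not from the original article): scan web access logs for the
# LDAP probe values described in this article. The log format, endpoint names,
# parameter names and every log line below are constructed for this example.
import re
from urllib.parse import parse_qsl, urlsplit

# Probe shapes from the article, checked against each URL-decoded parameter value.
LDAP_PROBE_PATTERNS = [
    (re.compile(r"\*\)+$"), "wildcard followed by closing parentheses"),
    (re.compile(r"\(&\)|\(\|\)"), "always-true (&) or always-false (|) expression"),
    (re.compile(r"^\*$"), "bare wildcard"),
]

# Request target, HTTP status and response size from a Common Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)')

# Constructed sample log: one normal lookup, the three probe shapes, then a value
# with an embedded asterisk that the patterns deliberately do not flag.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?userid=alice HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /search?userid=* HTTP/1.1" 200 9812
10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /search?userid=*%29%29 HTTP/1.1" 500 128
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /login?userid=%28%26%29&password=x HTTP/1.1" 200 2048
10.0.0.8 - - [01/Jan/2024:10:00:05 +0000] "GET /search?userid=bob*smith HTTP/1.1" 200 640
"""


def find_ldap_probes(log_text: str) -> list:
    """Return one finding per parameter value that matches a probe pattern."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target, status, size = match.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            for pattern, reason in LDAP_PROBE_PATTERNS:
                if pattern.search(value):
                    findings.append({
                        "line": lineno,
                        "path": parts.path,
                        "param": name,
                        "value": value,
                        "reason": reason,
                        "status": int(status),
                        "bytes": int(size),
                    })
                    break  # one finding per parameter value is enough
    return findings


def unflagged_sizes(log_text: str) -> dict:
    """Response sizes of requests that carried no probe, grouped by path (the baseline)."""
    flagged = {f["line"] for f in find_ldap_probes(log_text)}
    sizes = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match or lineno in flagged:
            continue
        target, _status, size = match.groups()
        sizes.setdefault(urlsplit(target).path, []).append(int(size))
    return sizes


if __name__ == "__main__":
    baseline = unflagged_sizes(SAMPLE_LOG)
    for f in find_ldap_probes(SAMPLE_LOG):
        normal = baseline.get(f["path"], [])
        bigger = bool(normal) and f["bytes"] > max(normal)
        print(f"line {f['line']}: {f['param']}={f['value']!r} ({f['reason']}), "
              f"status {f['status']}, {f['bytes']} bytes"
              f"{' - larger than any unflagged response' if bigger else ''}")
```

On the constructed sample the pass flags lines 2 to 4 and leaves `bob*smith` alone; the bare-asterisk request to `/search` returned far more data than any unflagged request to the same path, and the `*))` request produced a 500, which together are the two manifestations (broadened results, errors from unbalanced parentheses) that the testing guidance above asks the tester to recognize. Whether an embedded asterisk such as `bob*smith` deserves a lower-severity flag depends on whether the application legitimately accepts wildcards.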

Additional testing insights can be found here.

For insight into how to avoid or fix LDAP Injection vulnerabilities, please see the article entitled “How To Prevent LDAP Injection”.

About Affinity IT Security

We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and/or to train your developers and testers. Contact us to learn how to partner with us to protect your enterprise.

Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.