While searching for some security papers, I’ve been looking for something about LDAP injections.
Let’s have a look at what OWASP says on their site:
The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.
There is a problem here: there are some big differences between SQL and LDAP, which lead to differences in security:
- in SQL, commands and values are expressed in the same input (a string containing a command). Several commands can be specified in one string:
"SELECT field FROM table WHERE ...; DROP TABLE xx;"
- while in LDAP, the filter contains only filter parameters, in a specific representation (RFC 2254). This representation uses a prefixed form (the boolean operator comes before the fields), and each field must be enclosed in parentheses:
"( & (uid=john.doe) (objectClass=person) )"
OWASP gives some examples, for a filter (cn=%s):
- If a user puts “*” in the search box, the system may return all the usernames in the LDAP base
- If a user puts “jonys) (| (password = * ) )”, it will generate the code below, revealing jonys’ password
What? One could make an application display the password?!
The first line is true: any filter like (uid=*) will return all users having …
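As an added example (not part of the original post or of OWASP's text), here is the difference between pasting user input straight into the (cn=%s) filter and escaping it first. The escaping follows RFC 4515, the successor of RFC 2254 cited above, which requires `\`, `*`, `(`, `)` and NUL to be written as `\5c`, `\2a`, `\28`, `\29` and `\00` inside an assertion value. The two inputs tried are the ones from the OWASP examples; the helper names and the clause-count check are my own, not a library API.

```python
# Added example: building an LDAP search filter with and without value escaping.
# Escaping rules are from RFC 4515 section 3; inputs are the OWASP examples above.

# Characters that carry filter syntax and must be escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so the server reads it as a literal value, not as filter syntax."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """The pattern the post criticises: user input substituted straight into (cn=%s)."""
    return "(cn=%s)" % username


def build_filter_safe(username: str) -> str:
    """Same filter, but '*', '(' and ')' in the input lose their meaning."""
    return "(cn=%s)" % escape_filter_value(username)


def count_unescaped_parens(ldap_filter: str) -> int:
    """Count '(' characters that act as filter syntax, skipping RFC 4515 '\\XX' escapes.

    A filter built from a fixed template has a fixed number of these; a larger
    count means the input added clauses, which is a cheap server-side sanity check.
    """
    count = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # skip the escape sequence '\XX' (backslash plus two hex digits)
            continue
        if ch == "(":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed inputs taken from the OWASP examples quoted in the post.
    for user_input in ["*", "jonys) (| (password = * ) )"]:
        unsafe = build_filter_unsafe(user_input)
        safe = build_filter_safe(user_input)
        print("unsafe:", unsafe, "-> clauses:", count_unescaped_parens(unsafe))
        print("safe:  ", safe, "-> clauses:", count_unescaped_parens(safe))
```

With the wildcard input the unsafe filter becomes (cn=*), which matches every entry, while the escaped form (cn=\2a) only matches a cn that literally contains an asterisk. With the second input the unsafe filter grows to three clauses, whereas the escaped one still has exactly the single clause the template defines. The ldap3 library ships the same escaping as ldap3.utils.conv.escape_filter_chars, which is what I would use in production rather than a hand-rolled table.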