Security Knowledge Framework
  • Introduction
  • Auth Bypass
    • Python - Auth Bypass
    • NodeJS - Auth Bypass
  • Auth Bypass - 1
    • Python - Auth Bypass - 1
    • NodeJS - Auth Bypass - 1
    • Java - Auth Bypass - 1
  • Auth Bypass - 2
    • Python - Auth Bypass - 2
    • NodeJS - Auth Bypass - 2
    • Java - Auth Bypass - 2
  • Auth-bypass - 3
    • Python - Auth-bypass - 3
    • NodeJS - Auth-bypass - 3
    • Java - Auth-bypass - 3
  • Auth-bypass - Simple
    • Python - Auth-bypass - Simple
    • NodeJS - Auth-bypass - Simple
    • Java - Auth-bypass - Simple
  • Client Side Restriction Bypass
    • Python - Client Side Restriction Bypass
    • NodeJS - Client Side Restriction Bypass
    • Java - Client Side Restriction Bypass
  • Client Side Restriction Bypass - Harder
    • Python - Client Side Restriction Bypass - Harder
    • NodeJS - Client Side Restriction Bypass - Harder
    • Java - Client Side Restriction Bypass - Harder
  • Client Side Template Injection (CSTI)
    • Python - Client Side Template Injection (CSTI)
    • NodeJS - Client Side Template Injection (CSTI)
    • Java - Client Side Template Injection (CSTI)
  • Command Injection (CMD)
    • Python - Command Injection (CMD)
    • NodeJS - Command Injection (CMD)
    • Java - Command Injection (CMD)
  • Command Injection 2 (CMD-2)
    • Python - Command Injection 2 (CMD-2)
    • NodeJS - Command Injection 2 (CMD-2)
    • Java - Command Injection 2 (CMD-2)
  • Command Injection 3 (CMD-3)
    • Python - Command Injection 3 (CMD-3)
    • Java - Command Injection 3 (CMD-3)
  • Command Injection 4 (CMD-4)
    • Python - Command Injection 4 (CMD-4)
    • NodeJS - Command Injection 4 (CMD-4)
    • Java - Command Injection 4 (CMD-4)
  • Command Injection Blind (CMD-Blind)
    • Python - Command Injection Blind (CMD-Blind)
    • NodeJS - Command Injection Blind (CMD-Blind)
    • Java - Command Injection Blind (CMD-Blind)
  • Content-Security-Policy (CSP)
    • Python - Content-Security-Policy (CSP)
    • NodeJS - Content-Security-Policy (CSP)
    • Java - Content-Security-Policy (CSP)
  • CORS exploitation
    • Python - CORS exploitation
    • Java - CORS exploitation
  • Credentials Guessing
    • Python - Credentials Guessing
    • NodeJS - Credentials Guessing
    • Java - Credentials Guessing
  • Credentials Guessing - 2
    • Python - Credentials Guessing - 2
    • NodeJS - Credentials Guessing - 2
    • Java - Credentials Guessing - 2
  • Cross Site Scripting (XSS)
    • Python - XSS
    • NodeJS - XSS
    • Java - XSS
  • Cross Site Scripting - Attribute (XSS-Attribute)
    • Python - XSS-Attribute
    • NodeJS - XSS-Attribute
  • Cross Site Scripting - href (XSS-href)
    • Python - XSS-href
    • NodeJS - XSS-href
    • Java - XSS-href
  • Cross Site Scripting - DOM (XSS-DOM)
    • Python - XSS-DOM
    • NodeJS - XSS-DOM
    • Java - XSS-DOM
  • Cross Site Scripting - DOM-2 (XSS-DOM-2)
    • Python - XSS-DOM-2
    • NodeJS - XSS-DOM-2
    • Java - XSS-DOM-2
  • Cross Site Scripting - Stored (XSS-Stored)
    • Java - XSS-Stored
  • CSRF
    • Python - CSRF
    • NodeJS - CSRF
    • Java - CSRF
  • CSRF - Samesite
    • Python - CSRF-SameSite
    • NodeJS - CSRF-SameSite
    • Java - CSRF-SameSite
  • CSRF - Weak
    • Python - CSRF-Weak
    • NodeJS - CSRF-Weak
    • Java - CSRF-Weak
  • CSS Injection (CSSI)
    • Python - CSS Injection (CSSI)
    • NodeJS - CSS Injection (CSSI)
    • Java - CSS Injection (CSSI)
  • Deserialisation Java (DES-Java)
    • Java - Deserialisation Java (DES-Java)
  • Deserialisation Yaml (DES-Yaml)
    • Python - Deserialisation Yaml (DES-Yaml)
  • Deserialisation Pickle (DES-Pickle)
    • Python - Deserialisation Pickle (DES-Pickle)
  • Deserialisation Pickle 2 (DES-Pickle-2)
    • Python - Deserialisation Pickle 2 (DES-Pickle-2)
  • DoS Regex
    • Python - DoS Regex
    • NodeJS - DoS Regex
    • Java - DoS Regex
  • File upload
    • Python - File-Upload
    • NodeJS - File-Upload
    • Java - File-Upload
  • Formula Injection
    • Python - Formula Injection
    • NodeJS - Formula Injection
    • Java - Formula Injection
  • GraphQL DOS
    • Python - GraphQL DOS
  • GraphQL IDOR
    • Python - GraphQL IDOR
    • NodeJS - GraphQL IDOR
    • Java - GraphQL IDOR
  • GraphQL Injections
    • Python - GraphQL Injections
    • NodeJS - GraphQL Injections
    • Java - GraphQL Injections
  • GraphQL Introspection
    • Python - GraphQL Introspection
    • NodeJS - GraphQL Introspection
    • Java - GraphQL Introspection
  • GraphQL Mutations
    • Python - GraphQL Mutations
    • NodeJS - GraphQL Mutations
    • Java - GraphQL Mutations
  • Host Header Injection (Authentication Bypass)
    • Python - HttpOnly Session Hijacking XSS
  • HttpOnly Session Hijacking XSS
    • Python - HttpOnly Session Hijacking XSS
    • NodeJS - HttpOnly Session Hijacking XSS
    • Java - HttpOnly Session Hijacking XSS
  • Information Leakeage in Comments
    • Python - Information Leakeage in Comments
    • NodeJS - Information Leakeage in Comments
    • Java - Information Leakeage in Comments
  • Information Leakeage in Metadata
    • Python - Information Leakeage in Metadata
    • NodeJS - Information Leakeage in Metadata
    • Java - Information Leakeage in Metadata
  • Insecure Direct Object References (IDOR)
    • Python - Insecure Direct Object References (IDOR)
    • NodeJS - Insecure Direct Object References (IDOR)
    • Java - Insecure Direct Object References (IDOR)
  • JWT Null
    • Python - JWT Null
    • NodeJS - JWT Null
    • Java - JWT Null
  • JWT Secret
    • Python - JWT Secret
    • NodeJS - JWT Secret
    • Java - JWT Secret
  • Ldap Injection
    • Python - Ldap Injection
    • NodeJS - Ldap Injection
    • Java - Ldap Injection
  • Ldap Injection - harder
    • Python - Ldap Injection - harder
    • NodeJS - Ldap Injection - harder
    • Java - Ldap Injection - harder
  • Local File Inclusion 1 (LFI-1)
    • Python - Local File Inclusion 1 (LFI-1)
    • NodeJS - Local File Inclusion 1 (LFI-1)
    • Java - Local File Inclusion 1 (LFI-1)
  • Local File Inclusion 2 (LFI-2)
    • Python - Local File Inclusion 2 (LFI-2)
    • NodeJS - Local File Inclusion 2 (LFI-2)
    • Java - Local File Inclusion 2 (LFI-2)
  • Local File Inclusion 3 (LFI-3)
    • Python - Local File Inclusion 3 (LFI-3)
    • NodeJS - Local File Inclusion 3 (LFI-3)
    • Java - Local File Inclusion 3 (LFI-3)
  • Parameter Binding
    • Ruby - Parameter Binding
    • NodeJS - Parameter Binding
    • Java - Parameter Binding
  • Prototype Pollution
    • NodeJS - Prototype Pollution
  • Race Condition
    • Python - Race Condition
    • NodeJS - Race Condition
    • Java - Race Condition
  • Race Condition File-Write
    • Python - Race Condition File-Write
    • NodeJS - Race Condition File-Write
    • Java - Race Condition File-Write
  • Ratelimiting (Brute-force login)
    • Python - Ratelimiting
    • NodeJS - Ratelimiting
    • Java - Ratelimiting
  • Remote File Inclusion (RFI)
    • Python - Remote File Inclusion (RFI)
    • NodeJS - Remote File Inclusion (RFI)
    • Java - Remote File Inclusion (RFI)
  • Right To Left Override (RTLO)
    • Python - Right To Left Override (RTLO)
    • NodeJS - Right To Left Override (RTLO)
    • Java - Right To Left Override (RTLO)
  • Server Side Request Forgery (SSRF)
    • Python - Server Side Request Forgery (SSRF)
    • NodeJS - Server Side Request Forgery (SSRF)
  • Server Side Template Injection (SSTI)
    • Python - Server Side Template Injection (SSTI)
    • Java - Server Side Template Injection (SSTI)
  • Session Hijacking XSS
  • Session Puzzling
    • Python - Session Puzzling
    • NodeJS - Session Puzzling
    • Java - Session Puzzling
  • Session Management 1
    • Python - Session Management 1
  • SQLI (Union)
    • Python - SQLI (Union)
    • NodeJS - SQLI (Union)
    • Java - SQLI (Union)
  • SQLI Login Bypass
    • Python - Login Bypass
  • SQLI (Like)
    • Python - SQLI (Like)
    • NodeJS - SQLI (Like)
    • Java - SQLI (Like)
  • SQLI (Blind)
    • Python - SQLI (Blind)
    • NodeJS - SQLI (Blind)
    • Java - SQLI (Blind)
  • TLS Downgrade
    • Python - TLS Downgrade
  • Untrusted Sources (XSSI)
    • Python - Untrusted Sources (XSSI)
    • NodeJS - Untrusted Sources (XSSI)
    • Java - Untrusted Sources (XSSI)
  • URL Redirection
    • Python - URL Redirection
    • NodeJS - URL Redirection
    • Java - URL Redirection
  • URL Redirection - Harder
    • Python - URL Redirection - Harder
    • NodeJS - URL Redirection - Harder
    • Java - URL Redirection - Harder
  • URL Redirection - Harder-2
    • Python - URL Redirection - Harder-2
    • NodeJS - URL Redirection - Harder-2
    • Java - URL Redirection - Harder-2
  • WebSocket Message Manipulation
    • Python - WebSocket Message Manipulation
  • XML External Entity (XXE)
    • Python - XXE
    • NodeJS - XXE
    • Java - XXE
  • Exposed docker daemon
    • Python - Exposed docker daemon
  • Insecure Random
    • Python - Insecure Random
  • template item
Powered by GitBook
On this page
  • Running the app on Docker
  • Reconnaissance
  • Exploitation
  • Additional sources

Was this helpful?

Edit on GitHub
Export as PDF
  1. Ldap Injection

Python - Ldap Injection

PreviousLdap InjectionNextNodeJS - Ldap Injection

Last updated 2 years ago

Was this helpful?

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:ldap-injection
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:ldap-injection

Now that the app is running let's go hacking!

Reconnaissance

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

Let's open the app.

Trying to loggin with a random username and password.

The application architecture that supports LDAP includes both server-side and client-side components. The LDAP queries submitted to the server are known as LDAP search filters, which are constructed using prefix notation. Below is an example of an LDAP search filter:

find("(&(cn=" + username +")(userPassword=" + pass +"))")

This prefix filter notation instructs the query to find an LDAP node with the given username and password.

Exploitation

Let's check ldap-injection.py.

search_filter = "(&(cn="+username+")(sn="+password+"))"

We can see that the filter is constructed by concatenating the username and password directly into the filter without proper sanitization. If we replace the username and password with a special character we can bypass authentication controls. Using * as the username and password will result in a successful login.

search_filter = "(&(cn=" * ")(sn=" * "))";

We successfully logged in as the Admin.

Additional sources

LogoLDAP Injection | OWASP Foundation
LogoLDAP Injection Prevention - OWASP Cheat Sheet Series
LogoWhat Is LDAP Injection and How Does It Work? | Synopsyssynopsys