
Persistant Cookies and LDAP Injection

The presentation is on Persistent Cookies and LDAP Injection. Persistent cookies stay on your hard drive (one of your browser's subfolders) until they expire or get deleted. The session will cover introduction to Persistent Cookies and applicable test-cases with respect to Web Application Penetration Testing. In LDAP Injection section, the presentation will cover: Understanding Active Directory, Understanding LDAP and How does LDAP Injection work.

  1. Understanding Persistent Cookies and LDAP Injection. A session by: Maulik Lakhani, Security Analyst and former Team Lead.
  2. Passionate Cybersecurity Analyst working in the VAPT and Application Security Assessment domain. Worked as Team Lead in 2 organizations. Handled teams of 15-20 in 3 organizations. Skilled at VAPT of Web, Android and APIs. I specialize in JS encryption, GraphQL, custom Frida scripts, root detection bypass, and SafetyNet bypass. Currently working as Security Analyst 3 at Ernst and Young GDS. Worked as Associate Information Security Analyst at Indusface. Worked as Brand Executive at Alma Mater Biz Solutions. https://www.linkedin.com/in/mauliklakhani/ https://twitter.com/MaulikxLakhani
  3. ➢ Outline
     • Understanding cookies
     • How do persistent cookies work?
     • Understanding Active Directory and LDAP
     • How does LDAP Injection work?
     • Questions and Answer session
  4. ➢ Understanding cookies
     Session cookies
     • Temporary cookie files stored in browser memory and never written to disk.
     • Erased when you close the browser. If you go back to the site, it will not recognize you.
     Persistent cookies
     • Stay on your hard drive (one of your browser's subfolders) until they expire or get deleted.
  5. ➢ Are both cookies the same?
     Session cookies
     • If a cookie does not specify an expiration date, the cookie is removed once the user quits the browser. Hence, these are used for managing sessions.
     Persistent cookies
     • Have a future expiration date which controls how long they last.
     • If the cookie setter specifies a deletion date, the cookie will be removed on that date.
  6. ➢ Use cases for persistent cookies
     Persistent cookies enable the following functionalities: user identification, user tracking, menu preferences, theme selection, language preferences.
  7. ➢ How do persistent cookies work?
     Login → browser sets cookies → browser is closed: session cookies get deleted, persistent cookies remain intact → user visits the site again → persistent cookies are sent → web app recognizes the user.
  8. ➢ How do non-persistent cookies work? Setting up a session cookie in ASP.NET (no Expires, so the browser discards it when closed):
     public void SetNonPersistentCookies(string name, string value)
     {
         HttpCookie cookie = new HttpCookie(name);
         cookie.Value = value;
         Response.Cookies.Add(cookie);
     }
     Function call: SetNonPersistentCookies("ASPSESSIONID", "47a04x3");
  9. ➢ How do persistent cookies work? Setting up a persistent cookie in ASP.NET (a future Expires makes the browser write it to disk):
     public void SetPersistentCookies(string name, string value)
     {
         HttpCookie cookie = new HttpCookie(name);
         cookie.Value = value;
         cookie.Expires = Convert.ToDateTime("10/10/2020");
         Response.Cookies.Add(cookie);
     }
     Function calls: SetPersistentCookies("UserName", "Maulik"); SetPersistentCookies("Language", "en-us");
  10. ➢ How do persistent cookies work?
     PHP code to set a cookie to expire in 10 years:
     setcookie("emailCookie", $email, time() + 60*60*24*365*10);
     Python (Django) code to set a cookie to expire in 10 years:
     from django.http.response import HttpResponse

     def view_method(request):
         email = request.POST.get("email", "")  # assumed source of the value; the slide leaves it undefined
         res = HttpResponse()
         # Django's set_cookie takes the lifetime as max_age in seconds (expires= expects a
         # datetime or a date string, not a Unix timestamp); Secure and HttpOnly limit exposure.
         res.set_cookie("emailCookie", email, max_age=60*60*24*365*10, secure=True, httponly=True)
         return res
  11. ➢ Security Impact
     • Persistent cookies are often set to expire in the distant future. If private information is stored in persistent cookies, attackers have a larger time window to steal it.
     • Persistent cookies are often used to profile users as they interact with a site.
     • Web application functionality might be exploited by manipulating the values of persistent cookies. This can lead to session and authorization related vulnerabilities.
  12. ➢ How to test
     • After login, check which cookies are stored as persistent cookies.
     • Analyze the information stored in persistent cookies.
     • Check whether the cookie value is related to a functionality or level of access. Examples: 1) UserID=50 2) isAdmin=true 3) isAdmin=1 4) functionality=dashboard,account,users
     • Manipulate the values of the persistent cookies to exploit application functionality. This can lead to authorization related vulnerabilities: Privilege Escalation, Account Takeover.
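As an added example (not code from the deck), the following Python script performs the first three checks of the test procedure above on the Set-Cookie headers of a login response. It classifies each cookie as session or persistent, computes the remaining lifetime from Max-Age or Expires, records the Secure and HttpOnly flags, and flags names or values that look like access-level state (isAdmin, UserID). The header lines, the reference date and the name hints are constructed assumptions modelled on the cookie names used in the ASP.NET snippets.

```python
"""Triage Set-Cookie headers from a login response: session vs persistent,
lifetime, flags, and whether the cookie looks like client-side authorization
state. Added example; the sample headers below are constructed, not captured."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: what a login response might send, modelled on the cookie
# names used in the deck's ASP.NET snippets plus an isAdmin flag.
SAMPLE_SET_COOKIE_HEADERS = [
    "ASPSESSIONID=47a04x3; Path=/; HttpOnly",
    "UserName=Maulik; Expires=Sat, 10 Oct 2020 00:00:00 GMT; Path=/",
    "isAdmin=true; Max-Age=315360000; Path=/",
    "Language=en-us; Max-Age=315360000; Path=/; Secure; HttpOnly",
]

# Fixed "now" so lifetimes are reproducible (assumption for the example).
REFERENCE_NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)

# Substrings in a cookie name that suggest it carries access-level data.
AUTHZ_NAME_HINTS = ("admin", "role", "userid", "user_id", "functionality", "level")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def lifetime_days(attrs, now=REFERENCE_NOW):
    """Days until the cookie expires; 0 means a session cookie (no Expires/Max-Age).
    Max-Age takes precedence over Expires, as in RFC 6265."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return 0.0


def looks_like_authz_state(name, value):
    """Heuristic from the 'How to test' slide: isAdmin=true, UserID=50, isAdmin=1."""
    lname = name.lower()
    return any(hint in lname for hint in AUTHZ_NAME_HINTS) or value.lower() in ("true", "1", "admin")


def review_cookies(headers, now=REFERENCE_NOW):
    """One finding per cookie: persistence, lifetime, flags and the authz heuristic."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs, now)
        findings.append({
            "name": name,
            "persistent": days > 0,
            "lifetime_days": round(days),
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            "authz_hint": looks_like_authz_state(name, value),
        })
    return findings


def high_risk(findings):
    """Persistent cookies that carry authz-looking state: the ones to manipulate first
    in a test, and to report, since access level belongs in the server-side session."""
    return [f["name"] for f in findings if f["persistent"] and f["authz_hint"]]


if __name__ == "__main__":
    results = review_cookies(SAMPLE_SET_COOKIE_HEADERS)
    for finding in results:
        print(finding)
    print("review first:", high_risk(results))
```

On the sample, ASPSESSIONID is the only session cookie; UserName and Language are persistent but carry no access-level state, while isAdmin is persistent, lacks Secure, and is exactly the kind of value the test procedure says to manipulate.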
  13. ➢ Demo
  14. ➢ Got questions?
  15. ➢ Understanding Active Directory
     • Directory-based, identity-related service. Provides authentication and authorization mechanisms.
     • A database and set of services that connect users with the network resources.
     • Allows management and storage of information. Stores data as objects. An object is a single element, such as a user, group, application or device like a printer.
  16. ➢ Understanding Active Directory (diagram) OU = Organizational Unit
  17. ➢ Understanding Active Directory (diagram) OU = Organizational Unit
  18. ➢ Understanding LDAP
     • Lightweight Directory Access Protocol is more efficient and consumes fewer resources than DAP.
     • A protocol to query (retrieve) information from an LDAP server.
     • The LDAP server stores authentication information such as usernames and passwords. This allows different applications and services to connect to the LDAP server to validate users.
  19. ➢ How does LDAP work
     The LDAP mechanism is based on the DN (distinguished name). It is like a unique identifier. These are sometimes used to access resources, like a username. A DN might look like:
     cn=Richard Feynman,ou=Physics Department,dc=Caltech,dc=edu
     uid=inewton,ou=Mathematics Department,dc=Cambridge,dc=com
     (CN = Common Name, OU = Organizational Unit, DC = Domain Component, UID = User ID)
     ▪ Filters: LDAP queries submitted to the server are known as LDAP search filters, which are constructed using prefix notation.
     ▪ Common operators: = (equal to), & (logical and), | (logical or), ! (logical not), * (wildcard).
  20. ➢ How LDAP authentication works
     The account holder enters the credentials. The LDAP server validates the account credentials. If the credentials are correct, authentication is successful.
     login.php?name=admin&password=secret
     find("(&(cn=" + username + ")(userPassword=" + pass + "))")
  21. ➢ LDAP Injection in Authentication (diagram)
  22. ➢ LDAP Injection in Authentication (diagram)
  23. ➢ LDAP Injection in Authentication
     "Hey! Does this user exist in your records?" "Let me check… Checking… YES!" "Alright! Then the user is valid. I'll approve login and assign a session ID. Thanks!" Session_ID=A2b4384knb89123g
  24. ➢ LDAP Injection in Authentication
     An example of an LDAP search filter: (&(User=Uname)(Password=Pwd))
     This prefix filter notation instructs the query to find an LDAP node with the given username and password.
     o If user-controlled values are appended to the LDAP search filter without any validation or sanitization, a value of '*' changes the intended meaning of the query and returns a list of all users.
     ▪ Attack Scenario:
     o If the username value is set to admin)(&)) the effective search filter becomes: (&(User=admin)(&))(Password=))
       The condition (&), highlighted in the slide, always evaluates to true, so the attacker gains access without having a valid password.
     o A tester can use a trial-and-error approach, by inserting '(', '|', '&', '*' and the other characters to check the application for errors.
  25. ➢ LDAP Injection in Authentication
     The attacker injects a payload. The application accepts the payload, ignores the password and performs a search for the admin account. If the admin account is present, the LDAP server will proceed to bind the connection and the application will think that the credentials are correct. Upon successful authentication, a session will be created.
  26. ➢ Security Impact
     • Information disclosure
     • Authentication bypass
     • Bypass access controls and gain access to higher privilege accounts
     LDAP servers often store information such as users, roles, permissions, and related objects provisioned to them.
  27. ➢ Demo
  28. The default value is passed here: |(cn=2F204)(cn="1FA04"))
  29. |(cn=2F204)(cn=")"))
  30. These characters need escaping. Hence, they can be used for fuzzing:
     • Space (' ')
     • Number sign: #
     • Double quote: "
     • Plus sign: +
     • Comma: ,
     • Semicolon: ;
     • Less than and greater than: < >
     • Backslash: \
  31. |(cn=2F204)(cn="*"))
  32. Payload and the resulting search filter:
     Payload          Search filter
     *                (attribute=*)
     value)(cn=*      (attribute=value)(attribute2=*)
  33. ➢ Remediation for LDAP Injection
     • Strictly validate user input. Allow only alphanumeric strings to be copied into queries; any other input should be rejected.
     • User input containing LDAP metacharacters like ( ) ; , * | & = " and whitespace should be rejected.
     • Use a component like LINQ to Active Directory that automatically escapes user input.
     • Least privilege: minimize the privileges assigned to the LDAP binding account.
  34. ➢ Recommended next steps:
     LDAP Injection: https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
     Hack The Box, Phonebook challenge: https://app.hackthebox.eu/challenges/phonebook
  35. ➢ Got questions?
