This document analyzes LDAP injection techniques that can be used to exploit vulnerabilities in web applications that use LDAP directories. It discusses two types of LDAP injection - classic and blind. Classic injection allows attackers to directly execute malicious queries by appending injected code that will be processed by the LDAP server. Blind injection uses a binary approach to infer information from the server response without error messages. The document examines real examples of how attackers can use injected queries to view restricted documents or obtain a full list of users from the LDAP directory. It emphasizes that input validation is needed to prevent both classic and blind LDAP injection attacks.
Devoid Web Application From SQL Injection Attack - IJRESJOURNAL
ABSTRACT: The entire field of web-based applications is driven by the Internet. In every region the World Wide Web is hugely necessary, so network assurance is a demanding job for us. Several kinds of attackers or application programmers attempt to break the protection of information and destroy the data stored in the database. The SQL Injection Attack is a very large security risk at the present day. These attacks give an attacker unlimited access to the database, or even control of the database that drives the web-based application and manages sensitive and secret records, by inserting an injurious SQL query that modifies the expected function. Many database reviewers and theorists have proposed distinct concepts for avoiding SQL Injection Attacks, but none of these concepts is completely adaptable. This research introduces a new framework for protecting web-based applications from the SQL Injection Attack. The framework presented in this research is based on two techniques, known as SQM (SQL Query Monitor) and Sanitization Application. It is a two-way filter program which analyses the user query and generates a separate key for the user before the query is sent to the application server. Several aspects of the SQL Injection Attack are also discussed in this research.
LINQ
The acronym LINQ stands for Language Integrated Query. Microsoft's query language is fully integrated and offers easy data access from in-memory objects, databases, XML documents, and many more. Through a set of extensions, LINQ integrates queries into C# and Visual Basic. This tutorial offers a complete insight into LINQ with ample examples and code. The tutorial is divided into various topics with subtopics, so that a beginner can move gradually to the more complex topics of LINQ.
The rise of mobile and the diversity of its technologies make exposing a RESTful API the most crucial capability of any application and the key to its success. In the absence of widely adopted best practices and well-defined conventions, designing such an API is anything but trivial. This presentation introduces the fundamentals of the REST architecture and discusses the principles of RESTful design. Among the topics covered: resource modeling (URI design, and canonical usage of HTTP verbs and status codes), multiple representation support, testing, cache control, security (HTTP and OAuth), and API versioning. HATEOAS and the REST maturity model are also discussed. No prior knowledge of REST is required.
A Hibernate tutorial for beginners. It describes the Hibernate concepts in a lucid manner and includes a test project (a user application with a database) to get hands-on experience with them.
JAX-RS. Developing RESTful APIs with Java - Jerry Kurian
The presentation discusses the basic REST principles and how to define a RESTful API.
The presentation then looks at the various facilities provided by JAX-RS for developing REST API using Java.
All the supported annotations and their usage are discussed with examples.
JavaOne 2010: Building enterprise web applications with spring 3
Spring is an open source, lightweight Java framework that has become the de facto standard of Java enterprise application development. This session will adopt a learn-by-example approach that combines the philosophy and theory behind Spring with concrete code examples. You'll be walked through building a full-featured Spring 3.0 enterprise Web application end to end. The basics of the Spring framework, design patterns, and best practices will be picked up along the way. Topics to be covered include: Dependency Injection, Spring MVC, Spring DAO, Spring ORM, Spring AOP, and Spring Security. This session is intended for developers at any level who are interested in writing Spring or Spring MVC Web applications.
MALWARE DETECTION USING MACHINE LEARNING ALGORITHMS AND REVERSE ENGINEERING O... - IJNSA Journal
This research paper is focused on the issue of mobile application malware detection by reverse engineering of Android Java code and the use of machine learning algorithms. The malicious software characteristics were identified based on a collected set of 1958 applications (including 996 malware applications). During the research a unique set of features was chosen, then three attribute selection algorithms and five classification algorithms (Random Forest, K Nearest Neighbors, SVM, Naïve Bayes and Logistic Regression) were examined to choose the algorithms that would provide the most effective rate of malware detection.
TrueCrypt Audit: Final Report, Phase II - Chema Alonso
Report with the results of phase II of the audit of the TrueCrypt encryption software, which looked for bugs and possible backdoors in the code.
Latch on Linux (Ubuntu): The Digital Lock - Chema Alonso
Article on how to harden Linux (Ubuntu) with Latch: the digital lock. The paper was written by Bilal Jebari http://www.bilaljebari.tk/index.php/es/blog/5-latch-en-ubuntu
Presentation given on 3 July in which the Latch plugins for OS X, Latch for Windows [Personal/Enterprise] Edition and Latch for Linux were presented. The plugins are available at: https://latch.elevenpaths.com/www/plugins_sdks.html
X Fórum AUSAPE 2014: A Decalogue of Malign Security - Chema Alonso
Slides from the talk given at the X Fórum AUSAPE 2014 in Zaragoza, in June 2014. The video of the session is available at the following link: https://www.youtube.com/watch?v=jTdmPC9Bpk0
Talk given at Asegur@IT Camp 2 in 2010 by Chema Alonso. The video of the presentation is at https://www.youtube.com/watch?v=0KYnnITHLNU and the presentation is based on the article "Buscadores como armas de destrucción masivas" (Search engines as weapons of mass destruction) http://www.elladodelmal.com/2010/03/buscadores-como-arma-de-destruccion.html
RootedCON 2014: Playing and Hacking with Digital Latches - Chema Alonso
Talk about Latch (https://latch.elevenpaths.com) and the different usage scenarios of the technology, delivered by Chema Alonso at RootedCON 2014.
Configuring and Using Latch in Magento - Chema Alonso
Tutorial by Joc on how to install and configure Latch in the Magento framework. The plugin can be downloaded from https://github.com/jochhop/magento-latch and there is a video describing its use at http://www.elladodelmal.com/2015/10/configurar-y-utilizar-latch-en-magento.html
New Paradigms of Digital Identity: Authentication & Authorization as a Servic... - Chema Alonso
Technical report created by Gartner analysts in which they explore Telefónica & Eleven Paths technologies for providing Authentication & Authorization as a Service. In it they analyse Mobile Connect, Latch, SealSign and SmartID.
Talk delivered by Chema Alonso at CyberCamp ES 2014 about the Shuabang botnet discovered by Eleven Paths. http://www.slideshare.net/elevenpaths/shuabang-with-new-techniques-in-google-play
Managing a company's security is usually like dancing on a tightrope. You have to let the business keep running, stay up to date, protect what is already deployed and innovate on new things. And, of course, more efficiently every year and with less budget. All of this with the goal that nothing happens. The conclusion is that in the end there is always low-hanging fruit for anyone to take advantage of.
Article about the X Forum AUSAPE 2014, at which Chema Alonso was a speaker. Also an article in the guest-column section on "Problem Between Chair & Keyboard". The video of the talk is available at the following URL:
https://www.youtube.com/watch?v=jTdmPC9Bpk0
Students of some undergraduate and postgraduate degrees at the Universidad Internacional de La Rioja (UNIR) can use Latch. Here is a guide to using Latch at UNIR.
Threat modeling in the context of page indexing and a proposal ... - Chema Alonso
Paper presented at RECSI 2010 on how to model threats in the context of document indexing by Internet search engines.
Most people have a good opinion of Apple hardware. In this article, José Antonio Rodriguez García tries to debunk some myths.
Online Specialization Course in Computer Security for Cyberdefense - Chema Alonso
Aimed at:
- Security managers.
- State law enforcement agencies.
- Military agencies.
- Systems engineers or similar.
- Information technology students.
Delivery: online via WebEx
Duration: 40 hours
Format: 7 modules with 20 lessons of two hours each
Dates: from 20 October to 24 November 2014 (10 November is not a teaching day)
Days and times: Monday, Tuesday, Wednesday and Thursday from 16:00 to 18:00 (Spain)
Codemotion 2013: Happy 15th Anniversary, SQL Injection - Chema Alonso
Talk by Chema Alonso on the history and evolution of SQL Injection techniques at the Codemotion ES 2013 event, held at the Escuela Universitaria de Informática of the Universidad Politécnica de Madrid.
Web Browsing Fingerprinting and Privacy in Big Data Environments - Chema Alonso
A 20-minute talk on how Big Data environments can use fingerprint details of connections to track users beyond the environments in which they are identified with their user account.
LDAP services are a key component in companies. The information stored in them is used by corporate applications. If one of these applications accepts input from a client and executes it without first validating it, attackers have the potential to execute their own queries and thereby extract sensitive information from the LDAP directory. In this paper a deep analysis of the LDAP injection techniques is presented, including Blind attacks.
CHAPTER 12 Common Software Vulnerabili - BenitoSumpter862
CHAPTER 12
Common Software Vulnerabilities and Countermeasures
In this chapter you will
• Learn about common known software vulnerabilities and mitigations
• Explore the SANS top 25 list of vulnerabilities
• Examine the OWASP list of web application vulnerabilities
• Examine the concepts of enumerated weaknesses (CWE) and vulnerabilities (CVE)
The errors associated with software fall into a series of categories. Understanding the common categories of vulnerabilities and learning how to avoid these known vulnerabilities have been proven to be among the more powerful tools a development team can use in developing more secure code. While attacking the common causes will not remove all vulnerabilities, it will go a long way toward improving the code base. This chapter will examine the most common enumerations associated with vulnerabilities and programming errors.
CWE/SANS Top 25 Vulnerability Categories
Begun by MITRE and supported by the U.S. Department of Homeland Security, the CWE/SANS Top 25 list is the result of collaboration between many top software security experts worldwide. This list represents the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. Left unmitigated, they are easy targets for attackers and can result in widespread damage to software, data, and even enterprise security.
The Top 25 list can be used in many ways. It is useful as a tool for development teams to provide education and awareness about the kinds of vulnerabilities that plague the software industry. The list can be used in software procurement as a specification of elements that need to be mitigated in purchased software. Although the list has not been updated since 2011, it is still highly relevant. One could argue over the relative position on the list, but at the end of the day, all the common vulnerabilities that can be exploited need to be fixed.
The Top 25 list can serve many roles in the secure development process. For programmers, the list can be used as a checklist of reminders, or as a source for a custom "Top N" list that incorporates internal historical data. The data can also be used to create a master list of mitigations, which when applied, will reduce the occurrence and severity of the vulnerabilities. Testers can use the list to build a test suite that can be used to ensure that the issues identified are tested for before shipping.
OWASP Top 10 2013 (Current)
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function-Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Known Vulnerable Components
A10 – Unvalidated Redirects and Forwards
OWASP Vulnerability Categories
The Open Web Appli ...
CHAPTER 12 Common Software Vulnerabili - SantosConleyha
We have evolved an IT system that is ubiquitous and pervasive and integrated into most aspects of our lives. Many of us are working on 4th and 5th level refinements in efficiency and functionality. But we stand on the shoulders of those who came before, and this restricts our freedom of action. The prior work has left us with an ecosystem which is the living embodiment of our state of the art. While we work on integration, refinement, broader application and efficiency, the results must move seamlessly into the ecosystem. Fundamental concepts are being researched in the lab and may rebuild the world we all live in; until that happens, we must work within the ecosystem.
Railsplitter is a framework which significantly reduces development cost to expose a hierarchical data model as a production quality Create, Read, Update, and Delete (CRUD) web service. Railsplitter adopts JSON API [10] as the standard for the service definition given its focus on consumption by front-end developers. Inherent in the design of JSON API are capabilities that reduce the number of round trips from client to server to fetch or update data. Updates on disparate models can happen in a single request allowing the server to build atomicity guarantees. Rather than starting from scratch with a domain-specific language (DSL) to describe a data model, Railsplitter adopts Java Persistence API (JPA) [6] - a modeling definition that is rich and has a long tenure of proven provider implementations. Unlike other approaches, Railsplitter addresses the fundamental needs of flexible, model driven authorization, interoperability with client side applications, and test automation.
Implementing Active Directory and Information Security Audit also VAPT in Fin... - KajolPatel17
The presence of an information security audit increases the probability of adopting major security measures and of preventing or reducing cyber attacks.
VAPT includes auditing the system to find vulnerabilities that may exist on it, exploiting those vulnerabilities from an attacker's perspective, and producing data that represents the system-level risk.
A source code security audit is a powerful methodology for locating and removing security vulnerabilities. An audit can be used to (1) pass a potentially prioritized list of vulnerabilities to developers, (2) exploit vulnerabilities, or (3) provide proofs of concept for potential vulnerabilities. The security audit research currently remains disjoint, with minor discussion of the methodologies utilized in the field. This paper assembles a broad array of literature to promote standardizing source code security audit techniques. It then explores a case study using the aforementioned techniques.
The case study analyzes the security of a stable version of the Apache Traffic Server (ATS). The study takes a white- to gray-hat point of view as it reports vulnerabilities located by two popular proprietary tools, examines and connects potential vulnerabilities with a standard community-driven taxonomy, and describes the consequences of exploiting the vulnerabilities. A review of other security-driven case studies concludes this research.
The purpose of this paper is twofold. First and foremost it presents a background narrative on the origins, innovations and applications of novel structural automation technologies and the rarity of experts involved in research, development and practice in this field. The second part of this paper presents a rudimentary framework for a solution addressing this paucity: the creation of an interdisciplinary academic program at PAAET that will be the first ever in the region to address applied information and communication technologies (ICT) in the design, planning, engineering and management of structural automation projects. In doing so, we also need to define the level of implementation. This field, as all fields in ICT, has been loosely defined, and most applications carry less weight in their implementation than what should be applied. This paper attempts to define an indexing scheme by which we can easily classify such implementations and generate a ranking by which we can safely define their level of "Intelligence".
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & Science, Power Electronics, Electronics & Communication Engineering, Computational Mathematics, Image Processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design, etc.
Machine and deep learning techniques for detecting internet protocol version ... - IJECEIAES
The rapid development of information and communication technologies has increased the demand for internet-facing devices that require publicly accessible internet protocol (IP) addresses, resulting in the depletion of internet protocol version 4 (IPv4) address space. As a result, internet protocol version 6 (IPv6) was designed to address this issue. However, IPv6 is still not widely used because of security concerns. An intrusion detection system (IDS) is one example of a security mechanism used to secure networks. Lately, the use of machine learning (ML) or deep learning (DL) detection models in IDSs is gaining popularity due to their ability to detect threats on IPv6 networks accurately. However, there is an apparent lack of studies that review ML and DL in IDS. Even the existing reviews of ML and DL fail to compare those techniques. Thus, this paper comprehensively elucidates ML and DL techniques and IPv6-based distributed denial of service (DDoS) attacks. Additionally, this paper includes a qualitative comparison with other related works. Moreover, this work also thoroughly reviews the existing ML and DL-based IDSs for detecting IPv6 and IPv4 attacks. Lastly, researchers could use this review as a guide in the future to improve their work on DL and ML-based IDS.
An approach for slow distributed denial of service attack detection and allev... - nooriasukmaningtyas
Over the last few years, the need for programmable networks has captured the interest of industrialists and academicians. It has led to the development of a paradigm called software defined network (SDN). It separates the network intelligence into the control plane and forwarding logic into the data plane. This architecture gives scope to various security issues of which denial of service (DoS) is the most common and challenging to detect. This paper focuses on the detection and mitigation of a slow DoS attack called Slowloris on Apache2 server in SDN based networks. The proposed solution is called Slowloris detection and mitigation mechanism (SDMM). Mininet, an emulator, and SimpleHTTPServer are used for simulation and the same is implemented using Zodiac FX OpenFlow switch, Ryu controller and Apache2 server. SDMM algorithm detects and mitigates prolonged Slowloris attack in typical networks as well as in slow networks with low bandwidth and high delay in 240-280s with an accuracy of 100% and 98% respectively. It uses expectation of burst size as a key factor for detection.
FIRECOL: A COLLABORATIVE PROTECTION NETWORK FOR THE DETECTION OF FLOODING DDO... - Deenuji Loganathan
Distributed denial-of-service (DDoS) attacks remain a major security problem, the mitigation of which is very hard especially when it comes to highly distributed botnet-based attacks. The early discovery of these attacks, although challenging, is necessary to protect end-users as well as the expensive network infrastructure resources. In this paper, we address the problem of DDoS attacks and present the theoretical foundation, architecture, and algorithms of FireCol. The core of FireCol is composed of intrusion prevention systems (IPSs) located at the Internet service providers (ISPs) level. The IPSs form virtual protection rings around the hosts to defend and collaborate by exchanging selected traffic information. The evaluation of FireCol using extensive simulations and a real dataset is presented, showing FireCol effectiveness and low overhead, as well as its support for incremental deployment in real networks.
Hunting Cybercriminals with: OSINT + Cloud Computing + Big Data - Chema Alonso
Slides from the presentation given by Chema Alonso during the CELAES 2015 conference on 15 October in Panama. It discusses how Eleven Paths and Telefónica use the Tacyt, Sinfonier and Faast technologies to fight e-crime.
CritoReto 4: Looking for a Needle in a Haystack - Chema Alonso
In recent months British counterintelligence has made great strides in locating active Russian agents on English soil. The advances in cryptanalysis by the now-promoted Captain Torregrosa have made it possible to locate the Russian agents' central place of work. After days of watching the "Royal China Club", no movement is observed; it gives the impression that it is not a usual meeting place, although according to the information gathered, the Russian operatives' most sensitive data is at that location. For this reason, it is decided to enter the club and copy all the information in order to analyse it. Among the most curious things found is a poster on the wall with a somewhat strange image and a kind of crossword, as well as a text printed on a table. No unusual electronic device, nor anything apparently encrypted. Will British intelligence finally find the Russian agents? Time is running against them...
Talk delivered by Chema Alonso at RootedCON Satellite (Saturday 12 September 2015) about how to do hacking & pentesting using dorks over Tacyt, a Big Data platform of Android apps.
Pentesting with PowerShell: 0xWord Book - Chema Alonso
Table of contents of the book "Pentesting con PowerShell" from 0xWord.com. More information, and where to buy it, at the following URL: http://0xword.com/es/libros/69-pentesting-con-powershell.html
Recovering Sound Devices in Windows Vista and Windows 7 - Chema Alonso
Windows Técnico article showing how to recover sound devices in Windows Vista and Windows 7 when they disappear. More information at http://www.elladodelmal.com
Talk given by Chema Alonso at the Internet 3.0 conference on 24 April 2015 in Alicante about how people who believe in magic, free solutions end up being scammed or falling victim to fraud. All parts of the presentation carry links to the corresponding articles for further information.
Lecture given by Chema Alonso at the First European Congress of Computer Engineers, held in Madrid on 20 April 2015 as part of the activities of Semana de la Informática 2015. The video of the lecture is at the following URL: https://www.youtube.com/watch?v=m6WPZmx7WoI
Fourth Edition of the Online Specialization Course in Computer Security ... - Chema Alonso
Fourth Edition of the Online Specialization Course in Computer Security for Cyberdefense
From 4 May to 4 June 2015
Aimed at:
- Security managers.
- State law enforcement agencies.
- Military agencies.
- Systems engineers or similar.
- Information technology students
Table of contents of the book "Hacking con Python" written by Daniel Echevarri and published by 0xWord. More information at: http://0xword.com/es/libros/67-hacking-con-python.html
Your iPhone Is as (In)secure as Your Windows - Chema Alonso
Talk given by Chema Alonso at Five Talks about how iPhone security works. More information and details in the book Hacking iOS {iPhone & iPad} http://0xword.com/es/libros/39-libro-hacking-dispositivos-ios-iphone-ipad.html
Codemotion ES 2014: Love Always Takes Care & HumilityChema Alonso
Talk delivered by Chema Alonso in Codemotion 2014 ES {Madrid}. It is about passwords, second factor authentication and Second Factor Authorization using Latch... with a Breaking Bad touch.
Analizando la efectividad de ataques de correlación pasivos en la red de ano...Chema Alonso
Traducción de la tesis de Sam DeFabbia-Kane en el año 2011. Una tesis entregada a la facultad de la Universidad Wesleyana como cumplimiento parcial de los requerimientos para el Diploma de Bachiller de Artes con Honores Departamentales en Ciencias de la Computación
Presentación impartida por Chema Alonso en las Navajas Negras 4 Edición (año 2014) sobre la indexación de contenido en los buscadores y cómo aprovecharlo para hacer auditorías de seguridad y hacking
Conferencia impartida en el Asegúr@IT Camp 2, en el año 2010, por Chema Alonso sobre cómo se pueden indexar XSS Reflejados para convertirlos en XSS Google Persistentes. El vídeo de la conferencia está en la siguiente URL: https://www.youtube.com/watch?v=0KYnnITHLNU
Código para Latch físico: Touch_calibrate.pyChema Alonso
Código en Python para el hack de controlar un cerrojo con un Latch y una conexión en Raspbery Pi. Más información aquí: http://blogthinkbig.com/latch-cerrojo/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
The Art of the Pitch: WordPress Relationships and Sales
TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING
LDAP Injection Techniques
José María Alonso, Rodolfo Bordón, Marta Beltrán and Antonio Guzmán
Abstract—The increase in the number of databases accessed only by some applications has made code injection attacks an important threat to almost any current system. If one of these applications accepts inputs from a client and executes these inputs without first validating them, the attackers are free to execute their own queries and therefore to extract, modify or delete the content of the database associated with the application. Several works have analyzed SQL injection attacks and their consequences. However, there is very little work on other code injection techniques attacking other languages or protocols. In this paper a deep analysis of the LDAP injection techniques is presented. Furthermore, a clear distinction between classic and blind injection techniques is made. Finally, a real LDAP environment has been implemented to evaluate the security of applications based on LDAP and to exemplify the most common vulnerabilities and their possible consequences.
Index Terms—Web applications security, code injection techniques, LDAP.
I. INTRODUCTION
The amount of data stored in organizational databases has increased very fast in recent years due to the rapid advancement of information technologies, and much of this data is sensitive, private and critical to the organizations, their clients and partners.
Therefore, the databases are usually installed behind internal firewalls, protected with intrusion detection mechanisms and accessed only by some application programs. To access a database, users have to connect to one of these applications and submit queries through them to the database. The threat to databases then arises when these application programs do not behave properly and send these queries without validating user inputs first.
In fact, over 50% of web application vulnerabilities are input validation vulnerabilities ([1]), which allow the exploitation of code injection techniques.
These attacks have proliferated in recent years, causing severe damage in several systems and applications. The SQL injection techniques are the most widely used and studied ([2], [3], [4], [5]), but there are other injection techniques associated with other languages or protocols such as XPath ([6], [7]) or LDAP ([8], [9]).
The only hope of preventing the consequences of this kind of attack lies in studying the different code injection possibilities and in making them public and well known to all programmers and administrators ([10], [11], [12]).
In this paper the LDAP injection techniques are analyzed in depth, because all the web applications based on LDAP trees can be vulnerable to this kind of attack. The key to exploiting injection techniques with LDAP is to concatenate attack filters to the filters used to search in the directory services.
Using these techniques, an attacker may obtain direct access to the hierarchical database underlying an LDAP tree, and therefore to important information of the corporate network. This can be even more critical because the security of many applications and services is based on LDAP directories in current single sign-on environments ([13], [14]). Although the vulnerabilities that lead to these consequences are easy to understand and to solve, they persist due to the lack of information about these attacks and their effects.
José María Alonso and Rodolfo Bordón are with Informatica64, c/Juan Ramon Jimenez 8, 28933 Móstoles, Madrid, Spain. Email: chema@Informatica64.com, rodol@Informatica64.com
Marta Beltrán and Antonio Guzmán are with the Computing Department, Universidad Rey Juan Carlos, Edificio Departamental II, Campus de Móstoles, 28933 Móstoles, Madrid, Spain. E-mail: marta.beltran@urjc.es, antonio.guzman@urjc.es
The main contributions of this paper are a first study of the LDAP vulnerabilities and a deep analysis of the injection techniques which can be used to exploit these vulnerabilities. Furthermore, a real environment has been implemented to perform different experiments in typical LDAP scenarios and to evaluate the possible danger of this kind of attack.
It is important to note that the use of filters to limit the information that is shown to a client sending an LDAP search to the server does not increase the security of the applications, because these filters do not prevent the use of blind code injection techniques, which are capable of exploiting injection vulnerabilities without detailed error messages from the server. Therefore, both the classic and the blind code injection techniques will be studied in depth in this paper.
This paper is organized as follows. Section 2 gives an LDAP protocol overview necessary to understand the concepts used in the rest of the paper. Section 3 presents the typical LDAP environment where the LDAP injection attacks reported in Section 4 usually take place. Section 5 summarizes the most important results obtained using these injection techniques to exploit the reported vulnerabilities in the typical environments. Based on these results, solutions for the LDAP injection vulnerabilities are proposed in Section 6. And, finally, Section 7 presents conclusions and future work.
II. LDAP OVERVIEW
Directories are hierarchical databases designed to store and organize information sharing certain common attributes:
• The information structure: a tree of directory entries.
• Powerful browsing and search capabilities.
Therefore, a directory is a database specialized in searches rather than updates, and in processing specific queries rather than listing results. Furthermore, a directory tolerates temporary inconsistencies between its copies.
A directory service is a software application implemented to access the directory information. It usually allows data replication and distribution and acts as an abstraction layer between users and shared resources.
The Lightweight Directory Access Protocol is a protocol for querying and modifying directory services running over TCP/IP ([15], [16]). It allows quick and efficient searches and updates of this kind of service. The most widely used implementations of this protocol are ADAM (Active Directory Application Mode, [17]) and OpenLDAP ([18]).
LDAP is object-oriented; therefore, every entry in an LDAP tree is an instance of an object and must conform to the rules fixed for the attributes of that object.
LDAP is also based on the client/server model; therefore, clients send operation requests to the server and the server responds with the directory information. The most frequent operation request is to search for directory entries, and to respond to these requests the server has to test whether an entry of the LDAP tree contains a given attribute value. This test is performed using the LDAP filters defined in RFC 4515.
The structure of these filters can be summarized with:
Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = | filterlist
Not = ! filter
Filterlist = 1*filter
Item = simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = "=" / "~=" / ">=" / "<="
Present = attr = *
Substring = attr "=" [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
It can be seen that all the filters must be enclosed in parentheses, and that only a reduced set of logical (AND, OR and NOT) and relational (≤, ≥, =, ~=) operators is available to construct them. In addition, one special character, the asterisk, can be used to replace one or more characters in the construction of the filters.
III. TYPICAL LDAP ENVIRONMENT
LDAP services are a key component for the daily operation of many companies and institutions. Directory Services such as Microsoft Active Directory, Novell E-Directory or RedHat Directory Services are based on the LDAP protocol ([19]). But there are other applications and services taking advantage of the LDAP services.
In the past, these applications and services required different directories (with different user names and passwords) to work. For example, a directory was required for the domain, a separate directory for mailboxes and distribution lists, and more directories for remote access, databases or web applications.
But new directories based on LDAP services are multi-purpose, working as centralized information repositories for user authentication and enabling single sign-on environments.
This new scenario increases productivity by reducing the administration complexity and by improving security and fault tolerance. In practically all environments, the applications based on LDAP services use the directory for one of these purposes:
• Access control (user/password pair verification, user certificate management).
• Privileges management.
• Resources management.
Due to the importance of the LDAP services for corporate networks, the LDAP servers are usually placed in the backend with the rest of the database servers.
IV. LDAP INJECTION
The LDAP injection attacks are based on the same techniques as the SQL injection attacks.
The underlying concept is to take advantage of the parameters introduced by the client to generate the LDAP query. A secure application should filter these inputs before constructing the query sent to the server. But in a vulnerable environment these parameters are not filtered and the attacker can inject code to change the results obtained with the query.
Taking into consideration the structure of the LDAP filters explained in Section II and the behaviour of the most widely used LDAP implementations, ADAM and OpenLDAP, the following conclusions can be drawn about code injection:
• ((normal query)(code injection)): If the filter used to construct the query has this structure, the code injection has no effect because the server only processes the first complete filter structure, in this case the normal query.
• (|(normal query)(code injection)): In this case, the code injected to the right of the normal query is processed if the filter syntax is correct, due to the | operator at the beginning of the query. The OR logic operation is performed between the results of the normal query and the results obtained with the injected code if the application does not filter the parameters introduced by the user.
• (&(normal query)(code injection)): In this last case, the code injected to the right is again processed if the filter syntax is correct, now due to the & operator at the beginning of the query. The AND logic operation is performed between the results of the normal query and the results obtained with the injected code if the application does not filter the parameters introduced by the user.
Therefore, code injection attacks can be performed only when the parameters introduced by the user are not filtered and the normal queries begin with a logical operator | or &.
In these cases, two kinds of injection can be generated depending on the LDAP environment: classic code injection or blind code injection.
A. Classic Code Injection
The typical test to find out whether an application is vulnerable to code injection consists of sending the server a query that generates an invalid input. If the server returns any error message, it is clear to the attacker that the server has executed his query and that he can exploit the code injection techniques to extract the information he wants.
In the case of LDAP injection, two kinds of environments can be distinguished:
• AND LDAP Injection: In this case the application constructs the normal query to search in the LDAP tree with the & operator and one or more parameters introduced by the user. For example:
(& (parameter1=value1)(parameter2=value2))
where value1 and value2 are the client's inputs used to perform the search in the hierarchical database. The attacker can inject code into the normal query using the client input value1, maintaining a correct filter construction but using the query to achieve his own objectives.
For example, suppose that this query lists all the documents visible to users with a low security level:
(& (directory=documents)(security level=low))
where documents is the value given for the first client input and low is the value given for the second. But if the attacker wants to list all the documents visible to the high security level, he can use a code injection technique:
(& (directory=documents)(security level=high))(& (directory=documents)(security level=low))
Examining this query, the following structure has been injected into the original query using the first client input value:
value1 = documents)(security level=high))(& (directory=documents
LDAP only processes the first complete filter structure, so only the following query is processed:
(& (directory=documents)(security level=high))
while (& (directory=documents)(security level=low)) is ignored. But the attacker has injected all the code necessary to maintain correct syntax in the LDAP query.
As a result, a list with all the documents available to users with a high security level is displayed to the attacker although he has no privileges to see them.
• OR LDAP Injection: In this case the application constructs the normal query to search in the LDAP tree with the | operator and one or more parameters introduced by the user. For example:
(| (parameter1=value1)(parameter2=value2))
where value1 and value2 are the client's inputs used to perform the search in the hierarchical database. Again the attacker can inject his own query into the server using the first client input.
For example, suppose that this query is meant to find a user named John Smith, but the client does not know whether the user has been registered with his name or with his surname:
(| (uid=John)(uid=Smith))
Following the example, if the attacker wants to know the names of all the users in the tree, he could inject code in the first parameter to construct the following query:
(| (uid=void)(uid=*))(|(uid=*)(uid=Smith))
Examining this query, void)(uid=*))(| (uid=* and Smith are the client's inputs. The LDAP server only processes the first complete filter structure, so only this query is processed:
(| (uid=void)(uid=*))
while (|(uid=*)(uid=Smith)) is ignored. But the attacker has injected all the code necessary to maintain correct syntax in the LDAP query.
As a result, a list with all the users would be displayed, because the first part of the processed filter is always a logical '0' (the value of void) and the second uses the asterisk operator to replace all the uid characters.
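The filter grammar of Section II and the "first complete filter structure" behaviour that the AND and OR examples above rely on can be modelled in a few dozen lines. The following Python is an added example and not code from the paper or its authors: the recursive-descent parser, the in-memory "server" (server_search), the sample entries (DOCS), the query builders (build_unsafe, build_safe) and the RFC 4515 escaping routine are all constructed here. The toy server deliberately copies the behaviour the paper describes (parse one complete filter, ignore whatever follows); that is a model of the text, not a claim about any particular LDAP product. Filters are written without the space after & or | that the paper uses for readability.

```python
"""Toy model of the filter grammar from Section II and of the injection
behaviour described in Section IV.A.  Added illustration, not code from the
paper: the parser, the in-memory "server", the escaping routine and the
sample entries are all constructed for this example."""
import re

# Item = attr filtertype assertionvalue; a raw value may not contain parentheses.
_ITEM = re.compile(r"([A-Za-z][\w ;-]*)(~=|>=|<=|=)([^()]*)")


def _unescape(value):
    # Decode RFC 4515 hex escapes (e.g. \2a) back into the literal character.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s, pos=0):
    """Parse ONE complete filter at s[pos]; return (node, offset just after it)."""
    if pos + 1 >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if s[pos] in "&|":                       # And = & filterlist / Or = | filterlist
        op, pos, kids = ("and" if s[pos] == "&" else "or"), pos + 1, []
        while pos < len(s) and s[pos] == "(":
            kid, pos = parse_filter(s, pos)
            kids.append(kid)
        if not kids:
            raise ValueError("filterlist needs at least one filter")
        node = (op, kids)
    elif s[pos] == "!":                      # Not = ! filter
        kid, pos = parse_filter(s, pos + 1)
        node = ("not", kid)
    else:                                    # Item = simple / present / substring
        m = _ITEM.match(s, pos)
        if not m:
            raise ValueError(f"bad item at offset {pos}")
        attr, ftype, value = m.groups()
        pos = m.end()
        if ftype == "=" and value == "*":
            node = ("present", attr)
        elif ftype == "=" and "*" in value:  # an escaped \2a is NOT a wildcard
            node = ("substring", attr, [_unescape(p) for p in value.split("*")])
        else:
            node = ("simple", attr, ftype, _unescape(value))
    if pos >= len(s) or s[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: attribute -> values)."""
    kind = node[0]
    if kind == "and":
        return all(matches(k, entry) for k in node[1])
    if kind == "or":
        return any(matches(k, entry) for k in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    if kind == "present":
        return bool(values)
    if kind == "substring":
        pattern = ".*".join(re.escape(p) for p in node[2])
        return any(re.fullmatch(pattern, v) for v in values)
    ftype, want = node[2], node[3]
    if ftype in ("=", "~="):                 # approximate match treated as equality here
        return want in values
    return any((v >= want) if ftype == ">=" else (v <= want) for v in values)


def server_search(filter_str, entries):
    """Mimic the behaviour the paper describes: only the first complete filter is
    processed and the rest is ignored.  Returns (matching cn values, ignored tail)."""
    node, end = parse_filter(filter_str)
    return [e["cn"][0] for e in entries if matches(node, e)], filter_str[end:]


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that would otherwise alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_unsafe(directory, level):
    # Raw concatenation of client input: the vulnerable construction of Section IV.A.
    return f"(&(directory={directory})(security level={level}))"


def build_safe(directory, level):
    # Same query, with every client-supplied assertion value escaped first.
    return (f"(&(directory={escape_filter_value(directory)})"
            f"(security level={escape_filter_value(level)}))")


# Constructed sample entries (not from the paper).
DOCS = [
    {"cn": ["budget.pdf"], "directory": ["documents"], "security level": ["low"]},
    {"cn": ["merger.pdf"], "directory": ["documents"], "security level": ["high"]},
    {"cn": ["notes.txt"], "directory": ["drafts"], "security level": ["low"]},
]
# The first-input value from the paper's AND injection example.
INJECTED = "documents)(security level=high))(&(directory=documents"


def demo():
    """Return (unsafe result, safe result), each as (matched cns, ignored tail)."""
    return (server_search(build_unsafe(INJECTED, "low"), DOCS),
            server_search(build_safe(INJECTED, "low"), DOCS))
```

Running demo() shows the two outcomes side by side: with raw concatenation the server processes (&(directory=documents)(security level=high)), returns the high-security document and silently drops the intended (security level=low) clause as an ignored tail; with the escaped value the whole string is one filter whose assertion value is the literal text the client typed, nothing matches, and nothing is ignored. Escaping is the mitigation that works regardless of which logical operator the application's query starts with.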
B. Blind Code Injection
One widespread solution to the code injection vulnerabilities is to prevent the server from showing error messages when it executes invalid queries. But this kind of filtering only prevents the classic code injection techniques explained in the previous section.
A secure application should reject any query with injected code because it should filter the client's input parameters. But a fortified application of this kind does not perform this filtering; it only filters the error messages produced by the server when it executes invalid injected code. Therefore, suppressing the error messages is not enough to prevent all the injection techniques, only the classic injection.
Suppose that an attacker can infer from the server response, even though it does not show error messages, whether the code injected in the query generates a valid response (true result) or an error (false result). Then the attacker could use this behavior to ask the server true or false questions.
This kind of injection is a more tedious method than the classic one, but it can be easily automated (it is based on very simple binary logic) and allows the same information to be extracted.
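Because the binary approach needs one request per question, it leaves a recognisable trail on the web server: many requests from one client whose parameter values carry raw filter metacharacters and differ only in a growing suffix. The following scanner is an added example for the detection side and is not part of the paper: the access-log format, the log lines (LOG) and the alert threshold are all constructed assumptions, and suspicious_values and scan are names chosen here.

```python
"""Detection-side companion to the blind injection discussion: flag request
parameters that carry raw LDAP filter metacharacters and alert on clients
that send many of them.  Added example, not from the paper; the log format,
the log lines and the threshold are constructed assumptions."""
import re
from collections import defaultdict
from os.path import commonprefix
from urllib.parse import parse_qs, urlsplit

# Characters that must be escaped inside an assertion value (RFC 4515);
# a raw one in client input is a strong sign of an injection attempt.
_META = re.compile(r"[()*\\\x00]")
# Constructed log format: client_ip "METHOD path?query" status
_LINE = re.compile(r'^(\S+) "(?:GET|POST) (\S+)" (\d{3})$')


def suspicious_values(query):
    """Return (name, value) pairs whose decoded value contains raw metacharacters."""
    pairs = parse_qs(query, keep_blank_values=True).items()
    return [(n, v) for n, vals in pairs for v in vals if _META.search(v)]


def scan(log_lines, threshold=5):
    """Scan access-log lines.  Returns (flagged, alerts): one tuple per
    suspicious request, and per alerted client its request count plus the
    prefix its suspicious values share.  Many requests sharing a long prefix
    is the signature of the character-by-character booleanization."""
    flagged, by_client = [], defaultdict(list)
    for line in log_lines:
        m = _LINE.match(line)
        if not m:
            continue                        # not in the expected format; skip
        ip, target, _status = m.groups()
        for name, value in suspicious_values(urlsplit(target).query):
            flagged.append((ip, name, value))
            by_client[ip].append(value)
    alerts = {ip: {"count": len(vals), "shared_prefix": commonprefix(vals)}
              for ip, vals in by_client.items() if len(vals) >= threshold}
    return flagged, alerts


# Constructed access-log sample: one ordinary client, one probing client and
# one client with a single odd request.  Values are URL-encoded as a browser
# would send them (%28 = "(", %29 = ")", %2A = "*", %3D = "=").
LOG = [
    '10.0.0.5 "GET /printers?type=Epson" 200',
    '10.0.0.5 "GET /printers?type=Epson%20Stylus" 200',
    '10.0.0.7 "GET /printers?type=%2A%29%28objectClass%3D%2A" 200',
    '10.0.0.7 "GET /printers?type=%2A%29%28objectClass%3Da%2A" 200',
    '10.0.0.7 "GET /printers?type=%2A%29%28objectClass%3Db%2A" 200',
    '10.0.0.7 "GET /printers?type=%2A%29%28objectClass%3Dc%2A" 200',
    '10.0.0.7 "GET /printers?type=%2A%29%28objectClass%3Dd%2A" 200',
    '10.0.0.7 "GET /printers?type=%2A%29%28objectClass%3De%2A" 200',
    '10.0.0.9 "GET /printers?type=%28Epson%29" 200',
]


def demo():
    """Scan the constructed sample and return (flagged, alerts)."""
    return scan(LOG)
```

The metacharacter check alone produces a flag for every odd request, so the per-client count and the shared prefix are what turn it into an actionable alert; an application that legitimately lets users type a wildcard would need that character removed from the pattern or its own parameter whitelisted.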
• AND Blind LDAP Injection: Suppose a query to list all the
Epson printers available in a shop in a system where LDAP
message errors are filtered:
(& (objectClass=printer)(type=Epson*))
With this query, if there is some Epson printer available, a printer
icon is shown to the client, else, no icon is shown.
If the attacker wants to use a blind LDAP injection technique,
he can inject code to construct the following query:
(& (objectClass=*)(objectClass=*))(&
(objectClass=void)(type=Epson*))
Examining this query, the *)(objectClass=*))(& (object-
Class=void structure has been injected in the original query.
LDAP only processes the first complete filter structure, then,
only the query (& (objectClass=*)(objectClass=*)) is pro-
cessed. As a result, the printer icon must be shown to the
client, because this query always obtains results: the filter
objectClass=* always returns some object (true result).
From this point, it is easy to use blind injection techniques. The
following injections can be constructed:
(& (objectClass=*)(objectClass=users))(&
(objectClass=foo)(type=Epson*))
(& (objectClass=*)(objectClass=logins))(&
(objectClass=foo)(type=Epson*))
(& (objectClass=*)(objectClass=passwd))(&
(objectClass=foo)(type=Epson*))
(& (objectClass=*)(objectClass=resources))(&
(objectClass=foo)(type=Epson*))
This set of queries allows the attacker to infer the different
objectClass values possible in the LDAP tree. When a query
returns the printer icon, the objectClass exists (true results),
and when the query does not obtain the icon as a result, the
objectClass does not exist in the tree (false results).
But there is a more efficient way to query the LDAP server,
using an alphabetic search:
(& (objectClass=*)(objectClass=a*))(& (objectClass=foo)(type=Epson*))
(& (objectClass=*)(objectClass=b*))(& (objectClass=foo)(type=Epson*))
(& (objectClass=*)(objectClass=c*))(& (objectClass=foo)(type=Epson*))
.....
(& (objectClass=*)(objectClass=z*))(& (objectClass=foo)(type=Epson*))
With these queries, the first characters of the different objectClass
values are found. Then, the attacker can continue with the second
characters, with the third, etc. to find the complete objectClass
value names. For example:
(& (objectClass=*)(objectClass=aa*))(& (objectClass=foo)(type=Epson*))
(& (objectClass=*)(objectClass=ab*))(& (objectClass=foo)(type=Epson*))
(& (objectClass=*)(objectClass=ac*))(& (objectClass=foo)(type=Epson*))
This mechanism is one kind of booleanization (based on true and
false questions) and it is usually called character displaying. It
is summarized in figure 1 and can be applied in many different
ways. For example, once the attacker knows that users is a valid
objectClass for the LDAP tree, he can infer all the user names:
(& (objectClass=users)(objectClass=a*))(& (objectClass=foo)(type=Epson*))
(& (objectClass=users)(objectClass=b*))(& (objectClass=foo)(type=Epson*))
(& (objectClass=users)(objectClass=c*))(& (objectClass=foo)(type=Epson*))
And so on. Therefore, even when the error messages from the
LDAP server are filtered, the attacker can extract information
from the LDAP tree using blind injection techniques.
4. TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 4
Fig. 1. Blind LDAP injection booleanization mechanism: character displaying
Fig. 2. Login page with a LDAP injection vulnerability
• OR LDAP Injection: In this case, the logic used to infer the
desired information is the opposite, due to the presence of the
OR operator. Following the Epson printers example, the injection
in an OR environment would be:
(| (objectClass=void)(objectClass=void))(& (objectClass=void)(type=Epson*))
This query obtains a false result from the LDAP server, therefore
the printer icon is not shown to the client. Any result different
from this one is the true result.
The queries constructed to extract the LDAP tree information
are the following:
(| (objectClass=void)(objectClass=users))(& (objectClass=void)(type=Epson*))
(| (objectClass=void)(objectClass=passwd))(& (objectClass=void)(type=Epson*))
(| (objectClass=void)(objectClass=resources))(& (objectClass=void)(type=Epson*))
And the techniques explained in the AND environment using
the character displaying mechanism (with the asterisk operator)
can be used again to extract all the LDAP tree information.
V. EXPLOITATION EXAMPLES
In this section, a real LDAP environment has been implemented to
exemplify the use of the injection techniques explained in the previous
section. Furthermore, the possible effects of exploiting these
vulnerabilities are presented to show the important impact of these
attacks on system security.
A. Classic Injection Techniques
1) Example 1 - Avoiding Access Control: A login page has two
text box fields for entering user name and password (figure 2). Let
Uname and Pwd represent the strings contained in text boxes,
therefore, the two client inputs.
To verify the existence of the user/password pair supplied by a
client, a LDAP query is constructed and sent to the LDAP server:
(& (USER=Uname)(PASSWORD=Pwd))
Fig. 3. Home page shown to the attacker after avoiding the access control
This is an AND LDAP injection case, therefore, if an attacker
enters a valid user name, for example slisberger, and injects the
appropriate sequence after this name, supplying the password can be
avoided.
Making Uname=slisberger)(&)) and introducing any string, no matter
which, as the Pwd value, the following query is constructed and sent
to the server:
(& (USER=slisberger)(&))(PASSWORD=Pwd))
Only the first complete filter structure is processed by the LDAP
server, so only the query (& (USER=slisberger)(&)) is processed.
This query is always true, so the attacker gains access to the
system without having a valid password (figure 3).
2) Example 2 - Avoiding Privileges Management: In this example,
an attacker with low security level avoids the system privileges
management gaining access to documents only available for users
with high privileges. To perform this attack, the environment is again
an AND LDAP injection case (figure 4), because the normal query
used to obtain the documents available for a certain user is:
(& (path=Documents)(level=LVL))
Where LVL denotes the privileges of the user. If the attacker has
low level privileges, the query is:
(& (path=Documents)(level=low))
But injecting the sequence Documents)(level=high)) as the value
of the path field, a user with low level privileges will have access to
the high level documents, because the following query is constructed:
(& (path=Documents)(level=high))(level=low))
Only the first complete filter is processed by the LDAP server,
therefore, the obtained result is the one shown in figure 5.
Fig. 4. Documents available for a user with low privileges
Fig. 5. Documents available for the attacker after avoiding the privileges management
Fig. 6. Resources available for the user from the Resource Explorer
3) Example 3 - Avoiding Resources Management: Suppose that
there is a Resource Explorer to allow users to know the resources
available in the system (printers, scanners, storage systems, etc.). This
is a typical OR LDAP injection case, because the query used to show
the available resources is:
(| (objectclass=Rsc1)(objectclass=Rsc2))
Where Rsc1 and Rsc2 represent the different kinds of resources
in the system. In figure 6, Rsc1=printer and Rsc2=scanner to show
all the available printers and scanners in the system.
If the attacker makes Rsc1=printer)(uid=*)), the following query
is sent to the server:
(| (objectclass=printer)(uid=*))(objectclass=scanner))
Only the first correct filter is processed by the server. As a
result, all the system users' uids are shown to the attacker (figure
7). This information can be very dangerous, for example, when used
in attacks similar to the one performed in Example 1 to avoid
access control.
Fig. 7. Information available for the attacker after the LDAP injection
Fig. 8. Attributes defined for the objectclass printer
Fig. 9. Normal behavior of the application
B. Blind Injection Techniques
1) Example 1 - Extracting LDAP Tree Information: In this example
the page printerstatus.php receives a parameter idprinter to
construct this query:
( & (idprinter=Value1)(objectclass=printer))
If the attributes defined for the objectclass printer are those shown
in figure 8, the result of this query for Value1 = HPLaserJet2100 is
shown in figure 9.
But Blind LDAP injection techniques can be used to obtain
forbidden information from the LDAP tree. For example, attribute
discovery can be performed with these code injections:
( & (idprinter=HPLaserJet2100)(ipaddress=*))(objectclass=printer))
( & (idprinter=HPLaserJet2100)(distinguishedname=*))(objectclass=printer))
( & (idprinter=HPLaserJet2100)(department=*))(objectclass=printer))
Obviously, the attacker can infer from the obtained results which
attributes exist and which do not. Only the first complete LDAP filter
is processed by the server, therefore in the first case the information
about the printer is not given by the application because the attribute
ipaddress does not exist (it is a false query). But in the second
and third cases, the results of the query are normal, therefore the
attributes distinguishedname and department exist (they are true
queries).
Fig. 10. Asking if the character ’b’ is in the department name
Fig. 11. Asking if the character ’n’ is in the department name
Furthermore, with Blind LDAP injection techniques, the values of
some of these attributes can be obtained. For example, suppose that
the attacker wants to know the value of the department attribute.
Then, he can use booleanization mechanisms such as character
displaying or charset reduction to infer it.
Using the character displaying technique, the process would be
the following, taking advantage of the possibility of asking true
and false questions to the server:
( & (idprinter=HPLaserJet2100)(department=a*))(objectclass=printer))
.....
( & (idprinter=HPLaserJet2100)(department=f*))(objectclass=printer))
( & (idprinter=HPLaserJet2100)(department=fa*))(objectclass=printer))
......
( & (idprinter=HPLaserJet2100)(department=fi*))(objectclass=printer))
The first test with the first character does not obtain the printer
information, therefore the first character is not an 'a'. Testing with
the rest of the characters, the only one that obtains a normal behavior
from the application is 'f' (true).
Remember from figure 8 that the department value in this example
is finantial. Following with the second character, the only one
that obtains the normal operation is 'i'. Using this process
repeatedly, the complete department value can be obtained.
On the other hand, if the charset reduction technique is used, the
following injections are constructed:
.....
( & (idprinter=HPLaserJet2100)(department=*b*))(objectclass=printer))
....
( & (idprinter=HPLaserJet2100)(department=*n*))(objectclass=printer))
With this kind of technique, the set of characters composing the
department name can be obtained, and after that only the correct
order of the characters must be inferred. Figure 10 shows the result when
the character 'b' is tested: no results are sent by the server because
the query has a false result. But in figure 11 a normal result is shown,
meaning that the character 'n' is in the department name. Again,
following this process, the value of this attribute can be obtained
by the attacker.
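The character displaying and charset reduction probes above leave a recognizable trace in the filters an application sends to the directory: one client repeatedly asserting one attribute with a growing prefix wildcard. The following added example (not the paper's code) flags that pattern in a constructed log whose "<client> <filter>" line format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log for this example: one legitimate client (10.0.0.7)
# and one client (10.0.0.9) running the paper's character displaying probes.
CONSTRUCTED_LOG = """\
10.0.0.7 (&(idprinter=HPLaserJet2100)(objectclass=printer))
10.0.0.9 (&(idprinter=HPLaserJet2100)(department=a*))(objectclass=printer))
10.0.0.9 (&(idprinter=HPLaserJet2100)(department=b*))(objectclass=printer))
10.0.0.9 (&(idprinter=HPLaserJet2100)(department=f*))(objectclass=printer))
10.0.0.9 (&(idprinter=HPLaserJet2100)(department=fa*))(objectclass=printer))
10.0.0.9 (&(idprinter=HPLaserJet2100)(department=fi*))(objectclass=printer))
10.0.0.7 (&(idprinter=Epson*)(objectclass=printer))
"""

# One simple assertion "(attr=value)"; values never contain parentheses here.
ASSERTION = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")


def wildcard_probes(log: str):
    """Yield (client, attribute, probed prefix) for every assertion whose
    value is a prefix wildcard such as 'fi*', the shape character displaying
    uses. A bare '*' (presence test) is not counted as a probe."""
    for line in log.splitlines():
        client, _, flt = line.partition(" ")
        for attr, value in ASSERTION.findall(flt):
            if value.endswith("*") and value != "*":
                yield client, attr.lower(), value[:-1]


def suspicious_clients(log: str, min_probes: int = 4) -> dict:
    """Return {client: {attribute: sorted prefixes}} for clients that probed
    one attribute with at least min_probes distinct prefixes. A growing set
    of prefixes (f, fa, fi, ...) on the same attribute from one client is the
    fingerprint of booleanization; a single legitimate wildcard search is not."""
    seen = defaultdict(lambda: defaultdict(set))
    for client, attr, prefix in wildcard_probes(log):
        seen[client][attr].add(prefix)
    return {
        client: {a: sorted(p) for a, p in attrs.items() if len(p) >= min_probes}
        for client, attrs in seen.items()
        if any(len(p) >= min_probes for p in attrs.values())
    }


if __name__ == "__main__":
    for client, attrs in suspicious_clients(CONSTRUCTED_LOG).items():
        for attr, prefixes in attrs.items():
            print(f"{client}: {len(prefixes)} prefix probes on {attr}: {prefixes}")
```

The threshold is a tuning knob: the probes in the paper walk an alphabet per character position, so a real sequence is far longer than the four that trigger the alert here.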
VI. SECURING APPLICATIONS AGAINST LDAP INJECTION
The attacks presented in the previous sections are performed on the
application level, therefore, normal firewall and intrusion detection
mechanisms at network layer have no effects on preventing all these
injections.
But the general security recommendations for LDAP trees can help
to avoid these vulnerabilities or to minimize their impact: minimum
exposure and minimum privileges. The use of the LDAPS and IPSec
protocols is recommended too.
On the other hand, the mechanisms used to prevent the well
known SQL injection techniques include defensive programming,
sophisticated input validation, dynamic checks and static source code
analysis. Therefore, the work on mitigating LDAP injections may
involve similar techniques adapted to this protocol.
It has been demonstrated in the previous sections that LDAP
injection attacks are performed by including special characters in the
parameters sent from the client to the server. It is therefore clear
that the variables used to construct the LDAP queries must be filtered
before the queries are sent to the server.
In conclusion, parentheses, asterisks, logical (AND, OR and
NOT) and relational (≤, ≥, , =) operators should be filtered on
the client side to obtain a proper system operation.
Furthermore, the values used to construct the LDAP queries should
be offered to the client in a list of options to avoid malicious
manipulations. If this is not possible because the set of possible values
for some client input is too numerous or complex, a type check should
be performed as a minimum verification. And, of course, the AND
and OR constructions should be avoided in the normal queries to
limit the injection possibilities, because all the injection attacks are
based on these logical operators.
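The filtering advice of this section, and the "only the first complete filter is processed" behavior that every classic example in section V relies on, can both be made concrete in code. The following is an added example, not the paper's code: it escapes client-supplied values with the RFC 4515 filter escaping (`\28`, `\29`, `\2a`, `\5c`, `\00`) rather than rejecting them, builds the login filter of Example 1 in its unsafe and hardened forms, and models a server that processes only the first balanced filter, which is the behavior the paper describes, not a guarantee about any particular directory product.

```python
# Characters that carry structure in an LDAP search filter (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a client-supplied value so it can only ever be data inside one
    assertion. Note that '*' is escaped too, so a hardened field cannot be
    used for wildcard probing either."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def first_complete_filter(raw: str) -> str:
    """Return the first balanced '(...)' group of raw, modelling a server that
    processes the first complete filter and ignores what trails it, as the
    paper describes. Returns '' when no balanced group starts at position 0."""
    if not raw.startswith("("):
        return ""
    depth = 0
    for i, ch in enumerate(raw):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return raw[: i + 1]
    return ""


def is_single_filter(raw: str) -> bool:
    """True when the whole string is exactly one balanced filter, i.e. nothing
    was spliced in after the first complete filter. Useful as a last check
    before a query leaves the application."""
    return first_complete_filter(raw) == raw


def build_login_filter_unsafe(uname: str, pwd: str) -> str:
    """The paper's Example 1 construction: raw concatenation of client input."""
    return f"(&(USER={uname})(PASSWORD={pwd}))"


def build_login_filter_safe(uname: str, pwd: str) -> str:
    """Hardened form: every client-supplied value is escaped first."""
    return f"(&(USER={escape_filter_value(uname)})(PASSWORD={escape_filter_value(pwd)}))"


if __name__ == "__main__":
    # Constructed input taken from the paper's Example 1.
    uname, pwd = "slisberger)(&))", "anything"
    unsafe = build_login_filter_unsafe(uname, pwd)
    print(unsafe, "->", first_complete_filter(unsafe), is_single_filter(unsafe))
    safe = build_login_filter_safe(uname, pwd)
    print(safe, "->", is_single_filter(safe))
```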
VII. CONCLUSIONS AND FUTURE WORK
LDAP services facilitate access to network information by organizing
it in a hierarchical database that allows authorized users and applications
to find information related to people, resources and applications.
This protocol is simple to install, maintain, replicate and use, and
it can be highly distributed. It also allows an easy implementation
of the widely used single sign-on environments. Therefore, given the
increasing need for information in current systems, it is an essential
service in almost all networks.
LDAP injection techniques are an important threat for these
environments, especially for access control and for privileges and
resources management.
These attacks modify the correct LDAP queries, altering their
behavior for the attacker benefit. And the consequences of these
attacks can be very severe.
Our work is unique in providing a rigorous analysis of LDAP
injection techniques and in showing representative examples of the
possible effects of these attacks.
Furthermore, recommendations to secure applications against these
techniques have been proposed. It has been shown that filtering the
error messages produced by the server only fortifies the system but
does not secure it against blind injection techniques. A more in-depth
protection is needed to avoid this kind of injection vulnerability
too. It has been demonstrated with the presented examples that it is
essential to filter the client inputs used to construct the LDAP queries
before sending them to the server, and that the AND and OR filter
constructions should be avoided.
Finally, a very interesting line for future research is analyzing
injection techniques with other protocols used to access databases
and directories, and studying the possible use of booleanization
mechanisms such as character displaying or charset reduction in
other environments.