The document discusses LDAP injection and blind LDAP injection attacks against web applications. It begins with an introduction on LDAP services and how they are commonly used for user authentication and access control. It then provides examples of how LDAP injection can be used to bypass access controls or elevate privileges by manipulating the LDAP filters used in queries. The document also describes techniques for performing blind LDAP injection when error messages are not returned.
How "·$% developers defeat the web vulnerability scannersChema Alonso
Share Favorite
Favorited X
Download More...
Favorited! Want to add tags? Have an opinion? Make a quick comment as well. Cancel
Edit your favorites Cancel
Send to your Group / Event Select Group / Event
Add your message Cancel
Post toBlogger WordPress Twitter Facebook Deliciousmore share options .Embed For WordPress.com
Without related presentations
0 commentsPost a comment
Post a comment
..
Embed Video Subscribe to follow-up comments Unsubscribe from followup comments .
Edit your comment Cancel .Notes on slide 1
no notes for slide #1
no notes for slide #1
..Favorites, Groups & Events
more
How "·$% developers defeat the web vulnerability scanners - Presentation Transcript
1.How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends Chema Alonso Informática64 José Parada Microsoft Ibérica
2.Agenda
1.- Introduction
2.- Inverted Queries
3.- Arithmetic Blind SQL Injection
4.- Time-Based Blind SQL Injection using Heavey Queries
5.- Conclusions
3.1.-Introduction
4.SQL Injection is still here among us
5.Web Application Security Consortium: Comparision http://projects.webappsec.org/Web-Application-Security-Statistics 12.186 sites 97.554 bugs
6.Need to Improve Automatic Scanning
Not always a manual scanning is possible
Time
Confidentiality
Money, money, money…
Need to study new ways to recognize old fashion vulnerabilities to improve automatic scanning tools.
7.2.-Inverted Queries
8.
9.Homers, how are they?
Lazy
Bad trainined
Poor Experience in security stuff
Don´t like working
Don´t like computing
Don´t like coding
Don´t like you!
10.Flanders are Left-handed
11.Right
SELECT UID
FROM USERS
WHERE NAME=‘V_NAME’
AND
PASSWORD=‘V_PASSW’;
12.Wrong?
SELECT UID
FROM USERS
WHERE ‘V_NAME’=NAME AND
‘ V_PASSW’=PASSWORD
13.Login Inverted Query
Select uid
From users where ‘v_name’=name and ‘v_pass’=password
http://www.web.com/login.php?v_name=Robert&v_pass=Kubica’ or '1'='1
Select uid
From users where ‘Robert’=name and ‘Kubica’ or ‘1’=‘1’=password
FAIL
14.Login Inverted SQL Injection an example
Select uid
From users where ‘v_name’=name and ‘v_pass’=password
http://www.web.com/login.php?v_name=Robert&v_pass=’=‘’ or ‘1’=‘1’ or ‘Kubica
Select uid
From users where ‘Robert’=name and ’’=‘’ or ‘1’=‘1’ or ‘Kubica’=password
Success
15.Blind Attacks
Attacker injects code but can´t access directly to the data.
However this injection changes the behavior of the web application.
Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.
Blind SQL Injection
Biind Xpath Injection
Blind LDAP Injection
16.Blind SQL Injection Attacks
Attacker injects:
“ True where clauses”
“ False where clauses“
Ex:
Program.php?id=1 and 1=1
Program.php?id=1 and 1=2
Program doesn’t return any visible data from database or data in error messages.
The attacker can´t see any data extracted from the database.
17.Blind SQL Injection Attacks
Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”:
Different hashes
Different html structure
Different patterns (keywords)
Different linear ASCII sums
“ Different behavior”
By example: Response Time
18.Blind SQL Injection Attacks
If any difference exists, then:
Attacker can extract all information from database
How? Using “booleanization”
MySQL:
Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
“ True-Answer Page” or “False-Answer Page”?
MSSQL:
Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers)
Oracle:
Program.php?id=1 and 100>(Select ASCII(Sub
Connection String Parameter Pollution AttacksChema Alonso
Paper about Connection String Attacks that focus in Connection String Parameter Pollution in Web Applications. Presented in Ekoparty 2009, Black Hat DC 2010 and Troopers 2010
Railsplitter is a framework which significantly reduces development cost to expose a hierarchical data model as a production quality Create, Read, Update, and Delete (CRUD) web service. Railsplitter adopts JSON API [10] as the standard for the service definition given its focus on consumption by front-end developers. Inherent in the design of JSON API are capabilities that reduce the number of round trips from client to server to fetch or update data. Updates on disparate models can happen in a single request allowing the server to build atomicity guarantees. Rather than starting from scratch with a domain-specific language (DSL) to describe a data model, Railsplitter adopts Java Persistence API (JPA) [6] - a modeling definition that is rich and has a long tenure of proven provider implementations. Unlike other approaches, Railsplitter addresses the fundamental needs of flexible, model driven authorization, interoperability with client side applications, and test automation.
Implementing Active Directory and Information Security Audit also VAPT in Fin...KajolPatel17
The presence of an information security audit increases the probability of adopting major security measures and preventing these attacks or lowering the cyber world attacks.
VAPT includes auditing the system for finding vulnerabilities, which may be exist on the system; exploit that vulnerability same as an attacker perspective and produce data which representing the system level risk.
Algorithm for Securing SOAP Based Web Services from WSDL Scanning Attacksiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
How "·$% developers defeat the web vulnerability scannersChema Alonso
Share Favorite
Favorited X
Download More...
Favorited! Want to add tags? Have an opinion? Make a quick comment as well. Cancel
Edit your favorites Cancel
Send to your Group / Event Select Group / Event
Add your message Cancel
Post toBlogger WordPress Twitter Facebook Deliciousmore share options .Embed For WordPress.com
Without related presentations
0 commentsPost a comment
Post a comment
..
Embed Video Subscribe to follow-up comments Unsubscribe from followup comments .
Edit your comment Cancel .Notes on slide 1
no notes for slide #1
no notes for slide #1
..Favorites, Groups & Events
more
How "·$% developers defeat the web vulnerability scanners - Presentation Transcript
1.How ?¿$·& developers defeat the most famous web vulnerability scanners …or how to recognize old friends Chema Alonso Informática64 José Parada Microsoft Ibérica
2.Agenda
1.- Introduction
2.- Inverted Queries
3.- Arithmetic Blind SQL Injection
4.- Time-Based Blind SQL Injection using Heavey Queries
5.- Conclusions
3.1.-Introduction
4.SQL Injection is still here among us
5.Web Application Security Consortium: Comparision http://projects.webappsec.org/Web-Application-Security-Statistics 12.186 sites 97.554 bugs
6.Need to Improve Automatic Scanning
Not always a manual scanning is possible
Time
Confidentiality
Money, money, money…
Need to study new ways to recognize old fashion vulnerabilities to improve automatic scanning tools.
7.2.-Inverted Queries
8.
9.Homers, how are they?
Lazy
Bad trainined
Poor Experience in security stuff
Don´t like working
Don´t like computing
Don´t like coding
Don´t like you!
10.Flanders are Left-handed
11.Right
SELECT UID
FROM USERS
WHERE NAME=‘V_NAME’
AND
PASSWORD=‘V_PASSW’;
12.Wrong?
SELECT UID
FROM USERS
WHERE ‘V_NAME’=NAME AND
‘ V_PASSW’=PASSWORD
13.Login Inverted Query
Select uid
From users where ‘v_name’=name and ‘v_pass’=password
http://www.web.com/login.php?v_name=Robert&v_pass=Kubica’ or '1'='1
Select uid
From users where ‘Robert’=name and ‘Kubica’ or ‘1’=‘1’=password
FAIL
14.Login Inverted SQL Injection an example
Select uid
From users where ‘v_name’=name and ‘v_pass’=password
http://www.web.com/login.php?v_name=Robert&v_pass=’=‘’ or ‘1’=‘1’ or ‘Kubica
Select uid
From users where ‘Robert’=name and ’’=‘’ or ‘1’=‘1’ or ‘Kubica’=password
Success
15.Blind Attacks
Attacker injects code but can´t access directly to the data.
However this injection changes the behavior of the web application.
Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.
Blind SQL Injection
Biind Xpath Injection
Blind LDAP Injection
16.Blind SQL Injection Attacks
Attacker injects:
“ True where clauses”
“ False where clauses“
Ex:
Program.php?id=1 and 1=1
Program.php?id=1 and 1=2
Program doesn’t return any visible data from database or data in error messages.
The attacker can´t see any data extracted from the database.
17.Blind SQL Injection Attacks
Attacker analyzes the response pages looking for differences between “True-Answer Page” and “False-Answer Page”:
Different hashes
Different html structure
Different patterns (keywords)
Different linear ASCII sums
“ Different behavior”
By example: Response Time
18.Blind SQL Injection Attacks
If any difference exists, then:
Attacker can extract all information from database
How? Using “booleanization”
MySQL:
Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
“ True-Answer Page” or “False-Answer Page”?
MSSQL:
Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1))) from sysusers)
Oracle:
Program.php?id=1 and 100>(Select ASCII(Sub
Connection String Parameter Pollution AttacksChema Alonso
Paper about Connection String Attacks that focus in Connection String Parameter Pollution in Web Applications. Presented in Ekoparty 2009, Black Hat DC 2010 and Troopers 2010
Railsplitter is a framework which significantly reduces development cost to expose a hierarchical data model as a production quality Create, Read, Update, and Delete (CRUD) web service. Railsplitter adopts JSON API [10] as the standard for the service definition given its focus on consumption by front-end developers. Inherent in the design of JSON API are capabilities that reduce the number of round trips from client to server to fetch or update data. Updates on disparate models can happen in a single request allowing the server to build atomicity guarantees. Rather than starting from scratch with a domain-specific language (DSL) to describe a data model, Railsplitter adopts Java Persistence API (JPA) [6] - a modeling definition that is rich and has a long tenure of proven provider implementations. Unlike other approaches, Railsplitter addresses the fundamental needs of flexible, model driven authorization, interoperability with client side applications, and test automation.
Implementing Active Directory and Information Security Audit also VAPT in Fin...KajolPatel17
The presence of an information security audit increases the probability of adopting major security measures and preventing these attacks or lowering the cyber world attacks.
VAPT includes auditing the system for finding vulnerabilities, which may be exist on the system; exploit that vulnerability same as an attacker perspective and produce data which representing the system level risk.
Algorithm for Securing SOAP Based Web Services from WSDL Scanning Attacksiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
JavaOne 2010: Building enterprise web applications with spring 3
Spring is an open source, lightweight Java framework that has become the de facto standard of Java enterprise application development. This session will adopt a learn-by-example approach that combines the philosophy and theory behind Spring with concrete code examples. You'll be walked through building a full-featured Spring 3.0 enterprise Web application end to end. The basics of the Spring framework, design patterns, and best practices will be picked up along the way. Topic to be covered topics include: Dependency Injection, Spring MVC, Spring DAO, Spring ORM, Spring AOP, and Spring Security. This session is intended for developers at any level who are interested in writing Spring or Spring MVC Web applications.
ENHANCING THE WORDPRESS SYSTEM:FROM ROLE TO ATTRIBUTE-BASED ACCESS CONTROLIJNSA Journal
Role-Based Access Control (RBAC) is the most commonly used model on web applications. The advantages of RBAC are the ease of understanding, applying and managing privileges. The static RBAC model cannot alter access permission in real-time without human involvement and therefore the model suffers from increasing false negative (and/or false positive) outcomes. Hence, the Attribute-Based Access Control (ABAC) model has been proposed to introduce dynamicity and minimize human involvement in order to enhance security. WordPress is a very popular Role-Based content management system. To our best knowledge, no solution to merge from RBAC to ABAC model for WordPress applications has been found. Our contribution is a WordPress plug-in that we have developed to build ABAC upon the existing RBAC setups. In this journey, we have investigated various scenarios by studying different application categories to come up with an enhanced automatic model that adds real-time grant and revoke feature to WordPress.
Your Web application is valuable to your users‚ and increasingly valuable to mobile applications, integration consumers, business processes, workflows, and analytics. With the WSO2 Application Server, you can easily share business logic, data, and process across the entire IT ecosystem. The WSO2 Application Server is cloud native, providing a firm foundation for hosting shared, multi-tenant, elastically scaling SaaS applications.
LDAP Services are a key component
in companies. The information stored in them
is used for corporate applications. If one of these
applications accepts input from a client and
execute it without first validating it, attackers h
ave the potential to execute their own
queries and thereby extract sensitive information f
rom the LDAP directory. In this paper a
deep analysis of the LDAP injection techniques is p
resented including Blind attacks
Born from the wish to make linking tractable, the Link Discovery Framework for Metric Spaces (LIMES) is tailored towards the time-efficient and lossless discovery of links across knowledge bases. LIMES is an extensible declarative framework that encapsulates manifold algorithms dedicated to the processing of structured data of any sort. Built with extensibility and easy integration in mind, LIMES allows implementing applications that integrate, consume and/or generate Linked Data. Within LOD2, it will be used for discovering links between knowledge bases.
This webinar will be presented by the LOD2 Partner: University of Leipzig (ULEI), Germany.
JavaOne 2010: Building enterprise web applications with spring 3
Spring is an open source, lightweight Java framework that has become the de facto standard of Java enterprise application development. This session will adopt a learn-by-example approach that combines the philosophy and theory behind Spring with concrete code examples. You'll be walked through building a full-featured Spring 3.0 enterprise Web application end to end. The basics of the Spring framework, design patterns, and best practices will be picked up along the way. Topic to be covered topics include: Dependency Injection, Spring MVC, Spring DAO, Spring ORM, Spring AOP, and Spring Security. This session is intended for developers at any level who are interested in writing Spring or Spring MVC Web applications.
ENHANCING THE WORDPRESS SYSTEM:FROM ROLE TO ATTRIBUTE-BASED ACCESS CONTROLIJNSA Journal
Role-Based Access Control (RBAC) is the most commonly used model on web applications. The advantages of RBAC are the ease of understanding, applying and managing privileges. The static RBAC model cannot alter access permission in real-time without human involvement and therefore the model suffers from increasing false negative (and/or false positive) outcomes. Hence, the Attribute-Based Access Control (ABAC) model has been proposed to introduce dynamicity and minimize human involvement in order to enhance security. WordPress is a very popular Role-Based content management system. To our best knowledge, no solution to merge from RBAC to ABAC model for WordPress applications has been found. Our contribution is a WordPress plug-in that we have developed to build ABAC upon the existing RBAC setups. In this journey, we have investigated various scenarios by studying different application categories to come up with an enhanced automatic model that adds real-time grant and revoke feature to WordPress.
Your Web application is valuable to your users‚ and increasingly valuable to mobile applications, integration consumers, business processes, workflows, and analytics. With the WSO2 Application Server, you can easily share business logic, data, and process across the entire IT ecosystem. The WSO2 Application Server is cloud native, providing a firm foundation for hosting shared, multi-tenant, elastically scaling SaaS applications.
LDAP Services are a key component
in companies. The information stored in them
is used for corporate applications. If one of these
applications accepts input from a client and
execute it without first validating it, attackers h
ave the potential to execute their own
queries and thereby extract sensitive information f
rom the LDAP directory. In this paper a
deep analysis of the LDAP injection techniques is p
resented including Blind attacks
Born from the wish to make linking tractable, the Link Discovery Framework for Metric Spaces (LIMES) is tailored towards the time-efficient and lossless discovery of links across knowledge bases. LIMES is an extensible declarative framework that encapsulates manifold algorithms dedicated to the processing of structured data of any sort. Built with extensibility and easy integration in mind, LIMES allows implementing applications that integrate, consume and/or generate Linked Data. Within LOD2, it will be used for discovering links between knowledge bases.
This webinar will be presented by the LOD2 Partner: University of Leipzig (ULEI), Germany.
Our out-of-the-box solution enables engineering teams to deploy advanced access control in minutes in order to avoid detrimental employee mistakes and costly security breaches.
This presentation was shown at Spring Framework Meeting 2009 in Rome (Lazio - Italy) - 31th October 2009.
http://www.open4dev.com/journal/2009/10/26/spring-framework-meeting-2009-rome.html
Abstract:
Spring LDAP basics: how to start to use the LdapTemplate in your custom J2EE application. This how-to will show you how to bind, unbind, search and authenticate users in your LDAP using the LdapTemplate provided by Spring.
Similar to LDAP Injection & Blind LDAP Injection in Web Applications (20)
La labor de gestionar la seguridad de una empresa suele ser como bailar sobre el alambre. Hay que permitir que el negocio siga funcionando, estar a la última, proteger lo ya implantado e innovar en cosas nuevas. Eso sí, de forma más eficiente cada año y con menos presupuesto. Todo ello, con el objetivo de no que no pase nada. La conclusión de esto es que al final siempre queda Long Hanging Fruit para que cualquiera se aproveche.
Configurar y utilizar Latch en MagentoChema Alonso
Tutorial realizado por Joc sobre cómo instalar y configurar Latch en el framework Magento. El plugin puede descargarse desde https://github.com/jochhop/magento-latch y tienes un vídeo descriptivo de su uso en http://www.elladodelmal.com/2015/10/configurar-y-utilizar-latch-en-magento.html
Cazando Cibercriminales con: OSINT + Cloud Computing + Big DataChema Alonso
Diapositivas de la presentación impartida por Chema Alonso durante el congreso CELAES 2015 el 15 de Octubre en Panamá. En ella se habla de cómo en Eleven Paths y Telefónica se utilizan las tecnologías Tacyt, Sinfonier y Faast para luchar contra el e-crime.
New Paradigms of Digital Identity: Authentication & Authorization as a Servic...Chema Alonso
Technicall report created by Gartner analyst in which they explore Telefonica & Eleven Paths technologies to provide Authentication & Authorization as a Service. In it they analyse Mobile Connect, Latch, SealSign and SmartID
CritoReto 4: Buscando una aguja en un pajarChema Alonso
Los últimos meses la contrainteligencia británica ha avanzado a pasos agigantados en la localización de agentes rusos activos en suelo inglés. Los avances en criptoanálisis, del ahora ascendido Capitán Torregrosa, han permitido localizar el punto central de trabajo de los agentes rusos. Después de días vigilando “Royal China Club”, no se observa ningún movimiento, da la sensación que no es un lugar de encuentro habitual, aunque según las informaciones recopiladas los datos más sensibles de los operativos rusos se encuentran en esa localización. Por este motivo, se decide entrar en el club y copiar toda la información para analizarla. Entre las cosas más curiosas encontradas, se observa un póster en la pared con una imagen algo rara y una especie de crucigrama, así como un texto impreso en una mesa. Ningún aparato electrónico excepcional ni nada aparentemente cifrado. ¿Podrá la inteligencia británica dar por fin con los agentes rusos? El tiempo corre en su contra…
Talk delivered by Chema Alonso at RootedCON Satellite (Saturday 12th of September 2015) about how to do hacking & pentesting using dorks over Tacyt, a Big Data of Android Apps
Pentesting con PowerShell: Libro de 0xWordChema Alonso
Índice del libro "Pentesting con PowerShell" de 0xWord.com. Tienes más información y puedes adquirirlo en la siguiente URL: http://0xword.com/es/libros/69-pentesting-con-powershell.html
Recuperar dispositivos de sonido en Windows Vista y Windows 7Chema Alonso
Artículo de Windows Técnico que muestra cómo recuperar dispositivos de sonido en Windows Vista y Windows 7 cuando estos desaparecen. Más información en http://www.elladodelmal.com
Charla impartida por Chema Alonso en el congreso Internet 3.0 el 24 de Abril de 2015 en Alicante sobre cómo la gente que cree en las soluciones mágicas y gratuitas acaba siendo estafada o víctima de fraude. Todas las partes de la presentación llevan sus enlaces a los artículos correspondientes para ampliar información.
Conferencia impartida por Chema Alonso en el Primer Congreso Europeo de Ingenieros Informático realizado en Madrid el 20 de Abril de 2015 dentro de las actividades de la Semana de la Informática 2015. El vídeo de la conferencia está en la siguiente URL: https://www.youtube.com/watch?v=m6WPZmx7WoI
Cuarta Edición del Curso Online de Especialización en Seguridad Informática p...Chema Alonso
Cuarta Edición del Curso Online de Especialización en Seguridad
Informática para la Ciberdefensa
Del 4 de mayo al 4 de junio de 2015
Orientado a:
- Responsables de seguridad.
- Cuerpos y fuerzas de seguridad del Estado.
- Agencias militares.
- Ingenieros de sistemas o similar.
- Estudiantes de tecnologías de la información
Auditoría de TrueCrypt: Informe final fase IIChema Alonso
Informe con los resultados de la fase II del proceso de auditoría del software de cifrado de TrueCrypt que buscaba bugs y posibles puertas traseras en el código.
La mayoría de la gente tiene una buena concepción del hardware de Apple. En este artículo, José Antonio Rodriguez García intenta desmontar algunos mitos.
Latch en Linux (Ubuntu): El cerrojo digitalChema Alonso
Artículo de cómo fortifica Linux (Ubuntu) con Latch: El cerrojo digital. El paper ha sido escrito por Bilal Jebari http://www.bilaljebari.tk/index.php/es/blog/5-latch-en-ubuntu
Índice de contenidos del libro "Hacking con Python" escrito por Daniel Echevarri y publicado por 0xWord. Más información en: http://0xword.com/es/libros/67-hacking-con-python.html
Talk delivered by Chema Alonso in CyberCamp ES 2014 about Shuabang Botnet discoverd by Eleven Paths. http://www.slideshare.net/elevenpaths/shuabang-with-new-techniques-in-google-play
Tu iPhone es tan (in)seguro como tu WindowsChema Alonso
Charla dada por Chema Alonso en Five Talks sobre cómo funciona la seguridad de iPhone. Más información y detalles en el libro Hacking iOS {iPhone & iPad} http://0xword.com/es/libros/39-libro-hacking-dispositivos-ios-iphone-ipad.html
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
When stars align: studies in data quality, knowledge graphs, and machine lear...
LDAP Injection & Blind LDAP Injection in Web Applications
1. INFORMÁTICA 64
LDAP Injection &
Blind LDAP Injection
In Web Applications
Authors: Chema Alonso, Rodolfo Bordón, Antonio Guzmán y Marta Beltrán
Speakers: Chema Alonso & José Parada Gimeno
Abstract. LDAP Services are a key component in companies. The information stored in them
is used for corporate applications. If one of these applications accepts input from a client and
execute it without first validating it, attackers have the potential to execute their own
queries and thereby extract sensitive information from the LDAP directory. In this paper a
deep analysis of the LDAP injection techniques is presented including Blind attacks.
2. LDAP Injection & Blind LDAP Injection
Index
Section Page
1. Introduction 02
2. LDAP Overview 02
3. Common LDAP environments 03
4. LDAP Injection in Web Applications 04
4.1. AND LDAP Injection 06
4.1.1. Example 1: Access Control Bypass 06
4.1.2. Example 2: Elevation of Privileges 07
4.2. OR LDAP Injection 08
4.2.1. Example 1: Information Disclosure 09
5. Blind LDAP Injection 10
5.1. AND Blind LDAP Injection 10
5.2. OR Blind LDAP Injection 11
5.3. Exploitation Example 11
5.3.1. Discovering Attibutes 11
5.3.2. Booleanization 13
5.3.3. Charset Reduction 15
6. Securing Applications against
Blind LDAP Injection & LDAP Injection attacks 16
7. References 16
Greetings: RoMaNSoFt, Palako, Raul@Apache, Al Cutter, Mandingo, Chico Maravillas, Alejandro Martín,
Dani Kachakil, Pedro Laguna, Silverhack, Rubén Alonso, David Cervigón, Marty Wilson, Inmaculada Bravo
& S@m Pikesley
Page: 1 of 17
3. LDAP Injection & Blind LDAP Injection
1. Introduction
The amount of data stored in organizational databases has increased rapidly in recent years
due to the rapid advancement of information technologies. A high percentage of these data is
sensitive, private and critical to the organizations, their clients and partners.
Therefore, databases are usually installed behind internal firewalls, protected with intrusion
detection mechanisms and accessed only by applications. To access a database, users have to
connect to one of these applications and submit queries through them to the database. The
threat to databases arises when these applications do not behave properly and construct these
queries without sanitizing user inputs first.
Over 50% of web application vulnerabilities are input validation related, which allows the
exploitation of code injection techniques. These attacks have proliferated in recent years
causing severe security problems in systems and applications. The SQL injection techniques
are the most widely used and studied but there are other injection techniques associated with
other languages or protocols such as XPath or LDAP.
Preventing the consequences of these kinds of attacks, lies in studying the different code
injection possibilities and in making them public and well known for all programmers and
administrators. In this paper the LDAP injection techniques are analyzed in depth, because all
the web applications based on LDAP trees might be vulnerable to these kinds of attacks.
The key to exploiting injection techniques with LDAP is to manipulate the filters used to search
in the directory services. Using these techniques, an attacker may obtain direct access to the
database underlying an LDAP tree, and thereby to important corporate information.
This can be even more critical because the security of many applications and services relies on
single sign-on environments based on LDAP directories.
Although the vulnerabilities that lead to these consequences are easy to understand and fix,
they persist because of the lack of information about these attacks and their effects. Though
previous references to the exploitation of this kind of vulnerability exist the presented
techniques don´t apply to the vast majority of modern LDAP service implementations. The
main contribution of this paper is the presentation and deep analysis of new LDAP injection
techniques which can be used to exploit these vulnerabilities.
This paper is organized as follows: sections 2 and 3 explain the LDAP fundamentals needed to
understand the techniques presented in the following sections. Section 4 presents the two
typical environments where LDAP injection techniques can be used and exemplify these
techniques with illustrative cases. Section 5 describes how BLIND LDAP Injection attacks can be
done with more examples. Finally, in Section 6, some recommendations for securing systems
against this kind of attack are given.
2. LDAP Overview
The Lightweight Directory Access Protocol is a protocol for querying and modifying directory
services running over TCP/IP. The most widely used implementations of LDAP services are
Microsoft ADAM (Active Directory Application Mode) and OpenLDAP.
Page: 2 of 17
4. LDAP Injection & Blind LDAP Injection
LDAP directory services are software applications that store and organize information sharing
certain common attributes; the information is structured based on a tree of directory entries,
and the server provides powerful browsing and search capabilities, etcetera. LDAP is object-
oriented, therefore every entry in an LDAP directory services is an instance of an object and
must correspond to the rules fixed for the attributes of that object.
Due to the hierarchical nature of LDAP directory services read-based queries are optimized to
the detriment of write-based queries.
LDAP is also based on the client/server model. The most frequent operation is to search for
directory entries using filters. Clients send queries to the server and the server responds with
the directory entries matching these filters.
LDAP filters are defined in the RFC 4515. The structure of these filters can be summarized as:
Filter = ( filtercomp )
Filtercomp = and / or / not / item
And = & filterlist
Or = |filterlist
Not = ! filter
Filterlist = 1*filter
Item= simple / present / substring
Simple = attr filtertype assertionvalue
Filtertype = ”=” / ” ~ =”/ ”>=” / ”<=”
Present = attr = *
Substring = attr ”=” [initial] * [final]
Initial = assertionvalue
Final = assertionvalue
All filters must be in brackets, only a reduced set of logical (AND, OR and NOT) and relational
(=,>=,<=,~=) operators are available to construct them. The special character “*” can be used
to replace one or more characters in the construction of the filters.
Apart from being logic operators, RFC 4256 allows the use of the following standalone symbols
as two special constants:
- (&) -> Absolute TRUE
- (|) -> Absolute FALSE
3. Common LDAP environments
LDAP services are a key component for the daily operation in many companies and institutions.
Directory Services such as Microsoft Active Directory, Novell E-Directory and RedHat Directory
Services are based on the LDAP protocol. But there are other applications and services taking
advantage of the LDAP services.
These applications and services used to require different directories (with separate
authentication) to work. For example, a directory was required for the domain, a separate
directory for mailboxes and distribution lists, and more directories for remote access,
databases or web applications. New directories based on LDAP services are multi-purpose,
Page: 3 of 17
5. LDAP Injection & Blind LDAP Injection
working as centralized information repositories for user authentication and enabling single
sign-on environments.
This new scenario increases the productivity by reducing the administration complexity and by
improving security and fault tolerance. In almost every environment, the applications based on
LDAP services use the directory for one of the following purposes:
– Access control (user/password pair verification, user certificates management).
– Privilege management.
– Resource management.
Due to the importance of the LDAP services for the corporate networks, the LDAP servers are
usually placed in the backend with the rest of the database servers. Figure 1 shows the typical
scenario deployed for corporate networks, and it is important to keep this scenario in mind in
order to understand the implications of the injection techniques exposed in following sections.
4. LDAP Injection in Web Applications
LDAP injection attacks are based on similar techniques to SQL injection attacks. Therefore, the
underlying concept is to take advantage of the parameters introduced by the user to generate
the LDAP query. A secure Web application should sanitize the parameters introduced by the
user before constructing and sending the query to the server. In a vulnerable environment
these parameters are not properly filtered and the attacker can inject malicious code.
Fig. 1. Typical scenario for an LDAP-based Web application
Taking into consideration the structure of the LDAP filters explained in section 2 and the
implementations of the most widely used LDAP: ADAM and OpenLDAP, the following
conclusions can be drawn about the code injection. (The following filters are crafted using as
value a non sanitized input from the user):
Page: 4 of 17
6. LDAP Injection & Blind LDAP Injection
– (attribute=value): If the filter used to construct the query lacks a logic operator (OR
or AND), an injection like ”value)(injected_filter” will result in two filters:
(attribute=value)(injected_filter). In the OpenLDAP implementations the second filter
will be ignored, only the first one being executed. In ADAM, a query with two filters
isn´t allowed. Therefore, the injection is useless.
- (|(attribute=value)(second_filter)) or (&(attribute=value)(second_filter)): If the
filter used to construct the query has a logic operator (OR or AND), an injection like
“value)(injected_filter)” will result in the following filter:
(&(attribute=value)(injected_filter)) (second_filter)). Though the filter is not even
syntactically correct, OpenLDAP will start processing it left to right ignoring any
character after the first filter is closed. Some LDAP Client web components will ignore
the second filer, sending to ADAM and OpenLDAP only the first complete one,
therefore allowing the injection.
Some application frameworks will check the filter for correctness before sending it to
the LDAP server. Should this be the case, the filter has to be syntactically correct,
which can be achieved with an injection like:
“value)(injected_filter))(&(1=0” .This will result in two different filters, the second
being ignored: (&(attribute=value)(injected_filter))(&(1=0)(second_filter)).
As the second filter is going to be ignored by the LDAP Server, some components won´t
allow an LDAP query with two filters. In these cases a special injection must be crafted
in order to obtain a single-filter LDAP query. An injection like: “value)(injected_filter”
will result in the following filter: (&(attribute=value)(injected_filter)(second_filter)).
The typical test to know if an application is vulnerable to code injection consists of sending to
the server a query that generates an invalid input. Therefore, if the server returns an error
message, it is clear for the attacker that the server has executed his query and that he can
exploit the code injection techniques. Taking into account the previous discussion, two kinds of
environments can be distinguished: AND injection environments and OR injection
environments.
Fig. 2. LDAP injection
Page: 5 of 17
7. LDAP Injection & Blind LDAP Injection
4.1. AND LDAP Injection
In this case the application constructs the normal query to search in the LDAP directory with
the “&” operator and one or more parameters introduced by the user. For example:
(&(parameter1=value1)(parameter2=value2))
Where value1 and value2 are the values used to perform the search in the LDAP directory. The
attacker can inject code, maintaining a correct filter construction but using the query to
achieve his own objectives.
4.1.1. Example 1: Access Control Bypass
A login page has two text box fields for entering user name and password (figure 3). Uname
and Pwd are the user inputs for USER and PASWORD. To verify the existence of the
user/password pair supplied by a client, an LDAP search filter is constructed and sent to the
LDAP server:
(&(USER=Uname)(PASSWORD=Pwd))
If an attacker enters a valid username, for example, slisberger, and injects the appropriate
sequence following this name, the password check can be bypassed.
Making Uname=slisberger)(&)) and introducing any string as the Pwd value, the following
query is constructed and sent to the server:
(& (USER=slisberger)(&))(PASSWORD=Pwd))
Fig. 3. Login page with LDAP injection
Only the first filter is processed by the LDAP server, that is, only the query
(&(USER=slisberger)(&)) is processed. This query is always true, so the attacker gains access to
the system without having a valid password.
Page: 6 of 17
8. LDAP Injection & Blind LDAP Injection
Fig. 4. Home page shown to the attacker after avoiding the access control
4.1.2. Example 2: Elevation of Privileges
For example, suppose that the following query lists all the documents visible for the users with
a low security level:
(&(directory=documents)(security_level=low))
Fig. 5. Low security level documents.
Where “documents” is the user entry for the first parameter and low is the value for the
second. If the attacker wants to list all the documents visible for the high security level, he can
use an injection like “documents)(security_level=*))(&(directory=documents” resulting in the
following filter:
(&(directory=documents)(security_level=*))(&(directory=documents)(security_level=low))
Page: 7 of 17
9. LDAP Injection & Blind LDAP Injection
Fig. 6. All security levels documents
The LDAP server will only process the first filter ignoring the second one, therefore, only the
following query will be processed: (&(directory=documents)(security level=*)), while (&
(directory=documents)(security level=low)) will be ignored.
As a result, a list with all the documents available for the users with all security levels will be
displayed for the attacker although he doesn’t have privileges to see them.
4.2. OR LDAP Injection
In this case the application constructs the normal query to search in the LDAP directory with
the “|” operator and one or more parameters introduced by the user. For example:
(|(parameter1=value1)(parameter2=value2))
Where value1 and value2 are the values used to perform the search in the LDAP directory. The
attacker can inject code, maintaining a correct filter construction but using the query to
achieve his own objectives.
Page: 8 of 17
10. LDAP Injection & Blind LDAP Injection
4.2.1. Example 1: Information Disclosure
Suppose a resources explorer allows users to know the resources available in the system
(printers, scanners, storage systems, etc…). This is a typical OR LDAP Injection case, because
the query used to show the available resources is:
(|(type=Rsc1)(type=Rsc2))
Rsc1 and Rsc2 represent the different kinds of resources in the system. In figure 7,
Rsc1=printer and Rsc2=scanner to show all the available printers and scanners in the system.
Fig. 7. Resources available to the user from the Resources Consoles Management
If the attacker enters Rsc1=printer)(uid=*), the following query is sent to the server:
(|(type=printer)(uid=*))(type=scanner))
The LDAP server responds with all the printer and user objects.
Fig. 8. Information available to the attacker after the LDAP injection
Page: 9 of 17
11. LDAP Injection & Blind LDAP Injection
5. Blind LDAP Injection
Suppose that an attacker can infer from the server responses, although the application does
not show error messages, the code injected in the LDAP filter generates a valid response (true
result) or an error (false result). The attacker could use this behavior to ask the server true or
false questions. These types of attacks are named “Blind Attacks”. Blind LDAP Injection attacks
are slower than classic ones but they can be easily implemented, since they are based on
binary logic, and they let the attacker extract information from the LDAP Directory.
5.1. AND Blind LDAP Injection
Suppose a web application wants to list all available Epson printers from an LDP directory
where error messages are not returned. The application sends the following LDAP search filter:
(& (objectClass=printer)(type=Epson*))
With this query, if there are any Epson printers available, icons are shown to the client,
otherwise no icon is shown. If the attacker performs a Blind LDAP injection attack injecting
“*)(objectClass=*))(& (objectClass=void“, the web application will construct the following LDAP
query:
(& (objectClass=*)(objectClass=*))(&(objectClass=void)(type=Epson*))
Only the first complete LDAP filter will process:
(&(objectClass=*)(objectClass=*))
As a result, the printer icon must be shown to the client, because this query always obtains
results: the filter objectClass=* always returns an object. When an icon is shown the response
is true, otherwise the response is false.
From this point, it is easy to use blind injection techniques. For example, the following
injections can be constructed:
(&(objectClass=*)(objectClass=users))(&(objectClass=foo)(type=Epson*))
(&(objectClass=*)(objectClass=resources))(&(objectClass=foo)(type=Epson*))
This set of code injections allows the attacker to infer the different objectClass values possible
in the LDAP directory service. When the response web page contains at least one printer icon,
the objectClass value exists (TRUE), on the other hand the objectClass value does not exist or
there is no access to it, and so no icon, the objectclass value does not exist(FALSE).
Blind LDAP injection techniques allow the attacker access to all information using TRUE/FALSE
questions.
Page: 10 of 17
12. LDAP Injection & Blind LDAP Injection
5.2. OR Blind LDAP Injection
In this case, the logic used to infer the desired information is the opposite, due to the presence
of the OR logical operator. Following with the same example, the injection in an OR
environment should be:
(|(objectClass=void)(objectClass=void))(&(objectClass=void)(type=Epson*))
This LDAP query obtains no objects from the LDAP directory service, therefore the printer icon
is not shown to the client (FALSE). If any icon is shown in the response web page then, it is a
TRUE response. Thus, an attacker could inject the following LDAP filters for gathering
information:
(|(objectClass=void)(objectClass=users))(&(objectClass=void)(type=Epson*))
(|(objectClass=void)(objectClass=resources))(&(objectClass=void)(type=Epson*))
5.3. Exploitation example
In this section, an LDAP environment has been implemented to show the use of the injection
techniques explained above and also to describe the possible effects of the exploitation of
these vulnerabilities and the important impact of these attacks in current systems security.
In this example the page printerstatus.php receives a parameter idprinter to construct the
following LDAP search filter:
(&(idprinter=Value1)(objectclass=printer))
5.3.1. Discovering Attributes
Blind LDAP Injection techniques can be used to obtain sensitive information from the LDAP
directory services by taking advantage of the AND operator at the beginning of the LDAP
search filter built into the web application. For example, given the attributes defined for the
printer object shown in figure 9 and the response web page of this LDAP query in figure 10 for
Value1=HPLaserJet2100,
Fig. 9. Attributes defined for the printer object
Page: 11 of 17
13. LDAP Injection & Blind LDAP Injection
Fig. 10. Normal behavior of the application
an attribute discovering attack can be performed by making these following LDAP injections:
(&(idprinter=HPLaserJet2100)(ipaddress=*))(objectclass=printer))
Fig 11: Response web page when the attribute does not exist
( & (idprinter=HPLaserJet2100)(department=*))(objectclass=printer))
Fig 12: Response web page when the attribute exists
Page: 12 of 17
14. LDAP Injection & Blind LDAP Injection
Obviously, the attacker can infer from these results which attributes exist and which do not. In
the first case, the information about the printer is not given by the application because the
attribute ipaddress does not exist or it is not accessible (FALSE). On the other hand, in the
second case, the response web page shows the printer status and therefore, the attribute
department exists in the LDAP directory and it is possible access to it.
Furthermore, with blind LDAP injection attacks the values of some of these attributes can be
obtained. For example, suppose that the attacker wants to know the value of the department
attribute: he can use booleanization and charset reduction techniques, explained in the next
sections, to infer it.
5.3.2. Booleanization
An attacker can extract the value from attributes using alphabetic or numeric search. The crux
of the idea is to transform a complex value (e.g. a string or a date) into a list of TRUE/FALSE
questions. This mechanism, usually called booleanization, is summarized in figure 13 and can
be applied in many different ways.
Fig. 13. Booleanization
Suppose that the attacker wants to know the value of the department attribute. The process
would be the following:
( & (idprinter=HPLaserJet2100)(department=a*))(objectclass=printer))
Fig. 14. FALSE. Value doesn´t start with ‘a’
Page: 13 of 17
15. LDAP Injection & Blind LDAP Injection
(&(idprinter=HPLaserJet2100)(department=f*))(objectclass=printer))
Fig. 15. TRUE. Value starts with ‘f’
(&(idprinter=HPLaserJet2100)(department=fa*))(objectclass=printer))
Fig. 16. FALSE. Value doesn´t start with ‘fa’
(&(idprinter=HPLaserJet2100)(department=fi*))(objectclass=printer))
Fig. 17. TRUE. Value starts with ‘fi’
Page: 14 of 17
16. LDAP Injection & Blind LDAP Injection
As shown in figure 9, the department value in this example is financial. The first try with the
character ‘a’ does not obtain any printer information (figure 14) therefore, the first character
is not an ’a’. After testing with the rest of the characters, the only one that obtains the normal
behavior from the application is ’f’ (figure 15). Regarding the second character, the only one
that results in the normal operation of the application is ’i’ (figure 17) and so on. Following the
process, the department value can be obtained.
This algorithm can be also used for numeric values. In order to perform this, the
booleanization process should use ‘greater than or equal to’ (>=) and ‘less than or equal to’
(<=) operators.
5.3.3 Charset Reduction
An attacker can use charset reduction to decrease the number of requests needed for obtain
the information. In order to accomplish this, he uses wildcards to test if the given character is
present *anywhere* in the value, e.g.:
(&(idprinter=HPLaserJet2100)(department=*b*))(objectclass=printer))
Fig. 18. FALSE. Character ’b’ is not in the department value
( & (idprinter=HPLaserJet2100)(department=*n*))(objectclass=printer))
Fig. 19. TRUE. Character ’n’ is in the department value
Page: 15 of 17
17. LDAP Injection & Blind LDAP Injection
Figure 18 shows the response web page when the character ’b’ is tested: no results are sent
from the LDAP directory service so no letter ‘b’ is present, but in figure 19 a normal response
web page is shown, meaning that the character ’n’ is in the department value.
Through this process, the set of characters comprising the department value can be obtained.
Once the charset reduction is done, only the characters discovered will be used in the
booleanization process, thereby decreasing the number of requests needed.
6. Securing Applications against Blind LDAP Injection & LDAP Injection
attacks
The attacks presented in the previous sections are performed on the application layer,
therefore firewalls and intrusion detection mechanisms on the network layer have no effect on
preventing any of these LDAP injections. However, general security recommendations for LDAP
directory services can mitigate these vulnerabilities or minimize their impact by applying
minimum exposure point and minimum privileges principles.
Mechanisms used to prevent code injection techniques include defensive programming,
sophisticated input validation, dynamic checks and static source code analysis. The work on
mitigating LDAP injections must involve similar techniques.
It has been demonstrated in the previous sections that LDAP injection attacks are performed
by including special characters in the parameters sent from the client to the server. It is clear
therefore that it is very important to check and sanitize the variables used to construct the
LDAP filters before sending the queries to the server.
In conclusion, we see that parentheses, asterisks, logical (AND “&”, OR “|” and NOT “!”) and
relational (=,>=,<=,~=) operators must be filtered at the application layer.
Whenever possible, values used to construct the LDAP search filter must be checked against a
list of valid values in the Application Layer before sending the query to the LDAP server.
7. References
- “LDAP Injection: Are your Web applications Vulnerable?”, Sacha Faust. SPI Dynamics
URL: http://www.spidynamics.com/support/whitepapers/LDAPinjection.pdf
URL2: http://www.networkdls.com/Articles/LDAPinjection.pdf
- “Blind SQL Injection Automation Techniques”, Cameron Hotchkies, BlackHat Conferences 2004.
URL:https://www.blackhat.com/presentations/bh-usa-04/bh-us-04-hotchkies/bh-us-04-
hotchkies.pdf
- “Blind XPath Injection”, Amit Klein. SANCTUM.
URL:http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf
- “Lightweight Directory Access Protocol (LDAP): The Protocol”, J. Sermersheim, RFC 4511.
URL: http://www.rfc-editor.org/rfc/rfc4511.txt
- “LDAP Search Filters”, M. Smith & T. Howes, RFC 4515.
URL: http://www.rfc-editor.org/rfc/rfc4515.txt
- "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map”, K. Zeilenga,
Networking Working Group, LDAP Foundation, RFC, The OpenGroup.
URL: http://www.rfc-editor.org/rfc/rfc4510.txt
Page: 16 of 17
18. LDAP Injection & Blind LDAP Injection
- “Understanding LDAP - Design and Implementation”, Steven Tuttle, Ami Ehlenberger,
Ramakrishna Gorthi, Jay Leiserson, Richard Macbeth, Nathan Owen, Sunil Ranahandola,
Michael Storrs & Chunhui Yang, IBM.
URL: http://www.redbooks.ibm.com/redbooks/pdfs/sg244986.pdf
- “OpenLDAP admin Guide”, OpenLDAP.org.
URL: http://www.openldap.org/doc/admin23/
- “Microsoft Active Directory Technologies”, Microsoft Corporation.
URL:http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/d
efault.mspx
- “Novell E-Directory”, Novell Corporation.
URL: http://www.novell.com/products/edirectory/
- “RedHat Directory Services. RedHat Deployment Guide”, RedHat.
URL: http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/intro.html
- Single Sign-On”, The OpenGroup.
URL: http://www.opengroup.org/security/sso/
- "Oracle Internet Directory: Documentation”,Oracle.
URL: http://www.oracle.com/technology/documentation/oid.html
- “Time-Based Blind SQL Injection using heavy queries”, Chema Alonso, Daniel Kachakil, Rodolfo
Bordón y Antonio Guzmán.
URL: http://www.microsoft.com/technet/community/columns/secmvp/sv0907.mspx
Contact information:
- Chema Alonso
chema@informatica64.com
http://elladodelmal.blogspot.com
Page: 17 of 17