Understanding Persistent Cookies and LDAP Injection
A session by: Maulik Lakhani
Security Analyst and former Team Lead
Passionate Cybersecurity Analyst working in the VAPT and Application Security Assessment domain. Worked as Team Lead in 2 organizations. Handled teams of 15-20 in 3 organizations. Skilled at VAPT of Web, Android and APIs. I specialize in JS encryption, GraphQL, custom Frida scripts, root detection bypass, and SafetyNet bypass.
Currently working as Security Analyst 3 at Ernst and Young GDS
Worked as Associate Information Security Analyst at Indusface
Worked as Brand Executive at Alma Mater Biz Solutions
https://www.linkedin.com/in/mauliklakhani/
https://twitter.com/MaulikxLakhani
➢ Outline
Understanding cookies
How do persistent cookies work?
Understanding Active Directory and LDAP
How does LDAP injection work?
Questions and Answer session
➢ Understanding cookies
Session Cookies
• Temporary cookie files stored in browser memory and never written to disk.
• Erased when you close the browser. If you go back to the site, it will not recognize you.
Persistent cookies
• Stay on your hard drive (in one of your browser's subfolders) until they expire or get deleted.
➢ Are both cookies the same?
Session Cookies
• If a cookie does not specify an expiration date, it is removed once the user quits the browser. Hence, these are used for managing sessions.
Persistent cookies
• Have a future expiration date which controls how long they last.
• The cookie setter specifies a deletion date; the cookie will be removed on that date.
➢ Use cases for persistent cookies
Persistent cookies enable the following functionalities:
User identification
User tracking
Menu preferences
Theme selection
Language preferences
➢ How do persistent cookies work?
Login → Browser sets cookies → Browser is closed, session cookies get deleted → Persistent cookies remain intact → User visits the site again → Persistent cookies are sent → Web app recognizes the user
➢ How do non-persistent cookies work?
Setting up a session cookie in ASP.NET:
public void SetNonPersistentCookies(string name, string value)
{
    // No Expires is set, so the browser keeps the cookie in memory only until it is closed.
    HttpCookie cookie = new HttpCookie(name);
    cookie.Value = value;
    Response.Cookies.Add(cookie);
}
Function call:
SetNonPersistentCookies("ASPSESSIONID", "47a04x3");
➢ How do persistent cookies work?
Setting up a persistent cookie in ASP.NET:
public void SetPersistentCookies(string name, string value)
{
    HttpCookie cookie = new HttpCookie(name);
    cookie.Value = value;
    // A future Expires date makes the browser write the cookie to disk and keep it until that date.
    cookie.Expires = Convert.ToDateTime("10/10/2020");
    Response.Cookies.Add(cookie);
}
Function call:
SetPersistentCookies("UserName", "Maulik");
SetPersistentCookies("Language", "en-us");
➢ How do persistent cookies work?
PHP code to set a cookie to expire in 10 years:
setcookie("emailCookie", $email, time()+60*60*24*365*10);
Python (Django) code to set a cookie to expire in 10 years:
from django.http.response import HttpResponse
...
def view_method(request):
    # email is assumed to be set by the elided code above
    res = HttpResponse()
    # max_age is in seconds; Django derives the Expires attribute from it
    res.set_cookie("emailCookie", email, max_age=60*60*24*365*10, secure=True, httponly=True)
    return res
➢ Security Impact
Persistent cookies are often set to expire in the distant future.
If private information is stored in persistent cookies, attackers have a larger time window to steal it.
Persistent cookies are often used to profile users as they interact with a site.
Web application functionality might be exploited by manipulating the values of persistent cookies.
This can lead to session- and authorization-related vulnerabilities.
➢ How to test
After login, check which cookies are stored as persistent cookies.
Analyze the information stored in persistent cookies.
Check whether the cookie value is related to a functionality or level of access.
Examples: 1) UserID=50 2) isAdmin=true 3) isAdmin=1 4) functionality=dashboard,account,users
Manipulate the values of the persistent cookies to exploit application functionality.
This can lead to authorization-related vulnerabilities: Privilege Escalation, Account Takeover.
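The isAdmin=true case from the test steps above, as an added illustration that is not part of the original slides: the first function trusts the persistent cookie verbatim, while the second only honours a value that carries an HMAC tag computed with a server-side key, so an edited cookie on disk is ignored. SECRET_KEY and all function names here are constructed for this demo.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed demo key; in production load it from a secret store, never from source.
SECRET_KEY = b"constructed-demo-key-rotate-me"


def is_admin_insecure(cookie_header: str) -> bool:
    """Vulnerable pattern from the slides: the persistent isAdmin cookie is
    trusted as-is, so anyone can edit the file on disk and set isAdmin=true."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return "isAdmin" in jar and jar["isAdmin"].value.lower() in ("true", "1")


def _mac(value: str) -> str:
    """URL-safe base64 HMAC-SHA256 tag over the cookie value."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")


def sign_cookie_value(value: str) -> str:
    """Server-side helper: emit 'value.tag' so tampering becomes detectable."""
    return f"{value}.{_mac(value)}"


def is_admin_hardened(cookie_header: str) -> bool:
    """Only honour isAdmin when its tag verifies. A forged or edited value fails
    the constant-time comparison and is treated as non-admin."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "isAdmin" not in jar:
        return False
    value, sep, tag = jar["isAdmin"].value.rpartition(".")
    if not sep or not hmac.compare_digest(tag, _mac(value)):
        return False
    return value == "true"
```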
➢ Demo
➢ Got questions?
➢ Understanding Active Directory
Directory-based, identity-related service.
Provides authentication and authorization mechanisms.
A database and set of services that connect users with the network resources.
Allows management and storage of information.
Stores data as objects. An object is a single element, such as a user, group, application or device like a printer.
➢ Understanding Active Directory
OU = Organizational Unit
➢ Understanding LDAP
Lightweight Directory Access Protocol is more efficient and consumes fewer resources than DAP.
A protocol to query (retrieve) information from an LDAP server.
An LDAP server stores authentication information such as usernames and passwords.
This allows different applications and services to connect to the LDAP server to validate users.
➢ How does LDAP work?
The LDAP mechanism is based on the DN (distinguished name). It is like a unique identifier. These are sometimes used to access resources, like a username. A DN might look like:
cn=RichardFeynman,ou=Physics Department,dc=Caltech,dc=edu
uid=inewton,ou=MathematicsDepartment,dc=Cambridge,dc=com
o CN = Common Name
o OU = Organizational Unit
o DC = Domain Component
o UID = User ID
▪ Filters:
LDAP queries submitted to the server are known as LDAP search filters, which are constructed using prefix notation.
▪ Common Operators:
o = (equal to)
o & (logical and)
o | (logical or)
o ! (logical not)
o * (wildcard)
➢ How LDAP authentication works
The account holder enters the credentials. The LDAP server validates the account credentials. If the credentials are correct, authentication is successful.
login.php?name=admin&password=secret
find("(&(cn=" + username + ")(userPassword=" + pass + "))")
➢ LDAP Injection in Authentication
Application: Hey! Does this user exist in your records?
LDAP server: Let me check… Checking… YES!
Application: Alright! Then the user is valid. I'll approve the login and assign a session ID. Thanks!
Session_ID=A2b4384knb89123g
➢ LDAP Injection in Authentication
An example of an LDAP search filter:
(&(User=Uname)(Password=Pwd))
This prefix filter notation instructs the query to find an LDAP node with the given username and password.
o If user-controlled values are appended to the LDAP search filter without any validation or sanitization, a value of '*' changes the intended meaning of the query and returns a list of all users.
▪ Attack Scenario:
o If the username value is set to admin)(&)) the effective search filter becomes:
(&(User=admin)(&))(Password=))
The (&) condition in the above query always evaluates to true, so the attacker gains access without having a valid password.
o A tester can use a trial-and-error approach, inserting '(', '|', '&', '*' and other characters to check the application for errors.
➢ LDAP Injection in Authentication
Attacker injects a payload.
Application accepts the payload and ignores the password.
Performs a search for the admin account.
If the admin account is present, the LDAP server will proceed to bind the connection, and the application will think that the credentials are correct. Upon successful authentication, a session will be created.
➢ Security Impact
Information disclosure
Authentication bypass
Bypass of access controls and access to higher-privilege accounts
LDAP servers often store information such as users, roles, permissions, and related objects provisioned to them.
➢ Demo
Default value is passed here.
|(cn=2F204)(cn="1FA04"))
|(cn=2F204)(cn=")"))
|(cn=2F204)(cn="*"))
These characters need escaping. Hence, they can be used for fuzzing:
• Space (' ')
• Number sign: #
• Double quote: "
• Plus sign: +
• Comma: ,
• Semicolon: ;
• Less than and greater than: < >
• Backward slash: \
Payload:
Payload          Search Filter
*                (attribute=*)
value)(cn=*      (attribute=value)(attribute2=*)
➢ Remediation for LDAP Injection
Strictly validate user input.
Allow only alphanumeric strings to be copied into queries; any other input should be rejected.
User input containing LDAP metacharacters like ( ) ; , * | & = " and whitespace should be rejected.
Use a component like LINQ to Active Directory that automatically escapes user input.
Least privilege: minimize the privileges assigned to the LDAP binding account.
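The attack scenario above and these remediation steps, worked through in Python as an added example that is not from the slides: the unsafe concatenation from the authentication slide is shown beside the same query with RFC 4515 filter escaping, plus the alphanumeric allowlist. The payload admin)(&) is the variant that produces exactly the effective filter shown on the attack-scenario slide; the 64-character cap and the function names are constructed for this demo.

```python
import re

# RFC 4515 requires these characters to be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Neutralise LDAP filter metacharacters in one user-supplied value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, password: str) -> str:
    """The concatenation from the slides: input reaches the filter verbatim,
    so a username of admin)(&) injects an always-true (&) term and closes
    the original AND before the password is ever compared."""
    return "(&(cn=" + username + ")(userPassword=" + password + "))"


def build_filter_escaped(username: str, password: str) -> str:
    """Same query with escaping: '(' and ')' become \\28 and \\29, so the whole
    payload is compared as a literal cn value and no longer changes structure."""
    return "(&(cn=%s)(userPassword=%s))" % (
        escape_filter_value(username),
        escape_filter_value(password),
    )


# Allowlist from the remediation slide: alphanumeric only. The 64-character
# cap is a constructed choice for this demo, not a protocol limit.
_USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def is_safe_username(username: str) -> bool:
    """Reject anything outside the allowlist before it gets near the directory."""
    return _USERNAME_RE.fullmatch(username) is not None
```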
➢ Recommended steps:
LDAP Injection: https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
Hack The Box: Phonebook Challenge: https://app.hackthebox.eu/challenges/phonebook
➢ Got questions?