LDAP Injection Attack — TryHackMe Walkthrough
Author: In Phu Sec Lab
Uploaded: 2025-07-28
Views: 250
Description:
TryHackMe's Web App PenTest -- LDAP Injection:
https://tryhackme.com/room/ldapinjection
Welcome to inphuseclab! In this episode, we delve into LDAP injection, a critical security vulnerability. We start with an overview of LDAP (Lightweight Directory Access Protocol) and its role in managing user identities within organizations. The script covers key components such as LDAP tree structures, distinguished names, attributes, and search queries. We then explore LDAP injection, discussing its impact, how it's exploited, and methods to identify and mitigate these vulnerabilities. Examples include authentication bypass tactics, wildcard injections, and Boolean-based blind LDAP injections. To conclude, we review best practices for safeguarding applications against LDAP injection by sanitizing user input and avoiding the inclusion of user-controllable data in LDAP queries. Tune in to arm yourself with the knowledge to enhance your cybersecurity defenses!
00:00 Introduction
01:16 Structure
03:39 Search queries
08:16 Injection Fundamentals
11:00 Exploiting LDAP
18:21 Blind LDAP Injection