[Owasp-modsecurity-core-rule-set] LDAP injection rule

Achim achim at owasp.org
Wed Jan 13 21:03:18 UTC 2016


Hi Denis,

the round brackets in RE are used to group, in particular to group variants.
If they should be a literal character, they need to be escaped with a 
\ (backslash).

That said, you see both usages -- ( as a grouping metacharacter, and \( as a
literal character -- in your visualized picture. You see the literal \( 
only, but not the grouping ( in the picture.

In LDAP, round brackets are a core syntax element.

Does this help?
Achim



On 13.01.2016 12:21, Denis Kolegov wrote:
> Hello All.
> 
> I am working on an RE for LDAP injection.
> Could anybody explain the structure of the LDAP injection detection rule?
> 
> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attacks.conf
> 
> Its regular expression is the following:
> 
> (?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])
> 
> See the regular expression visualizer (https://jex.im/regulex) screenshot in
> the attachment.
> 
> My questions:
> 
> 1.  What is the purpose of the RE after the '(' character? Which context is
> assumed there?
> 
> I found the following vectors:
> 
> Alonso-Parada vectors:
> 
> foo)(sn=100
> foo)(&)
> documents)(security_level=*))(&(directory=documents
> printer)(uid=*)
> printer)(department=fa*)
> 
> printer)(department=*fa*)
> *)(objectClass=*))(&(objectClass=void
> *)(objectClass=users))(&(objectClass=foo
> void)(objectClass=users))(&(objectClass=void)
> 
> 
> Exploit DB:
> 
> ka0x)(|(homedirectory=*)
> 5faa0382d747b754)(sn=*
> 5faa0382d747b754)!(sn=*
> 
> Burp:
> 
> eb9adbd87d)(sn=*
> eb9adbd87d)!(sn=*
> *)(sn=*
> *)!(sn=*
> 
> 
> 
> 2.  Some trivial LDAPi vectors are not detected. For example,
> 
> printer)(uid=*)
> 
> from the Alonso-Parada slides
> https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
> 
> Thanks.
> 
> 
> 
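To make the structure Achim describes concrete, here is an added example (not part of the thread or of the CRS project) that splits the quoted rule into its three top-level alternatives and runs each against the vectors Denis listed, so one can see which branch fires and which vectors the rule misses. The branch names and the use of re.IGNORECASE in place of the rule's lowercase transformation are assumptions made for this illustration.

```python
import re

# The CRS LDAP-injection regex exactly as quoted in the question.
CRS_LDAPI = (
    r"(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|"
    r"[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])"
)

# The same pattern split into its three alternatives (names are ours):
BRANCHES = {
    # "(" + junk + a listed attribute name + "=", e.g. "(objectClass="
    "attr_eq": r"\(\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=",
    # "(" + one of ! & | + "(", i.e. a nested operator filter such as "(&("
    "open_op_open": r"\([^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\(",
    # ")" + "(" + one of ! & |, i.e. closing a filter then opening an operator: ")(&"
    "close_open_op": r"\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|]",
}

FLAGS = re.IGNORECASE  # stands in for the rule's lowercase transformation (assumption)
FULL_RE = re.compile(CRS_LDAPI, FLAGS)
BRANCH_RES = {name: re.compile(p, FLAGS) for name, p in BRANCHES.items()}

def matching_branches(vector: str) -> list[str]:
    """Names of the alternatives that match somewhere in `vector` (empty = miss)."""
    return [name for name, rx in BRANCH_RES.items() if rx.search(vector)]

def is_detected(vector: str) -> bool:
    """True if the full quoted regex matches the vector."""
    return FULL_RE.search(vector) is not None

# Vectors copied from the question (Alonso-Parada, Exploit DB, Burp).
VECTORS = [
    "foo)(sn=100", "foo)(&)",
    "documents)(security_level=*))(&(directory=documents",
    "printer)(uid=*)", "printer)(department=fa*)",
    "*)(objectClass=*))(&(objectClass=void", "ka0x)(|(homedirectory=*)",
    "5faa0382d747b754)!(sn=*", "*)!(sn=*",
]

def report(vectors=VECTORS) -> dict[str, list[str]]:
    """Map each vector to the branches that fire; an empty list means the rule misses it."""
    return {v: matching_branches(v) for v in vectors}

if __name__ == "__main__":
    for v, hits in report().items():
        print(f"{'HIT ' if hits else 'MISS'} {v!r:55} {', '.join(hits)}")
```

Only vectors that either name one of the four listed attributes or contain `)(` / `((` followed by one of `!&|` are caught; `)(sn=*`, `)!(sn=*` and `)(uid=*` slip through because neither `sn` nor bare `uid` is in the attribute list and no operator follows the `(`.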

