[Owasp-modsecurity-core-rule-set] LDAP injection rule

Denis Kolegov d.n.kolegov at gmail.com
Wed Jan 13 22:58:59 UTC 2016


Hi.

It seems my question was not clear.
I asked about the logic of the regular expression.

What is the purpose of the first part of the RE, where it checks for a string
beginning with '('?

(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\())

Thanks.
---
Denis Kolegov
On 14 Jan 2016 at 3:18, "Achim" <achim at owasp.org> wrote:

> Hi Denis,
>
> the round brackets in RE are used to group, in particular to group
> variants.
> If they should be a literal character, they need to be escaped with a
> \ (backslash).
>
> That said, you see both usages -- ( as grouping meta character, and \( as
> literal character -- in your visualized picture. You see the literal \(
> only, but not the grouping (, in the picture.
>
> In LDAP round brackets are a core syntax element.
>
> Does this help?
> Achim
>
>
>
> On 13.01.2016 12:21, Denis Kolegov wrote:
> > Hello All.
> >
> > I am working on RE for LDAP injection.
> > Could anybody explain the structure of the LDAP injection detection rule?
> >
> >
> > https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attacks.conf
> >
> > Its regular expression is the following:
> >
> >
> > (?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])
> >
> > See the regular expression visualizer (https://jex.im/regulex) screenshot
> > in the attachment.
> >
> > My questions:
> >
> > 1.  What is the purpose of the RE after the '(' character? Which context is
> > assumed there?
> >
> > I found the following vectors:
> >
> > Alonso-Parada vectors:
> >
> > foo)(sn=100
> > foo)(&)
> > documents)(security_level=*))(&(directory=documents
> > printer)(uid=*)
> > printer)(department=fa*)
> >
> > printer)(department=*fa*)
> > *)(objectClass=*))(&(objectClass=void
> > *)(objectClass=users))(&(objectClass=foo
> > void)(objectClass=users))(&(objectClass=void)
> >
> >
> > Exploit DB:
> >
> > ka0x)(|(homedirectory=*)
> > 5faa0382d747b754)(sn=*
> > 5faa0382d747b754)!(sn=*
> >
> > Burp:
> >
> > eb9adbd87d)(sn=*
> > eb9adbd87d)!(sn=*
> > *)(sn=*
> > *)!(sn=*
> >
> >
> >
> > 2.  Some trivial LDAPi vectors are not detected. For example,
> >
> > printer)(uid=*)
> >
> > from Alonso-Parada slides
> >
> > https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
> >
> > Thanks.
> >
> >
> >
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >
>
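The vectors quoted in the thread, run through the rule's regular expression, as an added example that is not part of the thread and not CRS code. It keeps the CRS pattern verbatim, additionally splits it into its three top-level alternatives so that each hit can be attributed to the branch that fired, and lists which of the quoted vectors produce no match at all. The branch names, the `VECTORS` list and the helper functions are mine; the script also assumes that the input has been lowercased before matching, which stands in for the rule's transformation chain and is an assumption rather than something taken from the rule text.

```python
import re

# The LDAP injection pattern from the CRS rule quoted in the thread, verbatim,
# only split across string literals for readability.
CRS_LDAPI = (
    r"(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?="
    r"|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()"
    r"|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])"
)

# The same three alternatives as separate patterns (names are mine), so a hit
# can be attributed to the branch that produced it:
#   open_paren_attr_eq : "(" + one of the listed attribute names + "="
#   open_paren_op_open : "(" + one of ! & | + another "("
#   close_open_op      : ")" + "(" + one of ! & |
BRANCHES = {
    "open_paren_attr_eq":
        r"\(\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=",
    "open_paren_op_open":
        r"\([^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\(",
    "close_open_op":
        r"\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|]",
}

# Constructed input: the payloads quoted in the thread (Alonso-Parada, Exploit DB, Burp).
VECTORS = [
    "foo)(sn=100",
    "foo)(&)",
    "documents)(security_level=*))(&(directory=documents",
    "printer)(uid=*)",
    "printer)(department=fa*)",
    "printer)(department=*fa*)",
    "*)(objectClass=*))(&(objectClass=void",
    "*)(objectClass=users))(&(objectClass=foo",
    "void)(objectClass=users))(&(objectClass=void)",
    "ka0x)(|(homedirectory=*)",
    "5faa0382d747b754)(sn=*",
    "5faa0382d747b754)!(sn=*",
    "eb9adbd87d)(sn=*",
    "eb9adbd87d)!(sn=*",
    "*)(sn=*",
    "*)!(sn=*",
]


def normalise(value):
    # Assumption: the value is lowercased before the pattern is applied, which is
    # how the mixed-case "objectClass" vectors can hit the lowercase attribute names.
    return value.lower()


def matches(value):
    """True if the verbatim CRS pattern fires anywhere in the (normalised) value."""
    return re.search(CRS_LDAPI, normalise(value)) is not None


def branches_hit(value):
    """Names of the top-level alternatives that fire for this value, in pattern order."""
    v = normalise(value)
    return [name for name, pat in BRANCHES.items() if re.search(pat, v)]


def missed(vectors):
    """Vectors that none of the three branches detects."""
    return [v for v in vectors if not branches_hit(v)]


def report(vectors):
    """Map each vector to the branches it triggers (empty list = not detected)."""
    return {v: branches_hit(v) for v in vectors}


if __name__ == "__main__":
    for vector, hits in report(VECTORS).items():
        print(f"{vector!r:55} -> {', '.join(hits) or 'NOT DETECTED'}")
```

Running it shows the split Denis is asking about: the first branch only fires when the injected filter uses one of the six hard-coded attribute names, the other two only when an LDAP operator sits directly between brackets (`(&(`, `)(|`). Vectors that inject an arbitrary attribute (`)(sn=*`, `)(uid=*`) or put the operator before the bracket (`)!(sn=*`) fall outside all three, which is the gap behind question 2.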