Hello All. I am working on RE for LDAP injection. Could anybody explain the structure of the LDAP injection detection rule?
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_40_generic_attacks.conf

Its regular expression is the following:

(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])

See the regular expression visualizer (https://jex.im/regulex) screenshot in the attachment.

My questions:

1. What is the purpose of the RE after the '(' character? Which context is assumed there?

I found the following vectors:

Alonso-Parada vectors:
foo)(sn=100
foo)(&)
documents)(security_level=*))(&(directory=documents
printer)(uid=*)
printer)(department=fa*)
printer)(department=*fa*)
*)(objectClass=*))(&(objectClass=void
*)(objectClass=users))(&(objectClass=foo
void)(objectClass=users))(&(objectClass=void)

Exploit DB:
ka0x)(|(homedirectory=*)
5faa0382d747b754)(sn=*
5faa0382d747b754)!(sn=*

Burp:
eb9adbd87d)(sn=*
eb9adbd87d)!(sn=*
*)(sn=*
*)!(sn=*

2. Some trivial LDAPi vectors are not detected. For example, printer)(uid=*) from the Alonso-Parada slides:
https://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf

Thanks.

--
Sincerely,
Denis Kolegov
@dnkolegov
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
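As an added illustration, not part of Denis's post or of the CRS project's own code: the script below takes the rule's regular expression exactly as quoted, splits it into its three alternatives, and runs it over the vectors listed in the question, reporting which branch of the expression fired. That answers question 1 (the part after '(' is two alternatives: a sensitive attribute name followed by '=', or a filter operator followed by another '(') and makes the coverage in question 2 checkable. Assumptions: the rule lowercases input before matching (t:lowercase) and no other CRS transformation is modelled; the branch labels "paren-attr", "paren-op-paren" and "close-paren-op" are mine.

```python
import re

# Regular expression from the CRS 2.x LDAP injection rule, exactly as quoted
# in the question. re.ASCII makes \w/\W behave like PCRE's ASCII classes.
LDAPI_RE = re.compile(
    r"(?:\((?:\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?="
    r"|[^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\()"
    r"|\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|])",
    re.ASCII,
)

# The same expression split into its three alternatives so a hit can be
# attributed to the branch that fired. The labels are mine, not CRS's.
BRANCHES = {
    # '(' + optional non-word chars + a sensitive attribute name + '='
    "paren-attr": re.compile(
        r"\(\W*?(?:objectc(?:ategory|lass)|homedirectory|[gu]idnumber|cn)\b\W*?=",
        re.ASCII),
    # '(' + one of ! & | + '('   e.g. "(&(" or "(|("
    "paren-op-paren": re.compile(
        r"\([^\w\x80-\xFF]*?[\!\&\|][^\w\x80-\xFF]*?\(", re.ASCII),
    # ')' + '(' + one of ! & |   e.g. ")(&": a closed filter followed by a new one
    "close-paren-op": re.compile(
        r"\)[^\w\x80-\xFF]*?\([^\w\x80-\xFF]*?[\!\&\|]", re.ASCII),
}


def normalize(value: str) -> str:
    """Assumption: the rule applies t:lowercase before @rx; other CRS
    transformations (e.g. htmlEntityDecode) are deliberately not modelled."""
    return value.lower()


def classify(value: str) -> list:
    """Return the labels of every branch that matches; empty means not detected."""
    v = normalize(value)
    return [label for label, rx in BRANCHES.items() if rx.search(v)]


def is_detected(value: str) -> bool:
    """True if the full CRS expression matches the (lowercased) input."""
    return LDAPI_RE.search(normalize(value)) is not None


# Vectors copied from the question (Alonso-Parada, Exploit DB, Burp).
VECTORS = [
    "foo)(sn=100", "foo)(&)",
    "documents)(security_level=*))(&(directory=documents",
    "printer)(uid=*)", "printer)(department=fa*)", "printer)(department=*fa*)",
    "*)(objectClass=*))(&(objectClass=void",
    "*)(objectClass=users))(&(objectClass=foo",
    "void)(objectClass=users))(&(objectClass=void)",
    "ka0x)(|(homedirectory=*)", "5faa0382d747b754)(sn=*", "5faa0382d747b754)!(sn=*",
    "eb9adbd87d)(sn=*", "eb9adbd87d)!(sn=*", "*)(sn=*", "*)!(sn=*",
]


def coverage_report(vectors=VECTORS) -> dict:
    """Map each vector to the list of branches that matched it."""
    return {v: classify(v) for v in vectors}


if __name__ == "__main__":
    for vector, hits in coverage_report().items():
        status = "DETECTED" if hits else "missed  "
        print(f"{status}  {vector:<55} {', '.join(hits)}")
```

Running it shows that only 6 of the 16 vectors match, and every match comes from a filter operator (`&`, `|`, `!`) next to a parenthesis or from one of the four listed attribute names. A vector that closes the current filter and opens a new one on an unlisted attribute, such as `printer)(uid=*)` or `*)(sn=*`, fits none of the three branches, and `*)!(sn=*` is also missed because the close-paren branch only looks for the operator after the second parenthesis, not before it.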