
A recent scan of a .NET web application detected an LDAP injection vulnerability in a field that was used for a username assigned to an instance of a custom class named User.

After stepping through the code, I found that the User instance was given the System.Security.Principal.WindowsPrincipal instance, and did in fact send an authentication request for the supplied username to the hosting computer's IIS server, appearing as a logon event in the Security logs.

I haven't yet been able to consistently get a response for the injection for both positive and negative LDAP query results, but it seems very possible, and I'm working to get another scan with the same results. I'm having some trouble, but haven't reached a wall yet.

Validating against a whitelist will prevent the classObject string from being injected, but I think using the User string in .NET shouldn't be done for this reason; however, I'm also wondering about the System.Security.Principal.WindowsPrincipal namespace being an LDAP injection vulnerability itself.

Are there any ways to prevent this besides whitelist validation, while still allowing the System namespace to be used in a .cs file? Or should the User classes, intended to be custom, be changed to another string?

tuson
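As an added example (not code from the question or the answer), this is the defensive handling a reviewer would ask for on the username field: an allow-list check as the first line of defence, plus RFC 4515 escaping of filter metacharacters so the value can never close or extend the LDAP filter even if the allow-list is later loosened. The attribute name, the allow-list pattern and the class name are assumptions.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not from the question or answer. Two layers for a username
// before it reaches an LDAP filter: an allow-list check and RFC 4515 escaping.
public static class LdapUserName
{
    // Assumed allow-list: sAMAccountName-style names, 1 to 64 characters.
    private static readonly Regex Allowed =
        new Regex(@"^[A-Za-z0-9._-]{1,64}$", RegexOptions.Compiled);

    public static bool IsAllowed(string userName) =>
        !string.IsNullOrEmpty(userName) && Allowed.IsMatch(userName);

    // Escape the characters RFC 4515 treats specially inside a filter value.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Reject before escaping so a hostile value is logged, never queried.
    // Assumed attribute: sAMAccountName.
    public static string BuildFilter(string userName)
    {
        if (!IsAllowed(userName))
            throw new ArgumentException("username rejected by allow-list");
        return "(&(objectClass=user)(sAMAccountName=" +
               EscapeFilterValue(userName) + "))";
    }

    public static void Main()
    {
        Console.WriteLine(BuildFilter("alice"));
        // Escaping alone, shown on a constructed value with metacharacters.
        Console.WriteLine(EscapeFilterValue("smith (contractor)*"));
        try { BuildFilter("smith (contractor)*"); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The resulting filter string is what would be assigned to a DirectorySearcher's Filter property; with the allow-list in place the escaping is redundant, which is the point of defence in depth.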

1 Answer

I can infer from your question that you are using a SPNEGO LDAP Web Server Delegation Authentication scenario.

  • This means you shouldn't be allowing anonymous authentication in IIS: since you're delegating to IIS to authenticate the user, your app has no choice but to accept whatever answer IIS gives it. If you have anonymous authentication, it might be possible for a user to claim to be someone that he is not.

  • Also, System.Security.Principal.WindowsPrincipal is usually used to find out which user is running the application, and System.Web.HttpContext.User is the right object for identifying the user logged in through the web request.

This analysis might be way off; I would need to see the application pool configuration, IIS configuration and authentication module implementation details to be sure of what is going on.

Sandokas

  • Thank you. In regards to the WindowsPrincipal, this is what the hover description gave for the instance of User during debugging, which seems odd considering your information. I'm going to check out the configs for IIS. I'm also going to see if I can debug the core library to see why the User instance is being created automatically. Thanks for your answer, and to the person who cleaned up my question's format. – tuson Feb 27 '14 at 21:01