zaproxy / zaproxy

The ZAP core project
https://www.zaproxy.org
Apache License 2.0

LDAP Injection #8519

Closed jitendra-90 closed 1 month ago

jitendra-90 commented 3 months ago

Describe the bug

Getting an LDAP Injection High alert on a URL while that URL does not exist in the application.

Request:

    GET https://pentestingapp.azurewebsites.net/.git HTTP/1.1
    host: pentestingapp.azurewebsites.net
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Connection: keep-alive
    Cookie: ARRAffinity=92ca53ad8db4fbb93d4d3b7d8ab54dcf8ffecb2d731f25b0e91ad575d7534c3f; ARRAffinitySameSite=92ca53ad8db4fbb93d4d3b7d8ab54dcf8ffecb2d731f25b0e91ad575d7534c3f; .AspNetCore.Antiforgery.9fXoN5jHCXs=CfDJ8M0wyS_0YC9LvkHdMgGLGWWEa3FAHQnn9HNKGFQKItdoqLfFH7AvDEj6MuoXQMG3IYxE9fZUjTmbCv_EXAOn4fHmbzZIDeL08kO7Q4CK2m3WPUfonOU80xbVAUO2oJ5SthRBxClrcJtIhC0OA5IcYI
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: none
    Sec-Fetch-User: ?1
    Priority: u=1
    x-zap-scan-id: 40035

Response:

    HTTP/1.1 404 Not Found
    Content-Length: 0
    Date: Thu, 13 Jun 2024 00:04:31 GMT
    Server: Microsoft-IIS/10.0
    Strict-Transport-Security: max-age=2592000
    Request-Context: appId=cid-v1:f91cc84e-d41a-464a-b202-cd5c7d2d81bd
    Cross-Origin-Resource-Policy: same-site
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: script-src 'self'
    X-Powered-By: ASP.NET

Steps to reproduce the behavior

Not Reproduced

I am getting this alert for these types of URLs:

    GET: https://pentestingapp.azurewebsites.net/.git
    GET: https://pentestingapp.azurewebsites.net/.idea
    GET: https://pentestingapp.azurewebsites.net/.ssh
    GET: https://pentestingapp.azurewebsites.net/.svn

Expected behavior

Not Reproduced

Software versions

2.15.0

Screenshots

No response

Errors from the zap.log file

No response

Additional context

No response

Would you like to help fix this issue?

kingthorin commented 3 months ago

What are the details of the alert? What’s the response content of the message associated with the alert?

psiinon commented 3 months ago

We definitely need more details. Ideally the full (redacted) alert, but at the very least the evidence.

jitendra-90 commented 3 months ago

Alert Name: LDAP Injection
URL: https://pentestingapp.azurewebsites.net/.git
Risk: High
Confidence: Medium
Parameter: Host
Attack: Equivalent LDAP expression: [pentestingapp.azurewebsites.net)(objectClass=]. Random parameter: [wrhap49idji0re6og0e7b9vw7r9pr2a].
Evidence:
CWE ID: 90
WASC ID: 29
Source: Active (40015 - LDAP Injection)
Input Vector: HTTP Header
Description: LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.
Other Info: parameter [host] on [GET] [https://pentestingapp.azurewebsites.net/.git] may be vulnerable to LDAP injection, by using the logically equivalent expression [pentestingapp.azurewebsites.net)(objectClass=], and FALSE expression [wrhap49idji0re6og0e7b9vw7r9pr2a].
Solution: Validate and/or escape all user input before using it to create an LDAP query. In particular, the following characters (or combinations) should be deny listed: & |
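As an added illustration (not ZAP's own code and not the implementation of rule 40015), the following Python models the comparison the alert's Other Info describes (the logically equivalent expression should behave like the original value, the random FALSE expression differently) and shows why an empty 404 body satisfies it trivially. The body returned for the random Host value and the `triage` rule are assumptions.

```python
from difflib import SequenceMatcher

# Constructed sample based on the issue: the .git request got a 404 with an
# empty body for the original Host value; an equally empty 404 is ASSUMED for
# the "equivalent expression" value, and a different front-end error page is
# ASSUMED for the random Host value (the issue does not show those responses).
ORIGINAL_BODY = ""        # HTTP/1.1 404 Not Found, Content-Length: 0 (from the issue)
EQUIVALENT_BODY = ""      # Host: pentestingapp.azurewebsites.net)(objectClass=  (assumed)
RANDOM_BODY = "<h1>Error 404 - Web app not found.</h1>"  # Host: wrhap49... (assumed)


def similarity(a: str, b: str) -> float:
    """Body similarity in [0, 1]. Two empty bodies are, trivially, identical."""
    if not a and not b:
        return 1.0
    return SequenceMatcher(None, a, b).ratio()


def differential_verdict(original: str, random_param: str, equivalent: str,
                         threshold: float = 0.9) -> bool:
    """Simplified model of the logic the alert text describes: raise when the
    random FALSE value changes the response but the logically equivalent
    expression leaves it unchanged. Not ZAP's algorithm."""
    random_differs = similarity(original, random_param) < threshold
    equivalent_same = similarity(original, equivalent) >= threshold
    return random_differs and equivalent_same


def triage(alert: dict) -> str:
    """Hypothetical triage rule: with no response body there is no behavioural
    difference to measure, so such a finding needs manual review."""
    if alert["status"] == 404 and alert["body_len"] == 0 and not alert["evidence"]:
        return "likely-false-positive: empty 404 response, nothing to compare"
    return "review"


ISSUE_ALERT = {  # fields copied from the alert posted in the issue
    "plugin": 40015, "param": "Host", "status": 404, "body_len": 0, "evidence": "",
}

if __name__ == "__main__":
    # True: an empty body equals any other empty body, so the heuristic fires
    print(differential_verdict(ORIGINAL_BODY, RANDOM_BODY, EQUIVALENT_BODY))
    print(triage(ISSUE_ALERT))
```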

jitendra-90 commented 3 months ago

I have shared the whole information of this alert.