Every pen tester looks forward to that next encounter that includes one of those uncommon vulnerabilities that ultimately result in an exciting session of exploration and learning. During a recent web penetration test I ran across one of these rare gems when I started seeing some odd behavior on a forgot password form. In this case I was fortunate to be working virtually across the table from a development team member who could verify our hypotheses by reading through the code.
more here...........http://blog.secureideas.com/2015/02/adventures-in-ldap-injection-exploiting.html
more here...........http://blog.secureideas.com/2015/02/adventures-in-ldap-injection-exploiting.html