LDAP Injection
What is LDAP Injection?
LDAP injection is a security vulnerability that allows attackers to abuse an application's interaction with a Lightweight Directory Access Protocol (LDAP) server.
It occurs when an application fails to properly sanitize user input and places the untrusted data directly into an LDAP query, allowing attackers to insert LDAP metacharacters that change the intended meaning of the query.
LDAP injection can affect any application that queries an LDAP server, such as web applications, directory services, and authentication systems.
Attackers can inject through any input that reaches the directory, such as search filter values, search base paths, or other query parameters, in order to alter the query or the entries it returns or modifies.
What is the impact of LDAP Injection?
LDAP injection can lead to various security threats and risks, such as:
- Information disclosure: LDAP injection can expose sensitive information, such as user data, login credentials, or other types of confidential information, to unauthorized parties.
- Unauthorized access: LDAP injection can allow attackers to gain unauthorized access to LDAP servers, perform unauthorized actions, or modify data.
- Denial of service: LDAP injection can cause a denial of service (DoS) by injecting queries or values that consume server resources, such as CPU or memory, leading to crashes or slowdowns.
How to prevent LDAP Injection?
To prevent LDAP injection, it is important to follow security best practices and implement appropriate security measures, such as:
- Use input validation: Validate user input against an allow-list of expected characters and lengths, and reject input containing LDAP special characters (such as `*`, `(`, `)`, `\` and NUL) unless they are explicitly required.
- Use parameterized queries: Use parameterized queries or your LDAP library's escaping functions so that user input is escaped and never concatenated directly into a filter or distinguished name.
- Use secure LDAP libraries and frameworks: Prefer libraries and frameworks that provide escaping and input-validation helpers rather than building filter strings by hand.
- Limit LDAP server access: Bind to the directory with a least-privilege account, limit access to authorized users, and restrict which entries, attributes and operations the application can reach.
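The following is an added example (not code from the original page) that ties the description above to the prevention advice: a filter built by string concatenation next to a hardened version that escapes the value, plus an allow-list validator for usernames and an escaper for distinguished-name values. The escaping tables are taken from RFC 4515 (search filters) and RFC 4514 (DNs); the function and attribute names, and the sample inputs in the `__main__` block, are constructed for illustration.

```python
"""Escaping and validating untrusted input before it reaches an LDAP filter or DN.

Added example for this page; it is not the original article's code and does
not depend on any LDAP client library, so it runs offline.
"""
import re

# RFC 4515 section 3: inside a filter assertion value these characters must be
# written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever match literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value used inside a distinguished name (RFC 4514 2.4).

    Required escapes: '"', '+', ',', ';', '<', '>', '\\', NUL, a leading '#'
    or space, and a trailing space.  '=' is escaped too; the RFC allows it.
    """
    special = set(',+"\\<>;=')
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in special:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


# Allow-list validation: hypothetical username policy for this example.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(username: str) -> bool:
    """Accept only usernames made of letters, digits, '.', '_' and '-'."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_login_filter_unsafe(username: str) -> str:
    # BEFORE: untrusted text is concatenated straight into the filter, so any
    # '*', '(' or ')' in the input becomes part of the filter's structure.
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter(username: str) -> str:
    # AFTER: the value is escaped, so the same input matches only a uid that
    # literally contains those characters.
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def build_user_dn(username: str, base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """Build a DN for an entry; base_dn is a constructed example value."""
    return f"uid={escape_dn_value(username)},{base_dn}"


if __name__ == "__main__":
    # Constructed inputs: a normal name and one that is just a wildcard.
    for name in ("alice", "*"):
        print("input:", repr(name), "valid:", is_valid_username(name))
        print("  unsafe:", build_login_filter_unsafe(name))
        print("  safe:  ", build_login_filter(name))
    print(build_user_dn("Smith, John"))
```

Validation and escaping are complementary: the allow-list rejects a wildcard-only username outright, while the escaper protects any field whose character set cannot be restricted (display names with commas, for instance) when it is written into a filter or a DN.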
References
Taxonomies
- OWASP Top 10 - A03 Injection
- CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Explanation & Prevention
- OWASP: LDAP Injection
- OWASP: LDAP Injection Cheat Sheet
- WASC-29: LDAP Injection
- LDAP Injection Guide: Learn How to Detect LDAP Injections and Improve LDAP Security