LDAP Injection Overview

LDAP Injection attacks are not as common as the other types of injection attacks, but if your product uses an LDAP server this must be tested. An LDAP Injection could occur anywhere that the underlying code could use some type of input for any ldap searches, queries, or any other ldap function.
Example of what an LDAP injection attack could look like.

Take for example, a page that has a search box to search for users in an application. This search box could ask for a username. The underlying code would take this search query information and generate the LDAP query that will be used to search the ldap database.

For example
Enter the name to search for

Following the LDAP search query syntax, a developer attempts to narrow down the ldap query for performance. And the underlying code might perform something similar to the following
String ldapSearchQuery = “(cn=” + $username + “)”;
System.out.println(ldapSearchQuery);

If the variable $username is not validated to be an accurate and valid possible username, an ldap injection could be possible. Take for example the following types of situations

* What if the user puts an * for the search. This will return every username in the ldap database
* What if the user puts in an joe)(|(password=*). This will create a ldap search query like (cn=joe)(|(password=*) ) Which would return the users joe password.

There are all sorts of other possibilities as to what could be used with ldap injection vulnerabilities. If you are testing a software application that uses an ldap server on the backend, you must become familiar with the ldap searching syntax and what the possible ldap searches you can perform with it.
How do you fix the LDAP Injection vulnerability?

Input validation!!! The underlying code needs to verify the correct input using a white list. If the input is verified against a white list using a regular expression then the input could be rejected and the end user would need to input the correct data. Don’t let a malicious user mis-use your application. Verify that the input is validated and that there is not the ability to inject additional ldap information, especially the () | * characters.

Explore More

How to Remove Windows Genuine Advantage Notifications

Windows genuine advantage notifications occur when your computer hasn’t passed the validation test. The validation test can be failed due to being sold a pirated (non-genuine) copy of XP, or

Read More

Hard disk data recovery – Recover from damaged disk? Wipe out the harddisk to avoid spying

Think of the time you take to copy a 1 GB file to the hard disk drive and the time taken to delete the same file. Doesn’t it take very

Read More

Tips and Tricks about Gmail

While Web-based email is nothing new, Gmail introduces some new and unique concepts. Managing email has become very easy while at the same time having powerful tools to find and

Read More