LDAP Injection Overview
LDAP Injection attacks are not as common as the other types of injection attacks, but if your product uses an LDAP server this must be tested. An LDAP Injection could occur anywhere that the underlying code could use some type of input for any ldap searches, queries, or any other ldap function.
Example of what an LDAP injection attack could look like.
Take for example, a page that has a search box to search for users in an application. This search box could ask for a username. The underlying code would take this search query information and generate the LDAP query that will be used to search the ldap database.
For example
Enter the name to search for
Following the LDAP search query syntax, a developer attempts to narrow down the ldap query for performance. And the underlying code might perform something similar to the following
String ldapSearchQuery = “(cn=” + $username + “)”;
System.out.println(ldapSearchQuery);
If the variable $username is not validated to be an accurate and valid possible username, an ldap injection could be possible. Take for example the following types of situations
* What if the user puts an * for the search. This will return every username in the ldap database
* What if the user puts in an joe)(|(password=*). This will create a ldap search query like (cn=joe)(|(password=*) ) Which would return the users joe password.
There are all sorts of other possibilities as to what could be used with ldap injection vulnerabilities. If you are testing a software application that uses an ldap server on the backend, you must become familiar with the ldap searching syntax and what the possible ldap searches you can perform with it.
How do you fix the LDAP Injection vulnerability?
Input validation!!! The underlying code needs to verify the correct input using a white list. If the input is verified against a white list using a regular expression then the input could be rejected and the end user would need to input the correct data. Don’t let a malicious user mis-use your application. Verify that the input is validated and that there is not the ability to inject additional ldap information, especially the () | * characters.