LDAP injection

From HandWiki

In computer security, LDAP injection is a code injection technique used to exploit web applications which could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores.[1][2][3] LDAP injection exploits a security vulnerability in an application by manipulating input parameters passed to internal search, add or modify functions. When an application fails to properly sanitize user input, it is possible for an attacker to modify an LDAP statement.

Technical Implementation

LDAP injection occurs when user input is not properly sanitized and then used as part of a dynamically generated LDAP filter. This results in potential manipulation of the LDAP statements performed on the LDAP server to either view, modify, or bypass authentication credentials.[1]

Prevention

LDAP injection is a known attack and can be prevented by simple measures. All of the client supplied input must be checked/sanitized of any characters that may result in malicious behavior. The input validation should verify the input by checking for the presence of special characters that are a part of the LDAP query language, known data types, legal values, etc.[2] White list input validation can also be used to detect unauthorized input before it is passed to the LDAP query.

Example

In the below example a query is constructed to validate a user's credentials for the purpose of logging in.

String filter = “(&(USER = ” + user_name + “) (PASSWORD = “ + user_password + “))”;

In a typical use case, a user would provide their user credentials and this filter would be used to validate these credentials. However, an attacker can enter a crafted input for the variable user_name such as johnDoe)(&) and any value for password. The finished query will then become (&(USER = johnDoe)(&))(PASSWORD = pass)). Only the first portion of this query is processed by the LDAP server (&(USER = johnDoe)(&), which always evaluates to true allowing the attacker to gain access to the system without needing to provide valid user credentials.

See also

References

  1. 1.0 1.1 Alonso, J. M.; Bordon, R.; Beltran, M.; Guzman, A. (1 November 2008). "LDAP injection techniques". 2008 11th IEEE Singapore International Conference on Communication Systems. pp. 980–986. doi:10.1109/ICCS.2008.4737330. ISBN 978-1-4244-2423-8. 
  2. 2.0 2.1 "The Web Application Security Consortium / LDAP Injection". http://projects.webappsec.org/w/page/13246947/LDAP%20Injection. Retrieved 9 December 2016. 
  3. Varanasi, Balaji (2013-11-26) (in en). Practical Spring LDAP: Enterprise Java LDAP Development Made Easy. Apress. p. 97. ISBN 978-1-4302-6398-2. https://books.google.com/books?id=cTrRAQAAQBAJ&pg=PA97. Retrieved 9 December 2016.