LDAP Injection Overview

LDAP Injection attacks are not as common as the other types of injection attacks, but if your product uses an LDAP server this must be tested. An LDAP Injection could occur anywhere that the underlying code could use some type of input for any ldap searches, queries, or any other ldap function.
Example of what an LDAP injection attack could look like.

Take for example, a page that has a search box to search for users in an application. This search box could ask for a username. The underlying code would take this search query information and generate the LDAP query that will be used to search the ldap database.

For example
Enter the name to search for

Following the LDAP search query syntax, a developer attempts to narrow down the ldap query for performance. And the underlying code might perform something similar to the following
String ldapSearchQuery = “(cn=” + $username + “)”;
System.out.println(ldapSearchQuery);

If the variable $username is not validated to be an accurate and valid possible username, an ldap injection could be possible. Take for example the following types of situations

* What if the user puts an * for the search. This will return every username in the ldap database
* What if the user puts in an joe)(|(password=*). This will create a ldap search query like (cn=joe)(|(password=*) ) Which would return the users joe password.

There are all sorts of other possibilities as to what could be used with ldap injection vulnerabilities. If you are testing a software application that uses an ldap server on the backend, you must become familiar with the ldap searching syntax and what the possible ldap searches you can perform with it.
How do you fix the LDAP Injection vulnerability?

Input validation!!! The underlying code needs to verify the correct input using a white list. If the input is verified against a white list using a regular expression then the input could be rejected and the end user would need to input the correct data. Don’t let a malicious user mis-use your application. Verify that the input is validated and that there is not the ability to inject additional ldap information, especially the () | * characters.

Explore More

Hacking Your Computer – Physical Access is Total Access

Hacking Your Computer – Physical Access is Total Access Table of Contents -Disclaimer -Introduction Part 1: Gaining Access -LiveCDs -Windows Option 1: Cracking the Password -Windows Option 2: Circumventing the

Read More

How Can You Protect Yourself from Google Hacking?

The first step for protecting yourself from something is knowing how that something works. In the case of Google hacking, you will have to learn how it can be used

Read More

Critical SQL Injection in All About Myanmar

PlanetCreator reported another Critical SQL injection (vulnerability) on All About Myanmar (Beta) URL : http://www.allaboutmyanmar.com/ SQL injection is a code injection technique that exploits a security vulnerability occurring in the

Read More