LDAP Injection Overview

LDAP Injection attacks are not as common as the other types of injection attacks, but if your product uses an LDAP server this must be tested. An LDAP Injection could occur anywhere that the underlying code could use some type of input for any ldap searches, queries, or any other ldap function.
Example of what an LDAP injection attack could look like.

Take for example, a page that has a search box to search for users in an application. This search box could ask for a username. The underlying code would take this search query information and generate the LDAP query that will be used to search the ldap database.

For example
Enter the name to search for

Following the LDAP search query syntax, a developer attempts to narrow down the ldap query for performance. And the underlying code might perform something similar to the following
String ldapSearchQuery = “(cn=” + $username + “)”;
System.out.println(ldapSearchQuery);

If the variable $username is not validated to be an accurate and valid possible username, an ldap injection could be possible. Take for example the following types of situations

* What if the user puts an * for the search. This will return every username in the ldap database
* What if the user puts in an joe)(|(password=*). This will create a ldap search query like (cn=joe)(|(password=*) ) Which would return the users joe password.

There are all sorts of other possibilities as to what could be used with ldap injection vulnerabilities. If you are testing a software application that uses an ldap server on the backend, you must become familiar with the ldap searching syntax and what the possible ldap searches you can perform with it.
How do you fix the LDAP Injection vulnerability?

Input validation!!! The underlying code needs to verify the correct input using a white list. If the input is verified against a white list using a regular expression then the input could be rejected and the end user would need to input the correct data. Don’t let a malicious user mis-use your application. Verify that the input is validated and that there is not the ability to inject additional ldap information, especially the () | * characters.

Explore More

Useful Free Windows Programs Under 2MB

Belarc AdvisorBuilds a detailed profile of your installed software and hardware and displays the results in your Web browser. ShowIPShows ones Private and Public IP address and alerts you of

Read More

Devilzc0de SQL Injection Tool (mysql&mssql)

Ok guys welcome to new product from Devilzc0de, this time we dedicate this all in one sql injection tool for you.So.. what is devilzc0desql? this is a very sophisticated sql

Read More

How to Hack Windows XP Computer Passwords

1. Know that if you are still logged on to the Administrator account you can change user profiles using the following steps. * Go to the green “Start Button” and

Read More