LDAP injection
OWASP Web App Top 10
by Secure Code Warrior Limited is licensed under CC BY-ND 4.0
What is it?
“LDAP injection” is a vulnerability by which an attacker can influence back-end LDAP queries by injecting malicious LDAP statements via user-controllable input.
What causes it?
User input is used to dynamically build LDAP queries. If this input is not first validated, the LDAP query interpreter can be tricked into running arbitrary queries.
What could happen?
Sensitive information about users and hosts represented in the LDAP tree could be disclosed, modified, inserted or deleted. LDAP injection could be used to bypass access control. This weakness could lead to full system compromise.
How to prevent it?
User input (GET and POST parameters, cookies, other HTTP headers) that is used as part of an LDAP query should be sanitized first. Using safe framework encoding functions is preferred. Apply whitelist validation.
LDAP injection
Understanding the security vulnerability
Web Server → LDAP Server
Login form input: Username field: admin)(&)) ; Password field: ******* (submitted value: ignored)
An attacker submits input values that will take advantage of a backend LDAP query used to query users and passwords.
Vulnerable query construction (pseudocode from the slide, shown with the submitted values substituted into the filter):
  directorySearcher = DirectorySearcher new.
  directorySearcher.setLDAPFilter = (&(Username=admin)(&))(Password=ignored));
  results = directorySearcher.findAll();
Authentication bypass: the submitted input changes the logic of the query. Because of the additional true statement (&), the password condition will be ignored. The LDAP server returns the directory entry for ‘admin’.
Set-cookie: jsessionid=FUHOJFB0I4BW121X7281
The session cookie is returned to the browser; the attacker is now logged in as administrator. The vulnerability is exploited in order to gain control of an account without providing a valid password.
LDAP injection
Understanding the security vulnerability
Web Server → LDAP Server
User information portal, welcome!
Search user with name: *
Request: /ldap-search?user=*
Resulting filter: (uid=*)
An attacker submits input values that will take advantage of the query.
Information disclosure: the submitted input changes the logic of the query: the wildcard statement will query all users in the LDAP tree. The LDAP server returns all user records.
The vulnerability is exploited in order to gain detailed information about all the users in the LDAP tree.
User info for: ‘john doe’
cn: john doe
mail: johndoe@domain.com
-
User info for: ‘jane dee’
cn: jane dee
mail: janedee@domain2.com
-
User info for: …
LDAP injection
Realizing the impact
LDAP injection can result in information about users and hosts being disclosed, modified, or inserted. Sensitive data could get exposed, leading to privacy issues. Administrator access control could be bypassed, leading to full system compromise and causing reputational and financial damage.
LDAP injection
Preventing the mistake
- Escape variables used in LDAP queries.
  - Use framework-provided functions when available.
- Use LDAP injection resistant frameworks.
  - Automatic LDAP encoding.
- Apply whitelist input validation.
  - Use framework-provided functions when available.
- Minimize LDAP binding account privileges.
  - See also “Least Privilege”