Test name: LDAP Injection
LDAP injection is an attack that exploits web applications which build LDAP statements from improperly sanitized user input. The server-side application sends a search request to the LDAP server with filter parameters derived from that input, so an attacker who controls the input can alter the filter itself. The LDAP server is a gateway to sensitive and valuable information such as user credentials, staff names and roles, networks, devices, phone numbers, etc.
This vulnerability may lead to the following:
- Authentication bypass. An attacker can gain access without the password being checked.
- Information disclosure. An attacker can obtain a list of resources or users.
- Attribute disclosure. An attacker can check whether an attribute exists.
- In a web application, we have the following LDAP statement for authorization:
- If an attacker sends user=realUserName)(&) and any value for password like:
- LDAP will process only this part: (&(user=realUserName)(&). This query is always correct, so the attacker enters the system without a true password.
- There is an LDAP statement where resource2 are input parameters:
- The LDAP query was changed like: resource = resource1)(userId=*)
- The server will ignore the part (resource=resource2) (only the first complete filter is processed). As a result, it will list all the resources that correspond to “resource1” and additionally all user objects.
The issue can be found in the source code on the server side.
- Escape all variables using the correct LDAP encoding function (filter values and distinguished names have different escaping rules).
- Wherever possible, use a whitelist approach for input validation. Additional input validation can be used to reject unauthorized input before it is passed to the LDAP query.
- Use frameworks that automatically protect against LDAP injection (such as LINQtoAD for .NET).
- To limit the damage caused by a successful LDAP injection, minimize the privileges assigned to the LDAP binding account in your environment.
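The following is an added example, not code from the original page, showing the first two remediations applied to both scenarios above: filter-value escaping per RFC 4515 and a whitelist check on the username. The exact filter shapes ((&(user=...)(password=...)) for authentication and (resource=...) for the resource lookup) and all function names are assumptions, since the page does not show its original statements.

```python
"""Added example: escaping and validating user input before it is placed
into an LDAP search filter. Illustration code, not part of the original
page; the filter shapes and helper names are assumptions."""
import re

# RFC 4515 requires these characters to be escaped inside a filter
# assertion value so they are read as data rather than filter syntax.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Whitelist for usernames (assumed policy): letters, digits, dot, underscore, hyphen.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as a literal value inside an LDAP filter.

    Single pass over the input, so an escaped backslash is never re-escaped.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_username(value: str) -> bool:
    """Whitelist check applied before the value reaches any LDAP query."""
    return _USERNAME_RE.fullmatch(value) is not None


def build_auth_filter_unsafe(user: str, password: str) -> str:
    """Vulnerable pattern: raw concatenation (kept only to show the contrast)."""
    return f"(&(user={user})(password={password}))"


def build_auth_filter(user: str, password: str) -> str:
    """Hardened version: whitelist the username, escape every value."""
    if not is_valid_username(user):
        raise ValueError("username rejected by whitelist")
    return (
        f"(&(user={escape_filter_value(user)})"
        f"(password={escape_filter_value(password)}))"
    )


def build_resource_filter(resource: str) -> str:
    """Resource lookup from the second scenario, with the value escaped
    so an injected '*' or ')(' cannot add a new filter component."""
    return f"(resource={escape_filter_value(resource)})"


def assertion_count(ldap_filter: str) -> int:
    """Number of filter components, i.e. unescaped '(' characters.

    Escaped parentheses appear as '\\28' / '\\29', so a plain count of '('
    reflects the structure the LDAP server will actually parse. A defender
    can compare this against the number of components the code intended.
    """
    return ldap_filter.count("(")


if __name__ == "__main__":
    payload = "realUserName)(&"          # constructed input from the page's first scenario
    print(build_auth_filter_unsafe(payload, "x"))   # injected component present
    print(build_auth_filter("alice", payload))      # payload survives only as literal text
    print(build_resource_filter("resource1)(userId=*)"))
```

The escaped payload still contains the attacker's text, but as data: the server compares it literally against the attribute and no extra filter component is created. In a real deployment, authenticate with an LDAP bind operation using the user's credentials rather than comparing a password attribute inside a search filter; the filter above only mirrors the page's description. Established client libraries ship equivalent escaping helpers (python-ldap's ldap.filter.escape_filter_chars, ldap3's ldap3.utils.conv.escape_filter_chars), which should be preferred over hand-rolled code.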