These docs are for v1.1. Click to read the latest docs for v1.2.

LDAP Error

Severity: Medium
Test name: LDAP Injection
Summary

LDAP Injection is an attack used to exploit web applications that construct LDAP statements based on improperly sanitized user input.
An application on the server side can send a request to enter the LDAP server with specific filter parameters. The LDAP server is a gateway to sensitive and valuable information such as user credentials, staff names and roles, networks, devices, phone numbers, etc.
LDAP Error is the vulnerability type which relies on error messages thrown by the server to obtain information about the targets. Using the error message, an attacker can reveal the structure and change the construction of the LDAP statement so that they can successfully perform the LDAP injection.

Impact

This vulnerability may lead to the following:

  • Bypass authentication. An attacker can gain access without password checking.
  • Information disclosure. An attacker can gain a list of some resources or users.
  • Attribute disclosure. An attacker can check if an attribute exists.
Location

The issue can be found in the source code on the server side.

Remedy suggestions
  • Escape all variables using the right LDAP encoding function.
  • Wherever possible, use the whitelist approach for input validation. Additional input validation can be used to detect unauthorized input before it is passed to the LDAP query.
  • Use the frameworks that automatically protect against the LDAP Injection (like LINQtoAD for .NET).
  • To decrease the potential damage of a successful LDAP injection, you should minimize the privileges assigned to the LDAP binding account in your environment.
Classifications
  • CWE-90
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
References