LDAP Injection

Severity: High
Test name: LDAP Injection
Summary

LDAP injection is an attack against web applications that build LDAP statements from improperly sanitized user input. A server-side application sends search requests to the LDAP server whose filter parameters are constructed from that input. The LDAP server is a gateway to sensitive and valuable information such as user credentials, staff names and roles, networks, devices, phone numbers, etc.

Impact

This vulnerability may lead to the following:

  • Bypass authentication. An attacker can gain access without password checking.
  • Information disclosure. An attacker can gain a list of some resources or users.
  • Attribute disclosure. An attacker can check if an attribute exists.
Example

Example 1

  1. In a web application, we have the following LDAP statement for authorization, where username and pass are input parameters:
(&(user=username)(password=pass))
  2. If an attacker sends user=realUserName)(&) and any value for password, the statement becomes:
(&(user=realUserName)(&))(password=randomPassword))
  3. LDAP processes only the first complete filter, (&(user=realUserName)(&)). Because the (&) sub-filter is always true, this filter matches whenever the user exists, so the attacker enters the system without the real password.

Example 2

  1. There is an LDAP statement where resource1 and resource2 are input parameters:
(|(resource=resource1)(resource=resource2))
  2. If an attacker sends resource1)(userId=*) as the value of resource1, the query becomes:
(|(resource=resource1)(userId=*))(resource=resource2))
  3. The server ignores the trailing part (resource=resource2), since only the first complete filter is processed. As a result, it lists all the resources that correspond to "resource1" and additionally all user objects.
Location

The issue can be found in the source code on the server side.

Remedy suggestions
  • Escape all variables using the right LDAP encoding function.
  • Wherever possible, use the whitelist approach for input validation. Additional input validation can be used to detect unauthorized input before it is passed to the LDAP query.
  • Use frameworks that automatically protect against LDAP injection (such as LINQtoAD for .NET).
  • To decrease the potential damage caused by a successful LDAP injection, you should minimize the privileges assigned to the LDAP binding account in your environment.
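The following is an added example, not code from the original page: it builds the authorization filter from Example 1 both by raw concatenation and with RFC 4515 value escaping, and includes a small structural check that flags a filter whose parentheses were broken open by injected input. The function names are assumptions for this illustration.

```python
# Added example (not from the original page): filter construction from the
# page's Example 1, unsafe vs escaped, plus a structural sanity check.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    Each special character becomes a backslash followed by its two hex digits,
    e.g. ')' -> '\\29', '*' -> '\\2a'."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unsafe_auth_filter(username: str, password: str) -> str:
    """Vulnerable: raw concatenation, exactly as in the page's Example 1."""
    return f"(&(user={username})(password={password}))"


def safe_auth_filter(username: str, password: str) -> str:
    """Hardened: every user-controlled value is escaped before insertion."""
    return (f"(&(user={escape_filter_value(username)})"
            f"(password={escape_filter_value(password)}))")


def balanced(filter_str: str) -> bool:
    """Cheap structural check: a well-formed filter is one top-level group
    with balanced parentheses. Returns False when a second top-level filter
    follows the first, which is the shape an injected ')(' produces."""
    depth = 0
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(filter_str) - 1:
                return False  # filter closed early, trailing part is injected
    return depth == 0


if __name__ == "__main__":
    # Constructed sample input: the attacker payload from Example 1.
    payload = "realUserName)(&)"
    print(unsafe_auth_filter(payload, "randomPassword"), balanced(unsafe_auth_filter(payload, "randomPassword")))
    print(safe_auth_filter(payload, "randomPassword"), balanced(safe_auth_filter(payload, "randomPassword")))
```

The escaped form keeps the payload inside the user= value as literal text, so the filter still has exactly one top-level group and the (&) trick from Example 1 never reaches the LDAP server as a separate sub-filter.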
Classifications
  • CWE-90
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N