Lightweight Directory Access Protocol (LDAP) injection

Febna V M
Published on
24 Jun 2018
1 min read

Lightweight Directory Access Protocol injection is a type of security exploits used to compromise the authentication process used by many websites. LDAP directories present in websites using LDAP stores information as objects. The LDAP objects include people, servers, printers and roles. If the directory is used for web application’s authentication, the attacker can enter malicious code into the user input field. This action by the attacker will gain him, an unauthorised access to the directory, view and change usernames and passwords. LDAP injection is similar to SQL injection because both injection techniques can be exploited because of unsanitised input. There are servers that fail to properly sanitise user input, the attacker can modify LDAP statements using a local proxy resulting in the execution of malicious commands such as granting permissions to unauthorised queries and content modification inside the LDAP tree.

An application can be exploited using LDAP injection because of the following factors:-

  • Use of Unsafe and parameterised LDAP query interface.
  • unnecessary use of LDAP authentication for users.


LDAP injection can be used to access information on users, their roles, their permissions and many more. If this information is released, the application may have catastrophic effects on the server.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Use the correct LDAP encoding function for escaping the variables.
  • Try to use frameworks for protecting the application from LDAP injection.
  • Implement least privilege to LDAP binding account present in the application.
  • Use a whitelisted input validation technique to protect the server.
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Febna V M
Febna V M
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.