Lightweight Directory Access Protocol (LDAP) injection

OWASP 2013-A1 OWASP 2017-A1 CWE-20 WASC-29 CAPEC-136 WSTG-INPV-06

Lightweight Directory Access Protocol (LDAP) injection is a class of attack used to compromise the authentication process of many websites. An LDAP directory stores information as objects, which include people, servers, printers and roles. If the directory is used for a web application’s authentication, an attacker can enter crafted input into a user input field; when that input reaches the directory unsanitised, the attacker gains unauthorised access to the directory and can view and change usernames and passwords. LDAP injection is similar to SQL injection: both techniques are exploitable because of unsanitised input. Where a server fails to properly sanitise user input, an attacker can modify LDAP statements (for example by altering requests with a local proxy), resulting in the execution of malicious operations such as granting permissions to unauthorised queries and modifying content inside the LDAP tree.

An application can be exploited using LDAP injection because of the following factors:

  • Use of an unsafe, non-parameterised LDAP query interface.
  • Unnecessary use of LDAP authentication for users.

Impact

LDAP injection can be used to access information on users, their roles, their permissions and more. Disclosure of this information can have catastrophic effects on the application and the server behind it.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Use the correct LDAP encoding function for escaping the variables.
  • Try to use frameworks for protecting the application from LDAP injection.
  • Implement least privilege for the LDAP binding account used by the application.
  • Use a whitelisted input validation technique to protect the server.
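As an added example (not code from the Beagle page), the first and last recommendations above in Python: an allowlist check on the login name, RFC 4515 escaping for filter values and RFC 4514 escaping for DN values (the two differ, which is why the "correct" encoding function matters), shown beside the vulnerable concatenation pattern. The filter shape and the sample inputs are constructed for the demonstration.

```python
"""Added example: escaping user input before it reaches an LDAP filter or DN,
with an allowlist check in front. Standard library only; inputs are constructed."""
import re
from typing import Optional

# RFC 4515: characters that must be hex-escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514: characters that must be backslash-escaped inside a DN attribute value.
_DN_ESCAPES = {ch: "\\" + ch for ch in ',+"\\<>;'}
_DN_ESCAPES["\x00"] = r"\00"
# Allowlist for a login name: only these characters, bounded length.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an attribute value in a DN (RFC 4514).
    Besides the special characters, a leading space or '#' and a trailing
    space must be escaped; filter escaping would NOT cover these."""
    chars = [_DN_ESCAPES.get(ch, ch) for ch in value]
    if chars and chars[-1] == " ":
        chars[-1] = "\\ "
    if chars and chars[0] in (" ", "#"):
        chars[0] = "\\" + chars[0]
    return "".join(chars)


def unsafe_login_filter(username: str) -> str:
    """The vulnerable pattern: raw concatenation lets filter metacharacters
    change the structure of the query instead of being matched as data."""
    return f"(&(uid={username})(objectClass=person))"


def build_login_filter(username: str) -> Optional[str]:
    """Allowlist first, escape second (defence in depth).
    Returns None when the input is rejected, so the caller never queries."""
    if not _USERNAME_RE.fullmatch(username):
        return None
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"


if __name__ == "__main__":
    crafted = "*)(uid=*"  # constructed input containing filter metacharacters
    print(unsafe_login_filter(crafted))  # filter now has extra assertions
    print(build_login_filter(crafted))   # None: rejected before any query
    print(escape_filter_value(crafted))  # metacharacters neutralised as data
    print(escape_dn_value("Doe, John"))  # comma escaped for DN context
```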
