
LDAP Injection Vulnerability, Explained

by Sachindra (@sachindra149), June 30th, 2020


LDAP, or Lightweight Directory Access Protocol, is a methodology designed to read data in a directory, file or device. It is a directory access service which can, for instance, provide information about a user who is trying to log in as part of a single sign-on (SSO) process.

A common use of LDAP is to provide centralised authentication: it can validate users before allowing them access to restricted modules of an application. LDAP's main job is to extract information in a usable format from an Active Directory (AD), which is a domain controller containing huge, cryptic data. LDAP uses a simple, string-based query to extract information from the AD.

LDAP injection is a vulnerability in which query statements are built from untrusted input that is not properly sanitized or validated. The attack relies on special characters supplied as input parameters; those characters affect the type and number of objects that can be retrieved from the AD. If a malicious user can submit input containing them, they can alter the query and change its intended behaviour.

The queries that are submitted to the server are known as LDAP search filters. They are constructed using prefix notation. If the input placed in a filter is not properly sanitized or validated, it can change the meaning of the query and return all the users in the AD. Special characters like "*" can create other malicious queries as well. There are many LDAP injection loopholes that can be exploited on a vulnerable server.

How to prevent LDAP injection:

  • Strong input validation
  • Escape input with encoding
  • Strict directory authorization