LDAP Injection
In computer security, LDAP injection is a code injection technique used to exploit web applications that build LDAP (Lightweight Directory Access Protocol) statements from user input. A successful attack can reveal sensitive user information or modify information held in the LDAP directory. The vulnerability arises when an application passes unsanitized input to its internal search, add or modify functions: instead of supplying a value, the attacker alters the structure of the LDAP statement itself.


Technical implementation

LDAP injection occurs when user input is not properly sanitized or escaped and is then used as part of a dynamically generated LDAP search filter or distinguished name (DN). The metacharacters of the filter syntax, the parentheses, the asterisk, the backslash and the NUL byte, and the separators of the DN syntax let an attacker change the structure of the statement executed on the LDAP server, in order to view or modify directory data or to bypass authentication.


Prevention

LDAP injection is a well-known attack and can be prevented by simple measures. Every piece of client-supplied input that reaches an LDAP statement must be escaped according to the syntax it is inserted into: values placed inside a search filter according to RFC 4515 (the characters *, (, ), \ and NUL become \2a, \28, \29, \5c and \00), and values placed inside a distinguished name according to RFC 4514. Input validation should additionally check each field against its expected data type, length and legal values, and an allow-list (white-list) of permitted characters detects unauthorized input before it is passed to the LDAP query. Escaping is the primary control, because an allow-list cannot be applied to every field (a password, for instance); the two should be combined rather than substituted for one another. Where the LDAP library in use provides its own escaping helpers, they should be preferred over hand-written ones.
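The following is an added example and not code from the original article. It implements the two escaping routines the paragraph above calls for, RFC 4515 escaping for values inside a search filter and RFC 4514 escaping for values inside a distinguished name, next to an allow-list check, and shows the vulnerable concatenation beside its escaped form. The attribute names (uid, ou, dc), the base DN and the username allow-list are assumptions chosen for illustration.

```python
"""Added example, not from the article: escaping user input before it
reaches an LDAP search filter (RFC 4515 section 3) or a distinguished
name (RFC 4514 section 2.4), plus an allow-list check. Attribute names
(uid, ou, dc) and the base DN are assumptions for illustration."""
import re

# RFC 4515: these five octets may never appear literally in a filter value.
_FILTER_ESCAPES = {
    "\x00": r"\00", "(": r"\28", ")": r"\29", "*": r"\2a", "\\": r"\5c",
}


def escape_filter_value(value: str) -> str:
    """Make `value` safe to place inside (attr=...) in a search filter.

    Each special character becomes a backslash plus two hex digits, so
    the value can neither close the current clause nor open a new one,
    and '*' is matched literally instead of acting as a wildcard."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Make `value` safe as an attribute value inside a DN (uid=...,ou=...).

    RFC 4514: ',', '+', '"', '\\', '<', '>', ';' are escaped anywhere,
    '#' only at the start, a space only at the start or end, NUL as \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and i in (0, last):
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


# Allow-list (an assumption): what a login name may look like here.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(user_name: str) -> bool:
    """Reject anything outside the allow-list before it reaches LDAP."""
    return _USERNAME_RE.fullmatch(user_name) is not None


def lookup_filter_unsafe(user_name: str) -> str:
    # Raw concatenation as in the article: the user controls the structure.
    return "(uid=" + user_name + ")"


def lookup_filter_safe(user_name: str) -> str:
    """Escaped lookup: the user can only ever influence the value."""
    return "(uid=" + escape_filter_value(user_name) + ")"


def bind_dn_safe(user_name: str, base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """DN to bind as when verifying a password (instead of comparing a
    password attribute inside a filter), with the RDN value escaped."""
    return "uid=" + escape_dn_value(user_name) + "," + base_dn


if __name__ == "__main__":
    crafted = "johnDoe)(&)"
    print(is_valid_username(crafted))     # False: rejected up front
    print(lookup_filter_unsafe(crafted))  # (uid=johnDoe)(&))
    print(lookup_filter_safe(crafted))    # (uid=johnDoe\29\28&\29)
    print(bind_dn_safe("Doe, John"))      # uid=Doe\, John,ou=people,dc=example,dc=com
```

The two escaping functions are deliberately separate: a value that is safe inside a filter is not automatically safe inside a DN, and vice versa, because the two syntaxes have different metacharacters. The allow-list is applied first so that obviously malformed names are rejected outright, and escaping is still applied afterwards so that the filter is correct even for a field the allow-list does not cover.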


Example

In the example below a query is constructed to validate a user's credentials for the purpose of logging in.

    String filter = "(&(USER = " + user_name + ") (PASSWORD = " + user_password + "))";

In a typical use case, a user would provide their credentials and this filter would be used to validate them. However, an attacker can enter a crafted value for user_name such as johnDoe)(&) together with any value for the password. The finished filter then becomes

    (&(USER = johnDoe)(&)) (PASSWORD = pass))

The injected closing parenthesis ends the USER clause early, and (&) is the "absolute true" filter defined in RFC 4526, so the first complete filter, (&(USER = johnDoe)(&)), reads "USER is johnDoe AND true". A server or client library that processes only this first complete filter and silently discards the trailing (PASSWORD = pass)) therefore returns johnDoe's entry without the password ever being compared, and the attacker is logged in as johnDoe without valid credentials. The filter is not literally "always true": it matches any entry whose USER attribute is johnDoe, which is exactly what the attacker wants. A strict parser rejects the malformed filter instead, but the same unescaped input then still allows other manipulations, for example a lone asterisk as the user name or password to turn the clause into a wildcard, so escaping the values is the remedy rather than relying on the parser. (The spaces around the equals signs and between the clauses are not part of the RFC 4515 grammar; they are kept here as the example's original notation.) The example also illustrates a second weakness: verifying a password by comparing a password attribute inside a search filter is itself a poor design, since directory passwords are normally stored hashed. The usual pattern is to locate the user's entry with an escaped filter and then verify the password by binding to the directory as that entry.
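To make the effect of the crafted input concrete, the following is an added example and not code from the original article: a minimal parser and matcher for LDAP search filters (the &, |, !, equality and presence forms of RFC 4515) applied to the article's own vulnerable filter string. It parses the first complete filter, the way a lenient server would, reports the trailing text that is never evaluated, and matches the result against a constructed in-memory directory. The directory entries are made-up sample data, and the whitespace tolerance exists only because the article's filter contains spaces.

```python
"""Added example, not from the article: a minimal parser and matcher for
LDAP search filters (RFC 4515 syntax for &, |, !, equality and presence)
used to show what the injected filter in the text actually does. The
directory entries are constructed sample data; a real server stores
hashed passwords and credentials should be checked with a bind."""


def _skip_ws(text, pos):
    # RFC 4515 allows no whitespace between clauses; it is tolerated here
    # only because the article's filter has a space before (PASSWORD ...).
    while pos < len(text) and text[pos] == " ":
        pos += 1
    return pos


def parse_filter(text, pos=0):
    """Parse one complete filter at text[pos]; return (node, next_pos).

    Nodes are ('&'|'|'|'!', [children]) or ('=', attr, value). Values are
    taken literally (no unescaping), which is enough to show how an
    unescaped ')' or '(' in a value changes the structure of the filter."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("unterminated filter")
    op = text[pos]
    if op in "&|!":
        children = []
        pos = _skip_ws(text, pos + 1)
        while pos < len(text) and text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
            pos = _skip_ws(text, pos)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)            # ValueError if the clause never closes
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.strip(), value.strip()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry of the form {attr: [values]}."""
    if node[0] == "=":
        _, attr, value = node
        if value == "*":                  # presence filter (attr=*)
            return attr in entry
        return value in entry.get(attr, [])
    op, children = node
    if op == "&":
        return all(matches(c, entry) for c in children)  # (&) is True (RFC 4526)
    if op == "|":
        return any(matches(c, entry) for c in children)  # (|) is False
    return not matches(children[0], entry)


def login_filter(user_name, user_password):
    # The article's vulnerable construction, written in Python instead of Java.
    return "(&(USER = " + user_name + ") (PASSWORD = " + user_password + "))"


DIRECTORY = [  # constructed sample entries, not real data
    {"USER": ["johnDoe"], "PASSWORD": ["s3cret!"]},
    {"USER": ["alice"], "PASSWORD": ["hunter2"]},
]


def attempt_login(user_name, user_password, directory=DIRECTORY):
    """Build the filter as the article does, keep only the first complete
    filter (what a lenient server evaluates) and return
    (matched user names, trailing text that was never evaluated)."""
    text = login_filter(user_name, user_password)
    node, end = parse_filter(text)
    matched = [e["USER"][0] for e in directory if matches(node, e)]
    return matched, text[end:].strip()


if __name__ == "__main__":
    print(attempt_login("johnDoe", "s3cret!"))       # (['johnDoe'], '')
    print(attempt_login("johnDoe", "wrong"))         # ([], '')
    print(attempt_login("johnDoe)(&)", "anything"))  # (['johnDoe'], '(PASSWORD = anything))')
    print(attempt_login("*", "*"))                   # (['johnDoe', 'alice'], '')
```

The third call reproduces the article's attack: the password clause survives only as unparsed trailing text, and johnDoe's entry matches on the user name alone. The fourth call shows the wildcard variant that works even against a parser that rejects trailing text, which is why escaping the values, not parser strictness, is the fix.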


See also

* SQL injection, a similar code injection attack against SQL databases

