This guide will describe LDAP Injection in more detail.
CWE-90 describes LDAP Injection as follows:
“The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.”
LDAP directory services are software applications that store and organize sensitive information. Apps typically use LDAP services for the following purposes:
The key to exploiting LDAP through injection consists of manipulating the filters used to search into the directory services.
The goal of LDAP injection attacks is to inject LDAP search filters metacharacters in a query which will be executed by the application.
A successful exploitation of LDAP injection vulnerability could allow the hacker to:
LDAP-Injection attacks are based on the same techniques and principles of SQL-Injection attacks, i.e. the attacker takes advantage of dynamically constructed queries based on non-neutralized user input data. If the app does not properly filter input data, the attacker can inject malicious code.
To guess if an application is vulnerable to LDAP-injection simply try to send some data that would produce some invalid input. If the app returns an error means, it executed the query with your input, therefore the app is vulnerable. Remember, that this “tactical” approach (trial and error) can be substituted by Kiuwan analysis: it will show to you all LDAP injection points.
As a very basic example, let’s suppose you face an app that asks for username and password in a web form. If the app is vulnerable to LDAP-injection, it reads username and password from the HTPP request and (without any filtering) builds the LDAP filter:
resulting in a LDAP filter like:
If the user would know a valid username of another user (for example, “user2”), an entry like
will produce a filter like
This constitutes two filters, but only the first will be executed.
As (&) is always true, just entering a valid username, without having a valid password, will grant access to any user’s data.
In Kiuwan, you can search rules covering LDAP injection (CWE-90) filtering by
Kiuwan incorporates following rules for LDAP-Injection (CWE-90) for the following languages.
To obtain detailed information on functionality, coverage, parameterization, remediation, example codes, etc., follow the same steps as described in SQL Injection.