LDAP Injection (CWE-90)

CWE-90 describes LDAP Injection as follows:

“The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.”

LDAP directory services are software applications that store and organize sensitive information. Apps typically use LDAP services for the following purposes:

• Access control (user-password verification, etc.)
• Privilege management
• Resource management

 The key to exploiting LDAP through injection consists on manipulate the filters used to search into the directory services. The goal of LDAP injection attacks is to inject LDAP search filters metacharacters in a query which will be executed by the application.

A successful exploitation of LDAP injection vulnerability could allow the hacker to:

• Access unauthorized content
• Overpass application restrictions
• Add or modify objects within LDAP structure

LDAP-Injection attacks are based on the same techniques and principles of SQL-Injection attacks, i.e. the attacker takes advantage of dynamically constructed queries based on non-neutralized user input data. If the app does not properly filter input data, the attacker can inject malicious code.

First, to guess if an application is vulnerable to LDAP-injection simply try to send some data that would produce some invalid input. If the app returns an error means it executed the query with your input, therefore the app is vulnerable.

As a very basic example, let’s suppose you face an app that asks for username and password in a web form. If the app is vulnerable to LDAP-injection, it reads username and password from the HTPP request and (without any filtering) builds the LDAP filter:

String filter = "(&(USER=” + username +  ”)(PASSWORD=" + password + "))";

resulting in a LDAP filter like:

(&(USER=username)(PASSWORD=password))

If the user would know a valid username of other user (for example, “user2”), an entry like

• username=”user2)(&)”
• password=”dddddd”

will produce a filter like

(&(USER= user2)(&))(PASSWORD=password))

This constitutes two filters, but only the first will be executed. As (&) is always true, just entering a valid username, without having a valid password, will grant access to any user’s data.

LDAP Injection (CWE-90) coverage by Kiuwan

In Kiuwan, you can search rules covering LDAP-Injection (CWE-90)  filtering by Vulnerability Type (“Injection”) and/or by CWE tag (“CWE:90”). 

Kiuwan incorporates next rules for LDAP -Injection (CWE-90) for the following languages. Please, visit the documentation page for every rule to obtain detailed information on functionality, coverage, parameterization, remediation, example codes, etc.