LDAP Injection (CWE-90)

Overview

Description

LDAP (Lightweight Directory Access Protocol) is the protocol used to communicate with directory services; it runs over TCP/IP. A directory service is an attribute-based, hierarchical database that holds information about the systems, applications, users and groups in an organization, and it is commonly used both to store that data and to control access to it. A client sends an LDAP query to retrieve the entries it needs.

LDAP injection is very similar to SQL injection. Where an application builds an LDAP query by concatenating user input into it, an attacker supplies input that changes the structure of the query, and the directory then returns data, or grants access, that the attacker is not entitled to.

An LDAP query carries a search filter (RFC 4515) that selects which entries of the directory are returned. Filters are written in prefix notation inside parentheses and are built from:

  • Logical operators : & (AND), | (OR), ! (NOT), written before their operands, e.g. (&(a=1)(b=2))
  • Match operators : = , >= , <= , ~= (approximate match); a value of * tests for presence, e.g. (cn=*)
  • Absolute TRUE : (&) (an AND with no operands; it matches every entry)
  • Absolute FALSE : (|) (an OR with no operands; it never matches an entry)

Example

To authenticate a user, an application might build the LDAP filter like this: find("(&(cn=" + username + ")(userPassword=" + pass + "))")

This searches for an entry whose cn equals the given username and whose userPassword equals the given password; if an entry comes back, the login is accepted.

If username and password are taken straight from a web form, an attacker can submit the username *)(cn=*))(|(cn=* together with any password, and the filter becomes

find("(&(cn=*)(cn=*))(|(cn=*)(userPassword=" + pass + "))")

The first complete filter, (&(cn=*)(cn=*)), matches every entry that has a cn, so the password is never checked at all. Whether the login actually succeeds depends on how the server parses the string: a lenient parser evaluates only that first filter and ignores what follows, so the search returns entries and the check passes; a strict parser rejects the malformed filter with an error. Either way the input has reached the query unescaped.

There are many other payloads of the same kind, for example ones that use | to OR in a condition the attacker controls, or that use wildcard filters such as (cn=a*) to guess attribute values one character at a time from the presence or absence of results.

Impact

  • Disclosure of sensitive organizational data held in the directory.
  • Disclosure of employee details such as name, mobile number, address and email address.
  • Authentication bypass where the directory is used for login decisions, as in the example above.
  • Reputational damage and financial loss to the organization.

Prevention

  • Never trust user input.
  • Validate user input against an allow-list rather than a block-list before it goes into an LDAP query.
  • Escape every user-supplied value placed in a search filter as RFC 4515 specifies: \ becomes \5c, * becomes \2a, ( becomes \28, ) becomes \29 and NUL becomes \00. A value placed in a distinguished name needs the separate DN escaping of RFC 4514. Prefer the escaping function of the LDAP library in use over a hand-written one.
  • Where only a simple identifier is expected, allow alphanumeric input only, and reject the request if it contains any other symbol or LDAP filter syntax.
  • Do not verify passwords by comparing userPassword in a filter; look the user up with an escaped filter and then perform an LDAP bind as that user, so that the directory itself checks the password.
  • Give the application's directory account, and every user, the least privilege needed.
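
The following is an added example, not code from the original page. It builds the page's authentication filter both by raw concatenation and with RFC 4515 escaping, then evaluates each against a small constructed in-memory directory using a minimal filter parser, so the injection payload from the Example section can be watched succeeding against a lenient parser and failing against a strict one or against the escaped filter. The directory contents, the entry names and the function names are all assumptions made for illustration.

```python
import re

# Added example (not from the original page). Sample directory, names and
# helper functions below are constructed for illustration only.

# Characters RFC 4515 requires to be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username, password):
    """The page's vulnerable construction: raw string concatenation."""
    return "(&(cn=" + username + ")(userPassword=" + password + "))"


def build_filter_safe(username, password):
    """The same filter with every user-supplied value escaped."""
    return "(&(cn=%s)(userPassword=%s))" % (
        escape_filter_value(username), escape_filter_value(password))


def _unescape(value):
    """Turn RFC 4515 \\xx hex escapes back into the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse one filter; return (node, trailing_text). Supports &, |, ! and attr=value."""
    if not text.startswith("("):
        raise ValueError("filter must start with '('")
    body = text[1:]
    if body[:1] in ("&", "|"):
        op, rest, children = body[0], body[1:], []
        while rest.startswith("("):
            child, rest = parse_filter(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unterminated %s filter" % op)
        return (op, children), rest[1:]
    if body[:1] == "!":
        child, rest = parse_filter(body[1:])
        if not rest.startswith(")"):
            raise ValueError("unterminated ! filter")
        return ("!", [child]), rest[1:]
    # Simple item: an escaped ')' is '\29', so the first raw ')' ends the item.
    end = body.index(")")
    attr, _, value = body[:end].partition("=")
    return ("=", attr.lower(), value), body[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of lower-case attr -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])  # (&) is absolute TRUE
    if kind == "|":
        return any(matches(c, entry) for c in node[1])  # (|) is absolute FALSE
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence filter
        return bool(values)
    if "*" in value:  # substring filter; only a raw '*' is a wildcard, '\2a' is literal
        pattern = "^" + ".*".join(re.escape(_unescape(p)) for p in value.split("*")) + "$"
        return any(re.match(pattern, v) for v in values)
    return _unescape(value) in values  # equality match


def search(filter_text, directory, strict=False):
    """Return the entries matching the filter. A lenient server evaluates only the first
    complete filter and ignores trailing text; a strict server rejects it (ValueError)."""
    node, trailing = parse_filter(filter_text)
    if strict and trailing:
        raise ValueError("trailing data after filter: %r" % trailing)
    return [e for e in directory if matches(node, e)]


# Constructed sample directory. LDAP attribute names are case-insensitive, so keys are lower-case.
DIRECTORY = [
    {"cn": ["admin"], "userpassword": ["hunter2"]},
    {"cn": ["alice"], "userpassword": ["wonderland"]},
]


def authenticate(username, password, build=build_filter_safe, strict=False):
    """The page's check: the login succeeds if the filter matches at least one entry.
    A filter the server rejects counts as a failed login."""
    try:
        return bool(search(build(username, password), DIRECTORY, strict=strict))
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "*)(cn=*))(|(cn=*"  # the username from the Example section
    print(build_filter_unsafe(payload, "x"))
    print("unsafe filter, lenient server:", authenticate(payload, "x", build_filter_unsafe))
    print("unsafe filter, strict server: ", authenticate(payload, "x", build_filter_unsafe, strict=True))
    print("escaped filter, lenient server:", authenticate(payload, "x", build_filter_safe))
```

Running it shows the concatenated filter logging the attacker in with any password on a lenient parser, the strict parser refusing the malformed filter, and the escaped filter turning the whole payload into a single literal cn value that matches nothing. The parser is deliberately small and is not a replacement for a real LDAP library; the point is the escaping function and the two server behaviours it has to be correct against.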

Tools