LDAP Injection

What is LDAP?
LDAP is a Lightweight Directory Access Protocol which is used by LDAP servers to store, retrieve and manage the data. LDAP communicates via LDAP Queries which is similar to SQL queries. Using LDAP queries different operations are performed like add, update, delete, get, search, etc.
What is an LDAP Injection?
When untrusted and un-sanitized user inputs are used to craft an LDAP query, an attacker may apply payload to change the intended behavior of the original query, this vulnerability is called an LDAP Injection. Just like an SQL Injection, LDAP Injection also allows an attacker to access the data and modify or delete it. Thus, it is as severe as an SQL Injection. 
Example and Exploitation:
We will take a simple and basic example of an authentication bypass using LDAP Injection. Let's assume an application is using the following LDAP query to authenticate the user with username and password.

find("(&(cn=" + username +")(userPassword=" + pass +"))")

In the above query, if the username parameter is not sanitized or validated properly, it may be vulnerable to LDAP Injection. An attacker may take advantage to this situation and try payload [*)(cn=*))(|(cn=*] and try to temper the original behavior of the query as shown below:

find("(&(cn=*)(cn=*))(|(cn=*)(userPassword=" + pass +"))")

In the above query, we can see how the red-colored payload can create a condition (Underlined) which is always true. By this way, an attacker can exploit the LDAP Injection and bypass the authentication.
How to prevent LDAP Injection?

A developer can use a proper validation structure, encoding and escaping to avoid LDAP Injection. The web application should validate each input parameter not only the client-side but the server-side as well. Moreover, an application use the framework that provides automatic protection from LDAP Injection like LINQtoAD for .NET.

0 Comments