LDAP Injection

Overview

LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and manipulating directory services. Websites may interact with stored data via LDAP queries. LDAP Injection attacks occur when an attacker is able to manipulate the LDAP queries carried out by the website. In doing so, the attacker can potentially view, modify and destroy any data stored in LDAP.

What makes a site vulnerable?

LDAP Injection is made possible when the website constructs LDAP queries using poorly validated user input. By being able to insert input into the query, the attacker can potentially modify the structure of the query in such a way as to be able to carry out LDAP operations which users were never meant to perform.

Impact of the attack

The attacker can potentially view, modify and destroy any data stored in LDAP. Additionally, the attacker may be able to exploit mechanisms, such as login mechanisms, which rely on the information contained in LDAP.

Preventing the attack

LDAP injection attacks can be prevented by eliminating the use of user input in the construction of LDAP queries. Where this is not practical, the attacks can be prevented through proper validation of user input prior to use. If user input does not match a strict format known to be handled correctly by the application, then the query should not be executed.
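The following is an added example, not code from the original page: it contrasts raw concatenation of a login name into a search filter with the strict-format validation described above, and adds escaping of filter metacharacters as defined in RFC 4515 as a second layer. The username format (letters, digits, dot, underscore, hyphen) and the `uid`/`objectClass=person` filter shape are assumptions chosen for the example.

```python
import re

# RFC 4515 search-filter escaping: these characters change the structure of a
# filter, so each is replaced by a backslash and its two-digit hex code.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Strict format for a login name (assumption for this example):
# 1 to 64 characters from letters, digits, dot, underscore and hyphen.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_username(value: str) -> bool:
    """True only if the whole value matches the expected login-name format."""
    return _USERNAME_RE.fullmatch(value) is not None


def build_login_filter_unsafe(username: str) -> str:
    # Vulnerable pattern, shown for contrast: the raw input is pasted into the
    # filter, so any filter metacharacter it contains rewrites the query.
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter(username: str) -> str:
    """Hardened version: refuse input outside the strict format, then escape.

    Raises ValueError instead of running a query with unexpected input.
    """
    if not validate_username(username):
        raise ValueError("username does not match the expected format")
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"
```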