LDAP Injection

LDAP injection is a critical security vulnerability that occurs when applications fail to properly sanitize user input before incorporating it into LDAP queries. This oversight allows attackers to manipulate directory service operations, potentially leading to unauthorized access, data breaches, or system compromise. Similar to SQL injection, this attack targets Lightweight Directory Access Protocol (LDAP) directories, which are commonly used for authentication and user management in enterprise environments.

Key Points

LDAP injection exploits unsanitized input in LDAP queries to alter intended functionality.
Attackers can bypass authentication, access restricted data, or modify directory contents.
Common in applications using LDAP for user authentication or directory services.
Prevention requires input validation and secure query construction.

How LDAP Injection Works

The Attack Mechanism

LDAP queries typically follow this structure:

(&(attribute=value)(objectClass=user))

When user input is directly concatenated into queries, attackers can inject malicious payloads:

(&(username=*)(password=anything))

The * wildcard character forces the query to match all entries, bypassing authentication.

Common Exploitation Scenarios

Attack Type	Example Payload	Impact
Authentication Bypass	`)(uid=))(	(uid=*`
Data Enumeration	`)(objectClass=`	Extract all directory entries
Privilege Escalation	`admin)(	(password=*`

Critical Insight: LDAP injection vulnerabilities often exist in login forms, search functions, and user profile management interfaces.

Prevention and Mitigation

Secure Coding Practices

Input Validation
- Implement strict whitelisting of allowed characters.
- Reject inputs containing special characters like (, ), *, |, &.

Query Construction

Use parameterized queries or LDAP libraries that handle escaping.

Example (Java):

// Secure approach using prepared statements
DirContext ctx = new InitialDirContext(env);
String filter = "(&(uid={0})(objectClass=user))";
ctx.search("ou=users", filter, new String[]{username}, controls);

Additional Protections
- Implement least privilege access for LDAP service accounts.
- Enable LDAP signing and channel binding where possible.
- Regularly update directory service software.

Detection Methods

Static Analysis: Scan code for string concatenation in LDAP queries.
Dynamic Testing: Use tools like Burp Suite to test for injection points.
Logging: Monitor for unusual query patterns in LDAP logs.

Real-World Impact

Case Study: Corporate Directory Breach

A financial institution suffered a data breach when attackers exploited an LDAP injection vulnerability in their employee portal. The attackers:

Discovered the vulnerability in the login form.
Used payload *)(userPassword=* to dump all user credentials.
Gained access to sensitive financial systems.

Post-Incident Findings: The application concatenated user input directly into LDAP queries without validation, and lacked proper logging of authentication attempts.

Industry Statistics

LDAP injection accounts for 8% of all directory service vulnerabilities (Verizon DBIR 2023).
62% of tested applications had some form of LDAP injection vulnerability (Positive Technologies).
Average cost of an LDAP-related breach: $3.86 million (IBM Cost of a Data Breach Report).

Testing for LDAP Injection

Manual Testing Techniques

Basic Test: Input * in username/password fields.
- Expected: Application rejects or properly escapes the input.
- Vulnerable: Returns all users or bypasses authentication.
Boolean-Based Testing:
```
username: admin)(|(password=*
password: anything
```
- Vulnerable: Logs in as admin without valid password.
Time-Based Testing (for blind injection):
```
username: *)(uid=*))(|(uid=*))(sleep=5
```

Automated Tools

OWASP ZAP: Includes LDAP injection scanning.
Burp Suite: Manual testing with intruder module.
Nmap: ldap-brute script for testing.

Comparison with Other Injection Attacks

Attack Type	Target System	Common Payloads	Prevention Focus
LDAP Injection	Directory Services	`)(uid=`, `admin)(	`
SQL Injection	Databases	`' OR 1=1 --`, `UNION SELECT`	Prepared statements, ORM
Command Injection	Operating Systems	`; cat /etc/passwd`, `&& rm -rf`	Input sanitization, shell escaping
XPath Injection	XML Documents	`' or '1'='1`, `//user[position()=1]`	XPath variable binding

Learn More

Essential Resources

Recommended Tools

Tool	Purpose	Link
LDAPFuzz	LDAP injection fuzzing	https://github.com/0x90/ldapfuzz
JXplorer	LDAP browser for testing	http://jxplorer.org/
Softerra LDAP Browser	Directory exploration	https://www.ldapadministrator.com/

Key Points

LDAP injection exploits unsanitized input in LDAP queries to alter intended functionality.
Attackers can bypass authentication, access restricted data, or modify directory contents.
Common in applications using LDAP for user authentication or directory services.
Prevention requires input validation and secure query construction.

How LDAP Injection Works

The Attack Mechanism

LDAP queries typically follow this structure:

(&(attribute=value)(objectClass=user))

When user input is directly concatenated into queries, attackers can inject malicious payloads:

(&(username=*)(password=anything))

The * wildcard character forces the query to match all entries, bypassing authentication.

Common Exploitation Scenarios

Attack Type	Example Payload	Impact
Authentication Bypass	`)(uid=))(	(uid=*`
Data Enumeration	`)(objectClass=`	Extract all directory entries
Privilege Escalation	`admin)(	(password=*`

Critical Insight: LDAP injection vulnerabilities often exist in login forms, search functions, and user profile management interfaces.

Prevention and Mitigation

Secure Coding Practices

Input Validation
- Implement strict whitelisting of allowed characters.
- Reject inputs containing special characters like (, ), *, |, &.

Query Construction

Use parameterized queries or LDAP libraries that handle escaping.

Example (Java):

// Secure approach using prepared statements
DirContext ctx = new InitialDirContext(env);
String filter = "(&(uid={0})(objectClass=user))";
ctx.search("ou=users", filter, new String[]{username}, controls);

Additional Protections
- Implement least privilege access for LDAP service accounts.
- Enable LDAP signing and channel binding where possible.
- Regularly update directory service software.

Detection Methods

Static Analysis: Scan code for string concatenation in LDAP queries.
Dynamic Testing: Use tools like Burp Suite to test for injection points.
Logging: Monitor for unusual query patterns in LDAP logs.

Real-World Impact

Case Study: Corporate Directory Breach

A financial institution suffered a data breach when attackers exploited an LDAP injection vulnerability in their employee portal. The attackers:

Discovered the vulnerability in the login form.
Used payload *)(userPassword=* to dump all user credentials.
Gained access to sensitive financial systems.

Post-Incident Findings: The application concatenated user input directly into LDAP queries without validation, and lacked proper logging of authentication attempts.

Industry Statistics

LDAP injection accounts for 8% of all directory service vulnerabilities (Verizon DBIR 2023).
62% of tested applications had some form of LDAP injection vulnerability (Positive Technologies).
Average cost of an LDAP-related breach: $3.86 million (IBM Cost of a Data Breach Report).

Testing for LDAP Injection

Manual Testing Techniques

Basic Test: Input * in username/password fields.
- Expected: Application rejects or properly escapes the input.
- Vulnerable: Returns all users or bypasses authentication.
Boolean-Based Testing:
```
username: admin)(|(password=*
password: anything
```
- Vulnerable: Logs in as admin without valid password.
Time-Based Testing (for blind injection):
```
username: *)(uid=*))(|(uid=*))(sleep=5
```

Automated Tools

OWASP ZAP: Includes LDAP injection scanning.
Burp Suite: Manual testing with intruder module.
Nmap: ldap-brute script for testing.

Comparison with Other Injection Attacks

Attack Type	Target System	Common Payloads	Prevention Focus
LDAP Injection	Directory Services	`)(uid=`, `admin)(	`
SQL Injection	Databases	`' OR 1=1 --`, `UNION SELECT`	Prepared statements, ORM
Command Injection	Operating Systems	`; cat /etc/passwd`, `&& rm -rf`	Input sanitization, shell escaping
XPath Injection	XML Documents	`' or '1'='1`, `//user[position()=1]`	XPath variable binding

Learn More

Essential Resources

Recommended Tools

Tool	Purpose	Link
LDAPFuzz	LDAP injection fuzzing	https://github.com/0x90/ldapfuzz
JXplorer	LDAP browser for testing	http://jxplorer.org/
Softerra LDAP Browser	Directory exploration	https://www.ldapadministrator.com/

LDAP Injection

Key Points

How LDAP Injection Works

The Attack Mechanism

Common Exploitation Scenarios

Prevention and Mitigation

Secure Coding Practices

Detection Methods

Real-World Impact

Case Study: Corporate Directory Breach

Industry Statistics

Testing for LDAP Injection

Manual Testing Techniques

Automated Tools

Comparison with Other Injection Attacks

Learn More

Essential Resources

Recommended Tools

Further Reading

LDAP Injection

Key Points

How LDAP Injection Works

The Attack Mechanism

Common Exploitation Scenarios

Prevention and Mitigation

Secure Coding Practices

Detection Methods

Real-World Impact

Case Study: Corporate Directory Breach

Industry Statistics

Testing for LDAP Injection

Manual Testing Techniques

Automated Tools

Comparison with Other Injection Attacks

Learn More

Essential Resources

Recommended Tools

Further Reading