info ‐ LDAP Injection - taylorjohn/hacking GitHub Wiki
LDAP Injection
LDAP injection is a security vulnerability that occurs when user-supplied input is placed into an LDAP query (a search filter or a distinguished name) without validation or escaping. An attacker who controls that input can change the structure of the query rather than just its values, and can use the altered query to read entries and attributes the application never intended to expose, bypass authentication logic that relies on the query, or otherwise act on the directory with the application's privileges. The usual impact is information disclosure and privilege escalation.
Description
LDAP (Lightweight Directory Access Protocol) injection occurs when an application constructs LDAP queries from user-supplied input without proper validation or encoding. Attackers inject LDAP filter syntax (wildcards, parentheses, operators) or DN syntax into input fields or parameters, altering the logic of the query and potentially returning entries or performing actions the application did not intend. LDAP injection vulnerabilities are commonly found in applications that authenticate users against a directory or look up user and group information in it, such as login forms, user search pages and single sign-on integrations.
How to Inject
Attackers exploit LDAP injection by supplying input that the application concatenates into a filter or a DN, so that characters with syntactic meaning (*, (, ), |, &, !, \ and, in DNs, commas and equals signs) change the structure of the query instead of being treated as literal data. Common techniques include:
- LDAP Filter Injection: The attacker injects filter syntax to change the logic of the search filter. This may involve replacing an exact match with a wildcard so that every entry matches, closing the current assertion early and appending a condition of the attacker's choosing, or adding an always-true OR branch so that a restrictive AND filter no longer restricts anything.
- Search Query Injection: The attacker manipulates the other parts of a search request, typically the base DN or the search scope, when those are built from user input. A crafted DN component can move the search to a different subtree, and a widened filter combined with a broad base DN can return entries and attributes the application was never meant to expose.
How to Protect
Protecting against LDAP injection requires a combination of secure coding practices and server-side hardening. Key measures include:
- Input Validation and Encoding: Validate user-supplied input against an allowlist of the characters the field legitimately needs; an account name, for instance, has no business containing *, (, ), \ or NUL. Any value that still has to be placed in a filter must be escaped per RFC 4515 (* becomes \2a, ( becomes \28, ) becomes \29, \ becomes \5c, NUL becomes \00), and any value placed in a DN must be escaped per RFC 4514, which has different rules; the two encodings are not interchangeable.
- Parameterized Queries: LDAP has no bind-parameter mechanism comparable to SQL prepared statements, so "parameterized" here means using the escaping functions or filter-builder API your LDAP library provides instead of concatenating user input into a filter string yourself. Authenticate users with an LDAP bind operation using their own credentials, never with a search filter that compares a password attribute.
- Least Privilege: Bind the application with a dedicated service account that can read only the subtree and attributes it needs. A read-only account that cannot see password or other sensitive attributes limits what a successful injection can return.
- LDAP Server Configuration: Enforce access controls on the server so that sensitive attributes are never returned to the application account regardless of the filter, set size and time limits on searches so that a wildcard filter cannot dump the directory, and log the filters the server receives so that unexpected wildcards or extra assertions can be detected.
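As an added example (not code from the taylorjohn/hacking wiki), the following Python shows the concatenation pattern described under How to Inject next to the escaping that the How to Protect list calls for: RFC 4515 escaping for filter values, RFC 4514 escaping for DN values, and an allowlist check on the account name. The attribute names, the base DN and the function names are assumptions for illustration; the escaping rules are the ones in the two RFCs, implemented here by hand so that the block runs without an LDAP library.

```python
"""Added example, not part of the taylorjohn/hacking wiki: an LDAP filter built
by concatenation next to one built with RFC 4515 escaping, plus RFC 4514 DN
escaping and an allowlist check. Attribute names, base DN and function names
are assumptions for illustration."""
import re

# RFC 4515 section 3: characters that must be encoded as a backslash followed by
# two hex digits when they appear inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is treated as a literal assertion value in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a DN (RFC 4514 2.4).

    The rules differ from filter escaping: the separators , + " \\ < > ; are
    escaped with a backslash, a leading # or space and a trailing space are
    escaped, and NUL is written as \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


# Assumed allowlist for an account name: letters, digits, dot, underscore, hyphen.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_username(username: str) -> bool:
    """Allowlist check; rejects filter and DN metacharacters outright."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_user_filter_vulnerable(username: str) -> str:
    """The pattern the page warns about: raw input concatenated into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def build_user_filter_safe(username: str) -> str:
    """Same query with the value escaped, so injected syntax stays a literal."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def build_user_dn(username: str, base_dn: str = "OU=Users,DC=example,DC=com") -> str:
    """Build the DN of a user entry; the RDN value gets DN escaping, not filter escaping."""
    return f"CN={escape_dn_value(username)},{base_dn}"


if __name__ == "__main__":
    # Constructed payload: closes the sAMAccountName assertion and appends a
    # memberOf condition, the "Search for Admin Users" case on this page.
    payload = "*)(memberOf=CN=Administrators,DC=example,DC=com"
    print("valid username?", validate_username(payload))
    print("vulnerable:", build_user_filter_vulnerable(payload))
    print("escaped:   ", build_user_filter_safe(payload))
    print("dn:        ", build_user_dn("Doe, John"))
```

The allowlist check comes first in a real application and rejects the payload outright; the escaping is the second layer for values that legitimately contain odd characters (display names, for example) and must still reach the directory.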
Examples of LDAP Injection
Each example assumes an application that builds its search filter by concatenating the submitted value into the template (&(objectClass=user)(sAMAccountName=INPUT)) and sends it to an Active Directory style directory. The filter shown is what the directory actually receives after injection; the intended query was a lookup of a single account.
- Retrieve User Information:
  - Description: Turns a lookup of one account into a listing of every user object. The wildcard alone is enough; no parentheses are needed to rewrite the filter.
  - Injected input: *
  - Resulting filter:
    (&(objectClass=user)(sAMAccountName=*))
- Search for Admin Users:
  - Description: Closes the sAMAccountName assertion early and appends a further condition, so the query returns only members of the Administrators group (substitute the group's real DN for the target directory).
  - Injected input: *)(memberOf=CN=Administrators,DC=example,DC=com
  - Resulting filter:
    (&(objectClass=user)(sAMAccountName=*)(memberOf=CN=Administrators,DC=example,DC=com))
- Access Sensitive Attributes:
  - Description: Adds an assertion on an attribute the application never intended to query. Whether this yields anything depends on the directory's access controls: a correctly configured directory does not let the application's bind account read or match userPassword, and Active Directory does not expose password hashes through search at all.
  - Injected input: *)(userPassword=*
  - Resulting filter:
    (&(objectClass=user)(sAMAccountName=*)(userPassword=*))
- Authenticate User with Brute Force:
  - Description: Applies when the application checks a password by searching for it in a filter instead of performing an LDAP bind. The attacker fixes the account name and submits wildcard prefixes (a*, b*, ab*, ...) as the password; each filter that returns the entry confirms one more character, so the password is recovered character by character rather than by enumerating every possible value. This only works where the directory permits substring matching on the password attribute, which it should not; the application-side fix is to authenticate with a bind using the user's credentials, never with a filter comparison.
  - Injected input (password field): a*
  - Resulting filter:
    (&(objectClass=user)(sAMAccountName=admin)(userPassword=a*))
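To make the four examples above concrete, here is an added example (not code from the taylorjohn/hacking wiki) that parses the subset of RFC 4515 filter syntax they use (&, |, !, equality, presence and substring assertions) and evaluates it against a constructed in-memory directory, so each injected filter can be seen returning more than the intended single entry. The three entries, their attribute values and the function names are made up for illustration, and a real directory would additionally apply access controls and would not expose userPassword to a search.

```python
"""Added example, not from the taylorjohn/hacking wiki: a minimal evaluator for
the filter subset used on this page, run against a constructed directory to
show what each injected filter returns. Entries, attribute values and function
names are assumptions for illustration."""
import re

# Constructed sample directory. Real directories do not expose userPassword to
# search like this; it is included only so the page's filters have data to hit.
DIRECTORY = [
    {"dn": "CN=admin,OU=Users,DC=example,DC=com", "objectClass": ["user"],
     "sAMAccountName": ["admin"], "userPassword": ["abc123"],
     "memberOf": ["CN=Administrators,DC=example,DC=com"]},
    {"dn": "CN=jdoe,OU=Users,DC=example,DC=com", "objectClass": ["user"],
     "sAMAccountName": ["jdoe"], "userPassword": ["hunter2"], "memberOf": []},
    {"dn": "CN=printers,OU=Groups,DC=example,DC=com", "objectClass": ["group"],
     "member": ["CN=jdoe,OU=Users,DC=example,DC=com"]},
]


def parse_filter(text):
    """Parse a filter string into a nested tuple tree; ValueError on bad syntax."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos] if pos < len(text) else ""
    if op and op in "&|!":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"unbalanced parentheses at offset {pos}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), pos + 1
    # Simple assertion: escaped parentheses appear as \28 / \29, so the first
    # raw ')' terminates it.
    end = text.find(")", pos)
    if end == -1:
        raise ValueError("unterminated assertion")
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad assertion {text[pos:end]!r}")
    return ("=", attr, value), end + 1


def _unescape(part):
    """Turn RFC 4515 \\XX escapes back into the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)


def _assertion_matches(values, value):
    if value == "*":                       # presence assertion
        return bool(values)
    parts = [_unescape(p) for p in value.split("*")]
    if len(parts) == 1:                    # equality (exact, for simplicity)
        return parts[0] in values
    pattern = ".*".join(re.escape(p) for p in parts)   # substring assertion
    return any(re.fullmatch(pattern, v, re.DOTALL) for v in values)


def _matches(entry, node):
    op = node[0]
    if op == "&":
        return all(_matches(entry, c) for c in node[1])
    if op == "|":
        return any(_matches(entry, c) for c in node[1])
    if op == "!":
        return not _matches(entry, node[1][0])
    _, attr, value = node
    return _assertion_matches(entry.get(attr, []), value)


def search(filter_text, directory=DIRECTORY):
    """Return the DNs of entries matching the filter, like a subtree search."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if _matches(e, node)]


def is_well_formed(filter_text):
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(search("(&(objectClass=user)(sAMAccountName=*))"))
    print(search("(&(objectClass=user)(sAMAccountName=*)(memberOf=CN=Administrators,DC=example,DC=com))"))
    for guess in ("a*", "b*", "abc*"):      # character-by-character guessing
        print(guess, search(f"(&(objectClass=user)(sAMAccountName=admin)(userPassword={guess}))"))
    # The same payload escaped per RFC 4515 is a literal and matches nothing.
    print(search(r"(&(objectClass=user)(sAMAccountName=\2a\29\28memberOf=CN=Administrators,DC=example,DC=com))"))
```

The evaluator treats equality as an exact string comparison, which is stricter than a real directory (most string syntaxes match case-insensitively); that simplification does not affect which of the page's filters match. is_well_formed is handy for checking a filter before it is sent, since a filter with unbalanced parentheses is rejected by the server rather than silently narrowed.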
By understanding the risks associated with LDAP injection and implementing robust security measures, developers can mitigate the risk of exploitation and protect their applications from unauthorized access to LDAP directories.