LDAP Injection
Reference
Plugin Id: 40015 | CWE: 90
Remediation
To prevent LDAP Injection, the following measures should be taken:
- Input validation: Validate all user-supplied input against an allowlist (for example, the characters a username may legitimately contain) before it reaches an LDAP query, and reject anything that does not match. Where a value must be accepted as-is, escape it for the context it lands in: inside a search filter the metacharacters `*`, `(`, `)`, `\` and NUL are escaped as `\2a`, `\28`, `\29`, `\5c` and `\00` (RFC 4515), while inside a distinguished name a different set (`,`, `+`, `"`, `\`, `<`, `>`, `;`, a leading `#` or space, and a trailing space) is backslash-escaped (RFC 4514). Prefer the escaping helper your LDAP client library provides over a hand-written one.
- Safe filter construction: LDAP has no prepared statements in the SQL sense, so "parameterized queries" here means building filters through an API that escapes every value for you (a filter builder or escape helper in the LDAP client library) instead of concatenating strings. User-supplied input then only ever appears as an assertion value, never as part of the filter structure, so an attacker cannot add, close or negate filter components. For authentication, verify the password by binding to the directory as the user rather than by comparing it in a search filter.
- Least privilege principle: Bind the application with a dedicated directory account that has only the rights its function needs, typically read access to a limited subtree and set of attributes and no write access at all. Even a successful injection can then read or change no more than that account can.
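The three measures above combined in one place, as an added example that is not code from the original page: an allowlist check, RFC 4515 filter escaping and RFC 4514 DN escaping implemented by hand so the script runs without an LDAP client library (real code should use the library's own helpers), a deliberately vulnerable filter next to its hardened form, and a bind DN built for password verification by bind rather than by filter comparison. The directory layout `ou=people,dc=example,dc=com`, the `uid` attribute and the username allowlist are assumptions for illustration, and the attacker inputs are constructed.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter
# assertion value (written as a backslash followed by two hex digits).
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# RFC 4514 section 2.4: characters that must be backslash-escaped inside a
# DN attribute value (plus a leading '#' or space, a trailing space, and NUL).
_DN_SPECIAL = set('"+,;<>\\')

# Defence-in-depth step 1: an allowlist for what a username may look like.
# Assumed for this example; adapt it to the directory's real naming rules.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_username(username: str) -> bool:
    """Allowlist check: reject anything that is not a plain account name."""
    return bool(_USERNAME_RE.fullmatch(username))


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_filter_vulnerable(username: str) -> str:
    """Deliberately vulnerable: the raw input becomes part of the filter."""
    return f"(&(objectClass=inetOrgPerson)(uid={username}))"


def user_filter_safe(username: str) -> str:
    """Hardened: the input is escaped, so it can only ever be a literal value."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


def user_bind_dn(username: str, base: str = "ou=people,dc=example,dc=com") -> str:
    """Build the DN to bind with when verifying a password, instead of comparing
    userPassword inside a search filter. DN escaping differs from filter
    escaping, so a separate function is used. The base DN is an assumption."""
    return f"uid={escape_dn_value(username)},{base}"


if __name__ == "__main__":
    # Constructed attacker inputs: a lone wildcard turns the lookup into
    # "every person in the directory"; the second tries to splice in an OR
    # branch; the third ends in a backslash to corrupt the next escape.
    for attacker in ("*", "admin)(|(uid=*", "alice\\"):
        print("input:     ", attacker)
        print("vulnerable:", user_filter_vulnerable(attacker))
        print("hardened:  ", user_filter_safe(attacker))
        print("allowed:   ", validate_username(attacker))
        print()
    print(user_bind_dn("o'brien, pat"))
```

Note that `user_filter_safe` alone does not make the authentication flow safe if the application still compares the password in the filter; the bind DN from `user_bind_dn` is what the application should authenticate with.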
About
LDAP Injection is a vulnerability that arises when user-supplied input is placed into an LDAP query (a search filter or a distinguished name) without proper validation or escaping. LDAP (Lightweight Directory Access Protocol) is a widely used protocol for accessing and managing directory information services, and its search filters are parenthesised expressions in which characters such as `*`, `(`, `)` and `\` carry meaning. By supplying those characters, an attacker can change the logic of the filter the application builds, and thereby bypass authentication controls, read entries and attributes that were never meant to be exposed, or otherwise gain unauthorized access to the directory.
Risks
The risks associated with LDAP Injection include:
- Unauthorized access: An attacker who controls part of a search filter can change which entries it matches, for example turning a lookup for one account into a wildcard that matches every account, and thereby log in as a different user or retrieve entries and attributes the application never intended to expose.
- Data manipulation: A search filter cannot by itself modify the directory, but where user input reaches the distinguished name or attribute values of an add, modify or delete operation, an attacker can change or remove entries. This can result in data corruption, loss of data integrity, or disruption of the directory service.
- Privilege escalation: If the account the application binds with has elevated rights in the directory, the injection inherits them: an attacker may read privileged attributes, alter group memberships or credentials, and ultimately gain administrative control of the directory, with the compromise of the entire directory service as the worst case.