LDAP Injection
Introduction
LDAP injection is a type of attack that exploits the way an application builds Lightweight Directory Access Protocol (LDAP) queries from user input in order to gain unauthorized access to sensitive information. It is one of the most dangerous web application security threats, because it can be used to bypass authentication and gain access to user accounts, modify data, and even delete entire databases. Attackers use it to steal confidential information such as usernames, passwords, and credit card numbers, to modify or delete data, or even to execute malicious code on the server.
This article will provide a detailed overview of LDAP injection attacks, including examples of payloads used to bypass authentication and recommendations to prevent them.
What is LDAP Injection?
LDAP injection is a type of attack that exploits the Lightweight Directory Access Protocol (LDAP) to gain unauthorized access to sensitive information. LDAP is a protocol used to access directory services, such as Microsoft Active Directory. LDAP injection attacks can be used to bypass authentication and gain access to user accounts, modify data, and even delete entire databases.
LDAP injection is possible because of the way LDAP queries are constructed. An LDAP search consists of a base DN (distinguished name), which sets the starting point in the directory tree, and a filter. The filter is composed of one or more conditions on attributes such as the user name (uid) or password (userPassword). If an application inserts user-supplied data into the filter without escaping it, an attacker can inject additional filter syntax into the query and use it to bypass authentication or gain access to sensitive information.
Exploitation Examples
LDAP injection can be used to bypass authentication or to gain access to sensitive information. The most common form is authentication bypass, which is used to gain access to user accounts.
Authentication Bypass
Authentication bypass is the most common type of LDAP injection attack. The attacker modifies the LDAP query so that it no longer checks the credentials: for example, so that the filter always matches, regardless of the username or password.
In this example, the application inserts the username and password directly into the filter, and the attacker supplies the wildcard character * for both:
Original Query:
(&(uid=<username>)(userPassword=<password>))
Modified Query:
(&(uid=*)(userPassword=*))
This modified filter matches any entry that has both a uid and a userPassword attribute, so the search always returns a result, and an application that treats a successful match as a successful login lets the attacker in. Note that this only works when the application checks the password by matching it in the search filter rather than by binding to the directory with the user's credentials.
Data Modification
LDAP injection can also be used to modify data. For example, an attacker could alter the LDAP query to change the user’s name or email address.
In this example, the attacker changes the cn (common name) condition in the filter to the attacker’s own name:
Original Query:
(&(uid=<username>)(cn=<name>))
Modified Query:
(&(uid=<username>)(cn=<attacker’s name>))
This modified query will modify the user’s name to the attacker’s name, allowing the attacker to gain access to the user’s account.
Data Deletion
LDAP injection attacks can also be used to delete data. For example, an attacker could modify the LDAP query to delete the user’s account.
In this example, the attacker modifies the filter to delete the user’s account:
Original Query:
(&(uid=<username>))
Modified Query:
(&(uid=<username>)(objectClass=*))
This modified query will delete the user’s account, allowing the attacker to gain access to the user’s data.
Malicious Code Execution
LDAP injection attacks can also be used to execute malicious code on the server. For example, an attacker could modify the LDAP query to execute a command on the server.
In this example, the attacker modifies the filter to execute a command on the server:
Original Query:
(&(uid=<username>))
Modified Query:
(&(uid=<username>)(|(command=<malicious code>)))
This modified query will execute the malicious code on the server, allowing the attacker to gain access to the user’s data.
Prevention
LDAP injection can be prevented with proper input validation and authentication. User-supplied data must never be placed into a filter as-is: each value should be escaped so that filter metacharacters such as *, (, ), \ and the NUL byte are treated literally, or rejected when they are not expected in that field, and the query should be built with the LDAP library’s own escaping or filter-building functions rather than by string concatenation. Authentication should be used to ensure that only authorized users can access sensitive data, and the account the application uses to connect to the directory should hold only the permissions it needs.
In addition, organizations should follow security best practices such as using strong passwords, implementing two-factor authentication, and using secure protocols such as TLS/SSL (LDAPS or StartTLS) for the directory connection. Organizations should also use a web application firewall (WAF) to detect and block malicious requests, treating it as a second line of defense rather than a substitute for escaping in the application.
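As an added example (not code from the original article), the raw string concatenation behind the authentication bypass above is shown beside an escaping routine that follows RFC 4515, together with a small check a reviewer can run over the filters an application actually builds; the function names are assumptions chosen for illustration.

```python
import re

# Added example, not code from the original article. Function names are
# assumptions for illustration; the escape table follows RFC 4515.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so the server matches it literally and it
    cannot add, remove or widen conditions in the surrounding filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_login_filter(username: str, password: str) -> str:
    """The construction the article describes: raw concatenation, so the
    input '*' becomes a wildcard and the filter matches any entry."""
    return f"(&(uid={username})(userPassword={password}))"


def hardened_login_filter(username: str, password: str) -> str:
    """Same filter with both values escaped; '*' now means a literal star."""
    return f"(&(uid={escape_filter_value(username)})(userPassword={escape_filter_value(password)}))"


# One simple assertion: attribute, '=', then only escaped bytes (\xx) or
# characters that are not filter metacharacters.
_ASSERTION = re.compile(r"\(([A-Za-z][\w.-]*)=((?:\\[0-9a-fA-F]{2}|[^()*\\\x00])*)\)")


def literal_assertions(filter_str: str) -> dict:
    """Return {attribute: value} for every assertion whose value is literal.
    Useful as a review or logging check on filters built by an application."""
    return {m.group(1): m.group(2) for m in _ASSERTION.finditer(filter_str)}


def filter_is_literal(filter_str: str) -> bool:
    """True when the filter is exactly an AND of literal assertions, i.e. no
    wildcard and no injected grouping survived into the final string."""
    wrapped = filter_str.startswith("(&") and filter_str.endswith(")")
    inner = filter_str[2:-1] if wrapped else ""
    return inner != "" and "".join(m.group(0) for m in _ASSERTION.finditer(inner)) == inner
```

Escaping preserves the filter structure, but comparing userPassword inside a search filter is itself fragile; the common safe pattern is to look up the user's DN with an escaped uid and then verify the password with an LDAP bind as that DN.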
Conclusion
LDAP injection is an attack that exploits the Lightweight Directory Access Protocol (LDAP) to gain unauthorized access to sensitive information; it can be used to bypass authentication and gain access to user accounts, modify data, and even delete entire databases. This article provided an overview of LDAP injection attacks, including examples of payloads used to bypass authentication and recommendations to prevent them.