LDAP injection - Vulnerability Database

LDAP injection

Description

This application is vulnerable to LDAP Injection, a security flaw that occurs when user-supplied input is incorporated into LDAP queries without proper validation or sanitization. LDAP (Lightweight Directory Access Protocol) is commonly used to query and manage directory services such as Active Directory. Attackers can exploit this vulnerability by injecting special characters and LDAP filter syntax to manipulate query logic, potentially bypassing authentication mechanisms, accessing unauthorized data, or modifying directory entries.

Remediation

Implement the following security controls to prevent LDAP Injection attacks:

1. Use Parameterized LDAP Queries: Utilize LDAP libraries that support parameterized queries or prepared statements to separate user input from query logic.

2. Input Validation: Implement strict allowlist validation to accept only expected characters and formats. Reject any input containing LDAP special characters unless absolutely necessary.

3. Escape Special Characters: If user input must be included in LDAP queries, properly escape all LDAP special characters including: * ( ) \ NUL for DN (Distinguished Name) contexts and * ( ) \ NUL / , = + < > ; " # for filter contexts.

Example (Java):

// Use proper escaping for LDAP filters
String escapedInput = escapeForLDAP(userInput);
String filter = "(uid=" + escapedInput + ")";

// Escaping function for LDAP filter values: each filter metacharacter is replaced by its \XX hex escape (RFC 4515)
public static String escapeForLDAP(String input) {
    StringBuilder sb = new StringBuilder();
    for (char c : input.toCharArray()) {
        switch (c) {
            case '\\': sb.append("\\5c"); break;
            case '*':  sb.append("\\2a"); break;
            case '(':  sb.append("\\28"); break;
            case ')':  sb.append("\\29"); break;
            case '\0': sb.append("\\00"); break;
            default:   sb.append(c);
        }
    }
    return sb.toString();
}

4. Principle of Least Privilege: Configure the application's LDAP binding account with minimal necessary permissions to limit the potential impact of successful attacks.
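The following Python is an added example (not Invicti's code) that ties steps 2 and 3 together: a filter escaper equivalent to the Java function above, an allowlist check, the vulnerable concatenation pattern beside its hardened form, and a small review check for wildcards left in an assembled filter. The username pattern and the filter shapes are assumptions for illustration.

```python
import re

# Escapes for values placed inside an LDAP search filter (RFC 4515): the same
# five characters the Java example above handles, encoded as \XX hex pairs.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Allowlist for account names (assumption: this application permits only these).
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape every filter metacharacter in value (remediation step 3)."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def is_valid_username(value: str) -> bool:
    """Strict allowlist validation (remediation step 2)."""
    return _USERNAME_RE.fullmatch(value) is not None


def unsafe_login_filter(username: str) -> str:
    """Vulnerable pattern: raw concatenation lets filter syntax into the query."""
    return f"(&(uid={username})(objectClass=person))"


def safe_login_filter(username: str) -> str:
    """Hardened pattern: validate first, then escape whatever is still inserted."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allowlist validation")
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"


def safe_name_search_filter(display_name: str) -> str:
    """Free-text fields cannot be allowlisted tightly, so escaping carries the load."""
    return f"(cn={escape_filter_value(display_name)})"


def has_unescaped_wildcard(filter_text: str) -> bool:
    """Review/logging check: an escaped '*' is emitted as \\2a, so any literal
    '*' left in an assembled filter is an active wildcard."""
    return "*" in filter_text


if __name__ == "__main__":
    # Constructed inputs: a lone wildcard, a normal account name, a free-text name.
    print(unsafe_login_filter("*"))                     # (&(uid=*)(objectClass=person))
    print(safe_login_filter("jdoe"))                    # (&(uid=jdoe)(objectClass=person))
    print(safe_name_search_filter("O'Brien (Sales)"))   # (cn=O'Brien \28Sales\29)
```

With the unsafe builder a single `*` turns the login lookup into a filter that matches every person entry; the hardened builder rejects it outright, and for fields where rejection is not an option the escaped form keeps the character a literal.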