LDAP injection

LDAP injection is a type of security exploit used to compromise the authentication process of some websites. Websites that construct Lightweight Directory Access Protocol (LDAP) statements directly from data provided by users are vulnerable to this type of attack.

LDAP directories store information, known as objects, about people, servers, printers and roles. If the directory is used for website authentication, an attacker can enter crafted input containing LDAP syntax into a user input field, gain unauthorized access to the directory and view or change usernames and passwords.

LDAP injection works in much the same manner as SQL injection, a type of security exploit in which the attacker submits SQL (Structured Query Language) code through a web form. Both types of attack occur primarily because of missing or weak input validation: the application neither rejects malformed input nor escapes or strips LDAP control characters before including untrusted user input in a query.

According to security experts, the main reason that LDAP injection and similar exploits work is that security is not sufficiently emphasized during the application development process. To protect the integrity of websites that use forms, experts recommend implementing a sanitization process that controls the types and number of characters accepted by input fields, as well as using multi-factor authentication (MFA) for public-facing web applications.
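The contrast the text draws, as an added example that is not part of the original article: a login filter built by plain string concatenation next to one that escapes the LDAP filter metacharacters defined in RFC 4515, plus a small check that flags raw input carrying such characters. Function names and the sample inputs are assumptions for illustration.

```python
# Added example (not from the original article): building an LDAP search
# filter from untrusted input the unsafe way versus with RFC 4515 escaping.
# Function and variable names are assumptions for illustration.

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value as a backslash followed by two hex digits.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so the directory reads it only as a literal value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable form: user input concatenated straight into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter(username: str) -> str:
    """Hardened form: every filter metacharacter in the input is escaped."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def has_filter_metacharacters(value: str) -> bool:
    """Validation/logging helper: True if the raw input carries LDAP filter
    syntax that a username field would never legitimately need."""
    return any(ch in value for ch in _LDAP_FILTER_ESCAPES)


if __name__ == "__main__":
    # Constructed sample inputs: a normal login name, a name with a
    # character that is NOT an LDAP metacharacter, and a lone wildcard.
    for name in ("alice", "o'brien", "*"):
        print("input   :", repr(name))
        print("unsafe  :", build_login_filter_unsafe(name))
        print("escaped :", build_login_filter(name))
        print("flagged :", has_filter_metacharacters(name))
```

With the unsafe builder the wildcard input becomes the filter `(uid=*)`, which matches every person object; the escaped builder turns it into `(uid=\2a)`, a literal asterisk.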

This was last updated in December 2017
