Software Quality.com

LDAP injection

By Ben Lutkevich

What is LDAP injection?

LDAP (Lightweight Directory Access Protocol) injection is a type of security exploit that is used to compromise the authentication process used by some websites. Websites that construct LDAP statements from user data are vulnerable to this type of attack.

Organizations often use LDAP to enable single sign-on and to authenticate users to on-premises and web-based applications. LDAP directories store objects, which include information about these users and the organization's assets. For example, an LDAP directory may contain lists of the different usernames, passwords and email addresses of the users in the organization. If an LDAP directory is used for website authentication, an attacker can enter malicious code into a user input field, gain unauthorized access to the directory, and view or change usernames and passwords.

According to security experts, the main reason that LDAP injection attacks and similar exploits work is because security is often insufficient during the application development process. To protect the integrity of websites that use forms, experts recommend implementing a sanitization process to control the types and number of characters that can be accepted by input boxes as well as using multifactor authentication for public-facing web applications.

How do LDAP injections work?

An LDAP injection attack exploits security loopholes caused by unsanitized user input data. In other words, LDAP injections create malformed queries to gain access in order to potentially change data in a directory. LDAP queries contain special characters such as asterisks, brackets, ampersands and quotes. These characters control the meaning of LDAP queries and dictate the type and number of objects returned by a query. Attackers can alter the query and its intended behavior by modifying these control characters within the query. For example, in a login query that uses LDAP, an attacker can enter the username plus several metacharacters that manipulate the protocol into ignoring the password field.

Using LDAP injection, an attacker can enter the directory to gain access to unauthorized information or modify LDAP statements and content inside the LDAP tree. They can also exploit web applications that create LDAP statements based on user input. Tools that use LDAP include Red Hat Directory Server and Microsoft Active Directory.

What types of LDAP injection attacks are there?

There are several different types of LDAP injection attacks, including the following:

How to prevent LDAP injection attacks

LDAP injection attacks can be used to gain access to sensitive data, change LDAP data or even to take control of a system that uses LDAP. Therefore, it is important to take steps to protect the system from these attacks. Just as with any injection-based attack, the best option for preventing LDAP injection attacks is sanitizing untrusted input and using proper input validation. Application developers should properly encode and sanitize all information in the application layer. Some practices that enable this include the following:

Developers can also choose to minimize the privileges assigned to LDAP accounts, so if they are compromised, they will have a minimal effect on the overall system. Administrators should also properly configure the LDAP servers and user permissions, especially for mobile and web applications.

What is the difference between SQL injection and LDAP injection?

There are many similarities between LDAP injection and SQL injection. They are both code injection attacks, where the malicious user inserts a piece of their own code into an existing data stream to try to bypass security measures. Code injection can be performed on a variety of different protocols, including Extensible Markup Language, HyperText Markup Language, Structured Query Language (SQL) and LDAP. All of these injection attacks take advantage of scenarios where an application fails to properly sanitize user input.

LDAP injection works in much the same manner as SQL injection, a type of security exploit in which the attacker adds SQL code to a web form. Both types of attacks primarily occur due to missing or weak input validation that does not reject malformed input or strip malicious LDAP control characters before including untrusted user input in a query.

The difference between LDAP and SQL injection is the protocol or language that they exploit, and therefore the syntax of the attack data. LDAP is a protocol for accessing information in directories, whereas SQL is a query language for databases. Therefore, the attacks target different information stores. LDAP injections target directories, whereas SQL injections target databases. LDAP directories are better for storing data that is mostly read, not written. SQL databases are better for dealing with data that is both read and written frequently.

Injection in general, no matter the type, is listed as a top security threat in the Open Web Application Security Project Top 10 list as the third top application security risk of 2021. The recent Log4j security exploit exposed a vulnerability similar to LDAP and SQL injection called a Java Naming and Directory Interface injection.

Preventing code injection is an important component of application security. Learn some other best practices for securing web-based applications and SaaS offerings.

03 May 2022

All Rights Reserved, Copyright 2006 - 2024, TechTarget | Read our Privacy Statement