LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements from user input. When an application fails to properly sanitize that input, an attacker can modify the LDAP statements, for example by editing requests in a local proxy. The result can be the execution of arbitrary operations, such as granting permissions to unauthorized queries or modifying content inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied to LDAP Injection.
The key to exploiting injection techniques with LDAP is to manipulate the filters used to search in the directory services. Using these techniques, an attacker may obtain direct access to the database underlying an LDAP tree, and thereby to important corporate information. This can be even more critical because the security of many applications and services relies on single sign-on environments based on LDAP directories.
In a page with a user search form, the following markup captures the input value that will be used to generate an LDAP query against the directory:
<label>Insert the username <input type="text" size="20" name="userName"></label>
The LDAP query is narrowed down for performance, and the underlying code for this function might look like the following:
String ldapSearchQuery = "(cn=" + userName + ")";
If the variable userName is not validated, LDAP injection becomes possible, as follows:
- If a user puts “*” in the search box, the system may return all the usernames in the LDAP base.
- If a user puts “jonys) (| (password = * ) )”, it will generate the filter below, revealing jonys’ password:
( cn = jonys ) ( | (password = * ) )
How to protect against these attacks?
INPUT VALIDATION. This can never be said enough: input validation is the best way to protect against most injection-type attacks. Whitelist validation is always your best bet. The idea is that you check that the data is one of a set of tightly constrained, known-good values, and reject everything else. For example, the username field above should accept only alphanumeric characters, so that filter metacharacters such as “*”, “(”, “)” and “\” can never reach the query.