What is LDAP Injection?
LDAP injection is a web attack in which an attacker exploits a website that builds LDAP statements (most often search filters) from user-supplied input.
According to Wikipedia, the Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. LDAP was originally intended to be a lightweight alternative protocol for accessing X.500 directory services through the simpler (and now widespread) TCP/IP protocol stack. This model of directory access was borrowed from the DIXIE and Directory Assistance Service protocols.
When a web application does not properly validate and escape user input, an attacker can alter the LDAP statements it sends to the directory. This can raise serious security problems: directory data the application never meant to show is disclosed, lookups that gate access can be bypassed, and, where the application also writes to the directory, entries in the LDAP tree can be added or modified. LDAP injection is closely related to SQL injection: in both, untrusted text is concatenated into a query so that its metacharacters change the query's structure instead of being treated as a plain value.
Example
Vulnerable code:
line 1 using System;
line 2 using System.Configuration;
line 3 using System.Data;
line 4 using System.Web;
line 5 using System.Web.Security;
line 6 using System.Web.UI;
line 7 using System.Web.UI.HtmlControls;
line 8 using System.Web.UI.WebControls;
line 9 using System.Web.UI.WebControls.WebParts;
line 10
line 11 using System.DirectoryServices;
line 12
line 13 public partial class _Default : System.Web.UI.Page
line 14 {
line 15 protected void Page_Load(object sender, EventArgs e)
line 16 {
line 17 string userName;
line 18 DirectoryEntry entry;
line 19
line 20 userName = Request.QueryString["user"];
line 21
line 22 if (string.IsNullOrEmpty(userName))
line 23 {
line 24 Response.Write("<b>Invalid request. Please specify valid user name</b></br>");
line 25 Response.End();
line 26
line 27 return;
line 28 }
line 29
line 30 DirectorySearcher searcher = new DirectorySearcher();
line 31
line 32 searcher.Filter = "(&(samAccountName=" + userName + "))";
line 33
line 34 SearchResultCollection results = searcher.FindAll();
line 35
line 36 foreach (SearchResult result in results)
line 37 {
line 38 entry = result.GetDirectoryEntry();
line 39
line 40 Response.Write("<p>");
line 41 Response.Write("<b><u>User information for : " + entry.Name + "</u></b><br>");
line 42
line 43 foreach (string proName in entry.Properties.PropertyNames)
line 44 {
line 45 Response.Write("<br>Property : " + proName);
line 46
line 47 foreach( object val in entry.Properties[proName] )
line 48 {
line 49 Response.Write("<br>Value: " + val.ToString());
line 50 }
line 51 }
line 52
line 53 Response.Write("</p>");
line 54 }
line 55 }
line 56 }
The above code is vulnerable to LDAP injection. What makes it vulnerable? On line 20 the variable userName is initialized from the "user" query-string parameter, and the only check made (lines 22 to 28) is that the value is not null or empty. On line 32 userName is concatenated directly into the search filter, so any filter metacharacters the attacker supplies, such as *, (, ), |, & and \, become part of the filter's syntax rather than part of the value being searched for.
The attacker therefore controls the filter that is sent to the LDAP server, and the page writes back every property of every entry the search returns. Requesting the page with user=* turns the filter into (&(samAccountName=*)), which matches every account the searcher's bind identity is allowed to see, so the whole directory is dumped. Because the template is an AND filter, a value such as mike)(description=a* becomes (&(samAccountName=mike)(description=a*)) and only returns the entry when that attribute starts with "a", so the attacker can add arbitrary conditions on attributes of their own choosing.
Let's take another example to understand LDAP injection properly.
Example:
Enter the name you want to search: <input type="text" size="10" name="name">
Take for example a simple HTML page that searches for the entered username. The server-side code builds the following LDAP query from that field:
String ldapSearchQuery = "(cn=" + username + ")";
System.out.println(ldapSearchQuery);
If the variable username is not properly sanitized, LDAP injection can take place. If the attacker submits * instead of a name, the filter becomes (cn=*), which matches every entry that has a cn attribute, i.e. every user stored in the directory. If the attacker submits mike)(|(password=*), the filter becomes (cn=mike)(|(password=*)). Note that this is not one valid filter but two glued together: a strict server rejects it, a lenient one evaluates only the first part, and in neither case is the password value itself returned in the search result. The real danger is that the attacker chooses which attribute is tested and against what value: with a template that accepts an extra clause, such as the (&(samAccountName=...)) filter in the first example, a value like mike)(password=a* makes the search succeed only when the attribute starts with "a", so an attribute the attacker cannot read directly can still be guessed one character at a time.
Fixing LDAP Injection
To fix LDAP injection, user input must be validated and escaped before it is placed in a filter. First validate: compare the input against an allow-list of the characters and length a legitimate value can have (for an account name, typically letters, digits and a few punctuation characters) and reject anything else, so that the user can be asked to enter a correct value. Then escape: every character that has a special meaning inside a filter value must be encoded as defined in RFC 4515, namely \ as \5c, * as \2a, ( as \28, ) as \29 and NUL as \00; most LDAP libraries ship a helper that does exactly this. Escaping is what makes the attack impossible even when a legitimate value happens to contain one of these characters, so it should be applied in addition to the allow-list rather than instead of it. Values placed in a distinguished name rather than a filter follow a different escaping rule (RFC 4514) and need their own helper. Finally, limit the damage of any remaining bug: bind to the directory with a least-privilege account and return only the attributes the page actually needs rather than every property of every matching entry.
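The following Python program is an added example, not code from the original article. It reproduces both filters discussed on this page, the (&(samAccountName=...)) filter from the C# code and the (cn=...) filter from the search form, and the fix described in this section: a vulnerable builder that concatenates, a hardened builder that escapes per RFC 4515 behind an allow-list, and a small in-memory evaluator for a subset of filter syntax so that the effect of each payload can be seen offline. The directory entries, the helper names and the account-name allow-list pattern are constructed for illustration and are not taken from the page; the escape table itself follows RFC 4515.

```python
import re

# Constructed sample directory (no real accounts): attribute names lower-cased,
# values as lists, mimicking the shape of LDAP entries.
DIRECTORY = [
    {"cn": ["mike"], "samaccountname": ["mike"], "userpassword": ["secret42"]},
    {"cn": ["alice"], "samaccountname": ["alice"], "userpassword": ["hunter2"]},
    {"cn": ["svc-backup"], "samaccountname": ["svc-backup"]},
]
# RFC 4515 section 3 escapes, and an account-name allow-list that is an assumption
# about this application's usernames, not an LDAP rule.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_ACCOUNT_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

# --- the article's pattern: plain concatenation, for both filters on the page ---
def build_filter_unsafe(user_name):
    return "(&(samAccountName=" + user_name + "))"   # line 32 of the C# page

def build_cn_filter(user_name):
    return "(cn=" + user_name + ")"                   # the search-form example

# --- the fix: escape, so attacker text is only ever compared as a literal value ---
def escape_filter_value(value):
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)

def build_filter_safe(user_name):
    return "(&(samAccountName=" + escape_filter_value(user_name) + "))"

def lookup_user(user_name):
    """What Page_Load should do: reject unexpected input, then escape what remains."""
    if _ACCOUNT_NAME.fullmatch(user_name) is None:
        raise ValueError("invalid account name")
    return search(build_filter_safe(user_name))

# --- minimal strict evaluator for a subset of RFC 4515: &, |, !, equality, presence ---
def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):        # a strict server rejects a second filter glued on the end
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %s filter at offset %d" % (op, i))
        return (op, kids), i + 1
    eq, close = s.find("=", i), s.find(")", i)
    if eq == -1 or close == -1 or eq > close:
        raise ValueError("malformed item at offset %d" % i)
    attr, value = s[i:eq], s[eq + 1:close]
    # attribute names are plain identifiers and an unescaped '(' is never legal in a value
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9.;-]*", attr) or "(" in value:
        raise ValueError("malformed item at offset %d" % i)
    return ("=", attr.lower(), value), close + 1

def is_rejected(filter_text):
    try:
        parse_filter(filter_text)
    except ValueError:
        return True
    return False

def _unescape(part):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), part)

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                    # presence filter: any value at all
        return bool(values)
    # '*' is a wildcard only when unescaped, so split on it first, then decode \XX
    pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def search(filter_text, directory=DIRECTORY):
    """cn of every matching entry, standing in for DirectorySearcher.FindAll()."""
    node = parse_filter(filter_text)
    return [e["cn"][0] for e in directory if matches(node, e)]

if __name__ == "__main__":
    for payload in ["mike", "*", "mike)(userPassword=s*", "mike)(userPassword=h*"]:
        print(repr(payload), search(build_filter_unsafe(payload)), search(build_filter_safe(payload)))
    glued = build_cn_filter("mike)(|(password=*)")    # the page's second example
    print(glued, "rejected by a strict parser:", is_rejected(glued))
```

Run it directly to see which entries each payload returns. With the concatenating builder, * returns all three entries and mike)(userPassword=s* returns mike while mike)(userPassword=h* returns nothing, which is the yes/no signal an attacker uses to guess an attribute value; with the escaping builder the same strings match nothing, because \2a and \29 are compared as literal characters. The strict parser here also refuses the page's (cn=mike)(|(password=*)) string because a second filter follows the first; real servers differ in whether they reject or silently ignore such trailing data, so never rely on that behaviour for protection.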