Organizational data is usually stored in databases that are protected by firewalls and intrusion detection mechanisms. In an ideal world, this data can only be accessed by authorized users through a specific application. However, these applications can also serve as a gateway for attacks if they accept and execute user input without sanitizing it. In fact, most web application vulnerabilities, such as XPath and SQL injection, are related to input validation. This article walks you through LDAP injection, a type of attack that exploits applications that build LDAP statements from user input. If the application does not sanitize that input properly, the resulting LDAP statements can be modified, for example by altering requests with a local proxy.
So before diving into more details, here’s a refresher on LDAP:
The Lightweight Directory Access Protocol (LDAP) is a service and protocol used to access and maintain directory services over IP networks. LDAP works on a client-server model, and beyond providing access to a directory database, it is used for authentication, resource management, and privilege management. Widely used LDAP services include Microsoft Active Directory and OpenLDAP.
LDAP is object-oriented: every entry in the directory represents an object instance, and each entry must conform to the schema rules attached to its object classes and attributes. Because queries against the directory are expressed as LDAP statements (search filters and distinguished names), the application must sanitize all user-supplied input so that those statements are constructed as intended.
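The following added example (not code from the original article) shows the defect described above in Python: a search filter built by naive string concatenation versus the same filter with the value escaped as RFC 4515 requires. The attribute names, the input values and the small assertion counter are constructed for illustration.

```python
# Added example: building an LDAP search filter from user input,
# unescaped versus escaped per RFC 4515. Inputs below are constructed.

# RFC 4515 requires these characters to be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(uid: str) -> str:
    """Naive concatenation: filter metacharacters in uid change the query."""
    return f"(&(objectClass=person)(uid={uid}))"


def safe_user_filter(uid: str) -> str:
    """Same filter with the value escaped, so uid is matched literally."""
    return f"(&(objectClass=person)(uid={escape_filter_value(uid)}))"


def count_assertions(ldap_filter: str) -> int:
    """Count attribute assertions: every '(' not followed by &, | or !.

    An escaped value contains no literal '(' so it can never add a clause;
    a change in this count means the input altered the filter's structure.
    """
    return sum(
        1
        for i, ch in enumerate(ldap_filter)
        if ch == "(" and i + 1 < len(ldap_filter) and ldap_filter[i + 1] not in "&|!"
    )


if __name__ == "__main__":
    # Constructed input containing filter metacharacters.
    tainted = "a*)(cn=b"
    for label, f in (("unsafe", unsafe_user_filter(tainted)),
                     ("safe", safe_user_filter(tainted))):
        print(f"{label}: {f}  assertions={count_assertions(f)}")
```

The expected result is that the unsafe filter gains a third assertion from the input, while the escaped filter keeps the two the developer wrote.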