Understanding and Preventing LDAP Injection

Organizational data is usually stored in databases where it is protected using firewalls and other intrusion detection mechanisms. In a harmless world, this data can only be accessed by authorized users through a specific application. However, these applications could also serve as a gateway to attacks if they accept and execute user input without sanitizing it. In fact, most web application vulnerabilities such as XPath and SQL injections are related to input validation. This article will walk you through LDAP injection, a type of attack used to exploit applications that rely on user input to construct LDAP statements. Here, LDAP statements can be modified using a local proxy if the application does not sanitize input properly.  

 

So before diving into more details, here’s a refresher on LDAP:

The Lightweight Active Directory Protocol (LDAP) is a service and protocol used to access and maintain directory services in IP servers. LDAP works on a client-server model, so other than providing access to a directory database, it can be used for authentication, resource management, and privileges management.  Some widely used LDAP services include the Microsoft Active Directory and the OpenLDAP.

 

Typically, LDAP is object-oriented, so every entry to the directory service represents an object instance, which should correspond to all rules attached to the object’s attributes. The system should sanitize all user-supplied input to ensure LDAP statements are constructed correctly.

When an attacker inserts malicious statements into a query, then they can send malicious LDAP requests to the server, which in turn leads to security implications. Successful exploitation of LDAP injections could allow adversaries to:

  • Access unauthorized information
  • Evade application restrictions
  • Hijack browser sessions
  • Add or modify objects within the LDAP tree structure          

 

In the code snippets below, we illustrate how an LDAP injection works. Assume that we have an LDIF file containing records as shown:

 

In this case, a search for valid usernames and password takes the form:

 

An adversary could use J* for the username field and  * for the password field to bypass authentication. This input would produce every record whose username in our database starts with J. A malicious search statement would compromise our system since the attacker has access to part of the data in our directory. Similarly, a compromised authentication routine would allow the attacker to log in.

Below is a non-compliant code snippet where the searchRecord() method is called to search directory records using LDAP. Notice how the string filter allows the attacker to filter results matching the supplied user name and password.

 

To avoid the detrimental effects of maliciously crafted code as illustrated above, we should sanitize all user input to ensure the filter string contains valid characters. In the compliant code below, we use a whitelist such that the username only contains letters and spaces while the password contains alphanumeric characters.

 

 

Preventing LDAP Injections

Just like other injection attack vulnerabilities, the primary defense against LDAP injection is proper input validation. Unfortunately, there are no prepared statements interfaces for LDAP like those used in SQL. Therefore, the most effective solution is a strong validation of untrusted input. If you can properly encode and sanitize all input in the application layer, then you can significantly minimize the possibilities of these threats. Here are some other secure coding practices that can help you avoid LDAP injections:

 

  • Whitelist input validation
  • Escaping all variables using the right encoding functions
  • Indexing of fields containing sensitive information such as user passwords
  • Using Frameworks such as LINQtoAD to automatically prevent LDAP Injection
  • Minimize privileges assigned to LDAP binding accounts
  • Output regulation
  • Performing dynamic checks
  • Static source code analysis

 

Other than the above practices, it is important to ensure your LDAP environment is safely configured. As a norm, always safeguard sensitive information in the LDAP directory. Configuring user permissions safely is especially important for directories used for logging purposes on mobile and web applications.

 

Michael Hollander

Michael Hollander / About Author

Michael is a Senior Product Manager and the Data Protection Officer at WhiteSource. Before joining WhiteSource, Michael was a Product Manager at GE Digital, and he previously held a number of software development positions spanning over 10 years. Michael is currently leading WhiteSource for Developers, a suite of native developer integrations empowering developers to secure products faster without slowing down development. LinkedIn | Twitter