{"id":2967,"date":"2024-02-08T12:33:04","date_gmt":"2024-02-08T12:33:04","guid":{"rendered":"https:\/\/www.imperva.com\/learn\/?post_type=application_security&p=2967"},"modified":"2024-02-08T12:33:04","modified_gmt":"2024-02-08T12:33:04","slug":"ldap-injection","status":"publish","type":"application_security","link":"https:\/\/www.imperva.com\/learn\/application-security\/ldap-injection\/","title":{"rendered":"LDAP Injection"},"content":{"rendered":"

What is LDAP Injection?<\/h2>\n

LDAP injections allow threat actors to compromise the authentication process of certain websites. This vulnerability occurs in websites that use data provided by end users to construct lightweight directory access protocol (LDAP) statements.<\/p>\n

LDAP directories are used to store access credentials in the form of objects. The information may be used by a wide range of entities, including users, roles, printers, and servers. When LDAP directories are used for website authentication purposes, threat actors can inject malicious code into user input fields. The actor can then gain unauthorized access to the LDAP directory, where the actor can view or modify usernames and passwords.<\/p>\n

Impact of LDAP injection attacks<\/h2>\n

Successful LDAP injections can cause major security breaches, resulting in data loss<\/a>, damage to the reputation of the organization, and financial losses. Attackers can leverage LDAP injection to steal data, perform session or browser hijacking, and deface of websites.<\/p>\n

Additionally, attackers may use LDAP injection attacks to insert malicious software (malware<\/a>), which enables them to view user credentials. Attackers may also use this malware to add their own user account to a group of administrators.<\/p>\n

How Does an LDAP Injection Attack Work?<\/h2>\n

Applications that use LDAP interact with the LDAP server both on the front end and the back end. LDAP search filters are the LDAP queries which are submitted to the server from the front-end of the application. Filters are built using of prefix notation\u2014for example, here is an LDAP search filter:<\/p>\n

\"ldap<\/p>\n

The notation of the prefix filter tells the query to locate an LDAP node with the given password and username. Let’s take a situation where this query is created by appending the password and username strings taken from an HTML form.<\/p>\n

If these values are controlled by the user, are appended to the search filter of the LDAP, without any sanitization or validation. For example, a password and username value of \u201c*\u201d will change the intended interpretation of the query and will return a record of all users.<\/p>\n

Other characters may also be used to construct malicious queries. For example, in the query below, the highlighted condition will evaluate as true every time. If this query is employed in an authentication flow, a hacker can bypass authentication measures, because the second part of the statement, requiring a password, will not be evaluated.<\/p>\n

\"ldap<\/p>\n

Examples of LDAP Injection Attacks<\/h2>\n

Here are common examples showing how attackers can perform LDAP injection against vulnerable systems.<\/p>\n

Access Control Bypass<\/h3>\n

Consider an LDAP search filter that accepts two fields via a web form\u2014USER and PASSWORD:<\/p>\n

\"ldap<\/p>\n

If the LDAP filter accepts the USER parameter as is, with no sanitization of control characters, an attacker can input a username followed by control characters that break authentication. For example, if the attacker provides this as the USER value:<\/p>\n

\"ldap<\/p>\n

The LDAP query is constructed as follows:<\/p>\n

\"ldap<\/p>\n

This causes the LDAP server to only process the first part of the query, indicated in bold. The password is not evaluted at all, meaning the attacker can provide any string for password, and gain access.<\/p>\n

Elevation of Privileges<\/h3>\n

Consider an LDAP search filter that enforces privileges at the end of a query. For example, a query like the following can be used to display all files in a directory, which are allowed for \u201cguest\u201d level permission:<\/p>\n

\"ldap<\/p>\n

The user provides the value files for the directory parameter, and the system inputs guest as the value for the permission parameter. Similar to the previous example, the attacker can craft a value for the directory parameter that will render the second parameter ineffective.<\/p>\n

Suppose the attacker provides this value for the directory parameter:<\/p>\n

\"ldap<\/p>\n

This will construct the following LDAP filter:<\/p>\n

\"ldap<\/p>\n

The LDAP server processes only the first part of the filter, indicated in bold. It sets the permission level to \u201c*\u201d, meaning that all files in the directory will be displayed, elevating the attacker\u2019s privileges. The last part of the query, limiting permission to guest, is ignored.<\/p>\n

Information Disclosure<\/h3>\n

Consider an LDAP filter that lists specific resources available in the system (for example, workstations or printers on a network). The query looks like this:<\/p>\n

\"ldap<\/p>\n

If the attacker adds the string uid = * to their query, they can trick the server into listing all the available resources. The attacker provides this value for the Resource1 parameter:<\/p>\n

\"ldap<\/p>\n

And any value for Resource2. This results in the following query:<\/p>\n

\"ldap<\/p>\n

The LDAP server applies the OR operator to the two statements indicated in bold, and returns a list of all workstations on the network.<\/p>\n

Preventing LDAP Injection Attacks<\/h2>\n

LDAP injection vulnerabilities take place when there is insufficient input cleanup and validation, and queries are created from input that is untrustworthy.<\/p>\n

Here are a few ways you can protect your organization from LDAP Injection vulnerabilities:<\/p>\n