DefenseCode

LDAP Injection

Risk type: LOW

Description:

LDAP (Lightweight Directory Access Protocol) is an application protocol for accessing and maintaining distributed directory information services over an IP network. An application that accepts input from a client and embeds it in an LDAP query without proper validation could allow an attacker to alter the query and extract sensitive information from the directory.

Example:

The vulnerable web page has a search box for looking up users in the application. The search box asks for a username:

<label>Enter the name to search for <input type="text" size="20" name="name"></label>

The underlying code takes the submitted search term and builds the LDAP filter that will be used to search the directory (the value of username is taken directly from the search box, without validation or escaping):

String ldapSearchQuery = "(cn=" + username + ")";  // user input is concatenated straight into the filter
System.out.println(ldapSearchQuery);

Because the username variable is never validated or escaped, an attacker can inject LDAP filter syntax:

  • if the attacker searches for "*", the filter becomes (cn=*) and the system returns all usernames;
  • if the attacker searches for "admin)(| (password = *) )", the generated filter reveals the admin's password.

Mitigation:

  • Always validate user input for type, pattern and domain (the snippets below are C#/ASP.NET):
    • Type validation:
      int userinput = Convert.ToInt32(Request.QueryString["userinput"]);
    • Pattern validation:
      bool validEmail = Regex.IsMatch(Request.QueryString["email"], @"^.+@[^\.].*\.[a-z]{2,}$");
    • Domain values validation:
      string country = Request.QueryString["country"];
      bool validCountry = Array.IndexOf(new[] { "USA", "UK" }, country) >= 0;
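The following is an added example, not DefenseCode's code, that puts the vulnerable filter construction from the Example section next to a hardened version applying the validation advice above. It assumes a Python application building filter strings for an LDAP search; the filter-value escaping follows RFC 4515 (metacharacters replaced by a backslash and their two-digit hex code), and the username pattern used for allow-list validation is an assumed policy for this example. It runs offline on the two injection inputs quoted on the page so the effect of each layer can be seen.

```python
import re
from typing import Optional

# RFC 4515 escaping for values embedded in an LDAP search filter: each
# character that has syntactic meaning inside a filter is replaced by a
# backslash followed by its two-digit hex code, so it can only match literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can be embedded as a literal value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str) -> str:
    """Concatenation as on the page: the raw input becomes part of the filter syntax."""
    return "(cn=" + username + ")"


def build_filter_hardened(username: str) -> str:
    """Same filter shape, but the input is escaped first and can no longer add components."""
    return "(cn=" + escape_filter_value(username) + ")"


# Assumed allow-list policy for usernames (pattern validation from the mitigation list).
USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_username(username: str) -> bool:
    """Pattern validation: reject anything that is not a plain account name."""
    return USERNAME_PATTERN.fullmatch(username) is not None


def search_filter(username: str) -> Optional[str]:
    """Validate first, then build the escaped filter; None means the input was rejected."""
    if not validate_username(username):
        return None
    return build_filter_hardened(username)


def filter_components(ldap_filter: str) -> int:
    """Count top-level '(' groups: a single-user lookup must have exactly one."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed inputs: a normal name and the two payloads quoted on the page.
    for candidate in ["alice", "*", "admin)(| (password = *) )"]:
        print(repr(candidate))
        print("  vulnerable:", build_filter_vulnerable(candidate))
        print("  escaped:   ", build_filter_hardened(candidate))
        print("  validated: ", search_filter(candidate))
```

Escaping alone keeps the filter structurally intact (the wildcard becomes \2a and the injected parentheses become \28 and \29, so the directory compares them as literal characters), while the allow-list check rejects the payloads outright before any filter is built; using both layers is what the mitigation list asks for.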

Further reading:

https://www.owasp.org/index.php/LDAP_injection
http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf