LDAP Injection

Risk type: LOW


LDAP (Lightweight Directory Access Protocol, the application protocol for accessing and maintaining distributed directory information services over an IP network) services that accept input from a client and place it in a query without properly validating it could allow an attacker to craft a query that extracts sensitive information.


The vulnerable web page has a search box for looking up users in an application. The search box asks for a username:

<label>Enter the name to search for <input type="text" size="20" name="name"></label>

The underlying code takes the submitted search term and builds the LDAP filter used to search the directory:

String ldapSearchQuery = "(cn=" + $username + ")"; // $username is taken verbatim from the request

Improper validation of the $username variable allows the attacker to perform LDAP injection:

  • if the attacker searches for "*", the filter becomes (cn=*) and the system returns all usernames;
  • if the attacker searches for "admin)(| (password = *) )", the attacker's clauses are built into the filter and the result reveals admin's password.


  • Always validate user input for type, pattern and domain (C#/ASP.NET examples):
    • Type validation:
      int userinput = Convert.ToInt32(Request.QueryString["userinput"]); // throws FormatException on non-numeric input
    • Pattern validation:
      bool validEmail = Regex.IsMatch(Request.QueryString["email"], @"^.+@[^\.].*\.[a-z]{2,}$");
    • Domain values validation:
      string country = Request.QueryString["country"];
      bool validCountry = new[] { "USA", "UK" }.Contains(country);
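The two injection payloads above and the type/pattern/domain validation rule, worked through in Python as an added example (this is not code from the original page). It builds the page's vulnerable (cn=...) filter beside a hardened version that escapes the value per RFC 4515 before concatenation, and layers an allow-list check in front of it. The helper names, the username character pattern and the country list are assumptions made for this example.

```python
import re
from typing import Optional

# RFC 4515, section 3: characters that must be escaped (as \XX hex pairs)
# before a raw string is placed inside an LDAP search filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a raw string so the LDAP server treats it as a literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_cn_filter_unsafe(username: str) -> str:
    """The page's vulnerable pattern: raw input concatenated into the filter."""
    return "(cn=" + username + ")"


def build_cn_filter(username: str) -> str:
    """Hardened pattern: the value is escaped, so the input can neither close
    the (cn=...) clause nor add clauses of its own."""
    return "(cn=" + escape_filter_value(username) + ")"


# Allow-list validation mirroring the page's type / pattern / domain rule.
# The username pattern and the country list are assumptions for this example.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
_ALLOWED_COUNTRIES = frozenset({"USA", "UK"})


def validate_int(raw: str) -> Optional[int]:
    """Type validation: return the integer, or None if the input is not one."""
    try:
        return int(raw, 10)
    except ValueError:
        return None


def validate_username(username: str) -> bool:
    """Pattern validation: only characters that can never act as filter syntax."""
    return _USERNAME_RE.fullmatch(username) is not None


def validate_country(country: str) -> bool:
    """Domain validation: the value must be one of a fixed set."""
    return country in _ALLOWED_COUNTRIES


def search_filter_for(username: str) -> Optional[str]:
    """Validate first, then escape: the allow-list rejects filter metacharacters
    outright, and escaping covers anything a looser pattern would let through."""
    if not validate_username(username):
        return None
    return build_cn_filter(username)


if __name__ == "__main__":
    # Constructed inputs: the two payloads from the page plus a benign name.
    for user in ["alice", "*", "admin)(|(password=*))"]:
        print(f"input:     {user!r}")
        print(f"  unsafe:  {build_cn_filter_unsafe(user)}")
        print(f"  escaped: {build_cn_filter(user)}")
        print(f"  allowed: {search_filter_for(user)}")
```

Running the block shows the wildcard payload turning into the literal (cn=\2a), which matches only a user actually named "*", and the admin payload being rejected by the allow-list before any filter is built. Escaping alone already neutralises both payloads; the allow-list is the second, independent layer the page's "type, pattern and domain" rule asks for.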

Further reading: