LDAP injection
In computer security, LDAP injection is a code injection technique used to exploit web applications which could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores.[1][2][3] LDAP injection exploits a security vulnerability in an application by manipulating input parameters passed to internal search, add or modify functions. When an application fails to properly sanitize user input, it is possible for an attacker to modify an LDAP statement.
Technical implementation
LDAP injection occurs when user input is not properly sanitized and then used as part of a dynamically generated LDAP filter. This results in potential manipulation of the LDAP statements performed on the LDAP server to either view, modify, or bypass authentication credentials.[1]
Prevention
LDAP injection is a well-known attack and can be prevented by simple measures. All client-supplied input must be checked and sanitized for any characters that may result in malicious behavior. The input validation should verify the input by checking for the presence of special characters that are part of the LDAP query language, known data types, legal values, etc.[2] Whitelist (allow-list) input validation can also be used to reject unauthorized input before it is passed to the LDAP query.
Example
In the example below, a filter is constructed to validate a user's credentials for the purpose of logging in.
String filter = "(&(USER = " + user_name + ") (PASSWORD = " + user_password + "))";
In a typical use case, a user would provide their credentials and this filter would be used to validate them. However, an attacker can enter a crafted input for the variable user_name such as johnDoe)(&) and any value for the password. The finished query then becomes (&(USER = johnDoe)(&))(PASSWORD = pass)). Only the first portion of this query, (&(USER = johnDoe)(&)), is processed by the LDAP server; it always evaluates to true, allowing the attacker to gain access to the system without providing valid user credentials.
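The following is an added example, not part of the article: it builds the article's login filter both by plain concatenation and with RFC 4515 escaping of the user-supplied values, and shows that the escaped form keeps the filter's structure intact when fed the johnDoe)(&) input. Attribute names USER and PASSWORD are taken from the article (whitespace omitted); the functions are illustrative and assume no particular LDAP library.

```python
# Added example (not from the article): vulnerable vs. hardened construction
# of the article's login filter, using RFC 4515 escaping for assertion values.

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter.

    RFC 4515 requires '*', '(', ')', '\\' and NUL to be written as a backslash
    followed by two hex digits; non-ASCII characters are written as their
    UTF-8 bytes in the same form.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00" or ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_filter(user_name: str, user_password: str) -> str:
    """Mirrors the article's concatenated filter: raw input lands in the filter."""
    return "(&(USER=" + user_name + ")(PASSWORD=" + user_password + "))"


def safe_filter(user_name: str, user_password: str) -> str:
    """Same filter shape, but every user-supplied value is escaped first."""
    return ("(&(USER=" + escape_filter_value(user_name)
            + ")(PASSWORD=" + escape_filter_value(user_password) + "))")


def unescaped_paren_counts(filt: str) -> tuple:
    """Count unescaped '(' and ')' in a filter; an intact filter has equal counts.

    A '\\' introduces a two-hex-digit escape, so those three characters are
    skipped rather than counted.
    """
    opens = closes = 0
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":
            i += 3
            continue
        if ch == "(":
            opens += 1
        elif ch == ")":
            closes += 1
        i += 1
    return opens, closes


if __name__ == "__main__":
    # Constructed sample input: the article's crafted user name plus any password.
    print(vulnerable_filter("johnDoe)(&)", "pass"))  # injected, unbalanced filter
    print(safe_filter("johnDoe)(&)", "pass"))        # value escaped, structure intact
```

Escaping keeps the crafted input inside a single assertion value; a stricter allow-list on user names (e.g. letters, digits and a few punctuation characters) rejects such input before the filter is ever built. Verifying the password by binding as the user, rather than comparing it inside a search filter, removes the password from the filter entirely.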
See also
- SQL injection, a similar malicious attack method
References
- [1] Alonso, J. M.; Bordon, R.; Beltran, M.; Guzman, A. (1 November 2008). "LDAP injection techniques". 2008 11th IEEE Singapore International Conference on Communication Systems. pp. 980–986. doi:10.1109/ICCS.2008.4737330. ISBN 978-1-4244-2423-8.
- [2] "The Web Application Security Consortium / LDAP Injection". projects.webappsec.org. Retrieved 9 December 2016.
- [3] Varanasi, Balaji (2013-11-26). Practical Spring LDAP: Enterprise Java LDAP Development Made Easy. Apress. p. 97. ISBN 978-1-4302-6398-2. Retrieved 9 December 2016.