Input Validation / LDAP Injection


Description

LDAP Injection (CWE-90) is an injection attack in which attacker-controlled input is inserted into LDAP statements via web form or API input. It occurs when user input is not sufficiently validated and is then used to construct LDAP statements (typically search filters or distinguished names) that are passed to an LDAP server for execution. This type of attack can be used to retrieve, modify, or delete sensitive data held in the LDAP directory, as well as to gain access to unauthorized system resources. According to the OWASP Testing Guide, LDAP injection can be identified by testing all user input fields with malicious strings and observing how the application responds.

Risk

LDAP injection is a serious risk to organizations that use LDAP authentication. If successful, attackers can gain access to sensitive data and system resources, modify information stored in the LDAP server, or delete data. Additionally, if an attacker is able to gain access to the LDAP server, they may be able to escalate their privileges to gain access to other systems.

Solution

The most effective defence against LDAP injection is strict input validation. All user input must be sanitized and verified against a whitelist of accepted values before it is used. Additionally, all LDAP statements should be generated using parameterized queries so that user-supplied values are treated as data rather than as part of the statement, which prevents attackers from inserting LDAP syntax into it.
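The following Python example is added here to illustrate both the Description and the Solution above; it is not code from the original page. It places a vulnerable filter builder (plain string concatenation) beside a hardened one that applies an allow-list check and then RFC 4515 escaping. The username format, the sample directory entries and the tiny in-memory matcher that stands in for a real LDAP server are all assumptions made for the demonstration.

```python
import re
from typing import Optional

# RFC 4515 escapes for values placed inside an LDAP search filter.
# These characters carry meaning in filter syntax; escaping turns them into data.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so the LDAP server treats it as a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Allow-list (assumption): usernames are 1-32 characters of [a-z0-9._-].
_USERNAME_RE = re.compile(r"^[a-z0-9._-]{1,32}$")


def validate_username(value: str) -> Optional[str]:
    """Return the value if it is on the allow-list, otherwise None."""
    return value if _USERNAME_RE.fullmatch(value) else None


def build_filter_unsafe(username: str) -> str:
    """Vulnerable: user input is concatenated straight into the filter."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> Optional[str]:
    """Hardened: allow-list validation first, then RFC 4515 escaping of the value."""
    if validate_username(username) is None:
        return None
    return f"(uid={escape_filter_value(username)})"


# Constructed sample directory; a real deployment would query an LDAP server.
DIRECTORY = [{"uid": "alice"}, {"uid": "bob"}, {"uid": "svc-backup"}]


def _filter_value_to_regex(value: str) -> "re.Pattern[str]":
    """Translate a filter assertion value into a regex the way an LDAP server would
    interpret it: an unescaped '*' is a wildcard, a '\\XX' hex escape is a literal byte."""
    parts = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 3 <= len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def search(filter_str: str) -> list:
    """Minimal stand-in for an LDAP search: supports only a single equality filter."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, pattern = m.group(1), _filter_value_to_regex(m.group(2))
    return [e[attr] for e in DIRECTORY if attr in e and pattern.fullmatch(e[attr])]


if __name__ == "__main__":
    # A lone '*' from the user turns the lookup for one account into a match on every account.
    print("unsafe:", build_filter_unsafe("*"), "->", search(build_filter_unsafe("*")))
    # The hardened builder rejects the same input at the allow-list stage.
    print("safe:  ", build_filter_safe("*"))
    # A legitimate username passes through unchanged and matches exactly one entry.
    print("safe:  ", build_filter_safe("alice"), "->", search(build_filter_safe("alice")))
```

The allow-list does most of the work here; the escaping step is defence in depth for fields whose legitimate values cannot be constrained so tightly (display names, for instance), where the escaped form `(uid=\2a)` matches only an account whose uid is literally an asterisk rather than every account.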
