Input Validation / LDAP Injection
LDAP Injection (CWE-90) is a type of injection attack in which malicious code is inserted into LDAP statements via web form input. It occurs when user input is not sufficiently validated and is then used to construct LDAP statements that are passed to an LDAP server for execution. This type of attack can be used to retrieve, modify, or delete sensitive data from an LDAP server, as well as to gain access to unauthorized system resources. According to the OWASP Testing Guide, LDAP injection can be identified by testing all user input fields with malicious strings.
LDAP injection is a serious risk to organizations that use LDAP authentication. If successful, attackers can gain access to sensitive data and system resources, modify information stored in the LDAP server, or delete data. Additionally, if an attacker is able to gain access to the LDAP server, they may be able to escalate their privileges to gain access to other systems.
The best way to prevent LDAP injection attacks is to properly validate user input. All user input must be sanitized and verified against a whitelist of accepted values. Additionally, all LDAP statements should be generated using parameterized queries, which prevent attackers from inserting malicious code into the statement.
The following example code is vulnerable to LDAP injection (CVE-2019-1853). The original snippet on this page built a JDBC SQL query, which does not match the LDAP scenario the text describes; it is shown here as the equivalent JNDI LDAP search so that the filter concatenation the text refers to is actually visible:

    // Vulnerable: the user-supplied username is concatenated straight into the search filter
    String filter = "(&(uid=" + username + ")(objectClass=person))";
    DirContext ctx = new InitialDirContext(env);
    NamingEnumeration<SearchResult> results =
        ctx.search("ou=people,dc=example,dc=com", filter, new SearchControls());
In this example, the username variable is neither validated nor escaped before it is concatenated into the LDAP search filter. An attacker who controls username can insert filter metacharacters and change the query that the LDAP server evaluates.
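The following is an added example, not code from the original page, showing the two defenses the text recommends in working form: an allowlist check for identifiers such as usernames, and RFC 4515 filter-value escaping for fields where free text is legitimate (a directory name search, for instance). The attribute names (uid, cn, objectClass=person), the username regex and the sample inputs are assumptions constructed for the example.

```python
import re

# RFC 4515: these characters must be replaced by a backslash and their two-digit hex
# code when they occur inside an assertion value of an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Allowlist for usernames (assumption for this example; match your directory's naming rules).
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever be an assertion value, never filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_username(username: str) -> bool:
    """Allowlist check: only characters that can appear in a legitimate uid are accepted."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_user_filter(username: str) -> str:
    """Hardened lookup of a single account: reject anything outside the allowlist,
    then escape what remains (defense in depth; the escape is a no-op for allowed input)."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allowlist")
    return "(&(uid=" + escape_filter_value(username) + ")(objectClass=person))"


def build_name_search_filter(term: str) -> str:
    """Free-text search on common name. Apostrophes and spaces are legitimate here, so an
    allowlist would be too strict; escaping guarantees the user's text cannot add or close
    filter components. The wildcards are supplied by the application, not the user."""
    if not term or len(term) > 128:
        raise ValueError("search term empty or too long")
    return "(cn=*" + escape_filter_value(term) + "*)"


if __name__ == "__main__":
    # Constructed sample inputs: a normal name, and one containing filter metacharacters.
    print(build_user_filter("alice"))
    print(build_name_search_filter("O'Brien"))
    print(build_name_search_filter("(Smith*)"))
    try:
        build_user_filter("(Smith*)")
    except ValueError as exc:
        print("rejected:", exc)
```

The escaped form of "(Smith*)" is \28Smith\2a\29, so the server still matches the literal string rather than treating the parentheses and asterisk as filter syntax. Escaping rather than stripping is deliberate: a user searching for a name that genuinely contains such characters still gets a correct result, and the application keeps control of where wildcards appear.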