LDAP is an abbreviation created from the initials of Lightweight Directory Access Protocol. It is a lightened version of the protocol used for directory access by the seven-layer OSI model defined by the X.500 standard. LDAP ensures that many services such as personnel records, phone books, and address book are provided in a single center in companies.
PCI DSS Requirement 6.5.1 requires that your organization’s applications are not affected by injection flaws, especially SQL injection. Malicious people commonly use injection defects to compromise applications.
See Also: What is SQL Injection and How to Prevent It?
LDAP Injection is an attack that is used to manipulate web-based apps that create user-input based LDAP expressions. When an application cannot correctly clear user login, it is possible to change LDAP statements using a Local Proxy.
LDAP Injection may result in the execution of arbitrary commands such as allowing unauthorized queries and changing the LDAP tree content. It is possible to apply the same advanced exploitation techniques available in SQL Injection to LDAP Injection in a similar way.
In order to inject and execute queries on Lightweight Directory Access Protocol servers, LDAP injection attacks exploit input validation vulnerabilities. For many organizations’ daily operations, LDAP services are important, and an effective LDAP injection attack may provide useful information for further attacks on databases and internal applications.
Attackers can extract sensitive information from an organization’s LDAP directory by providing user input explicitly created for a vulnerable application.
What is LDAP Injection?
As with SQL injection attacks, LDAP injection vulnerabilities occur when an application adds uncleaned user input directly to an LDAP statement. Attackers can create the appropriate string values using LDAP filter syntax, causing the LDAP server to execute various queries and other LDAP expressions.
If combined with incorrectly configured or compromised permissions, LDAP injections can allow attackers to modify the LDAP tree and modify business-critical information.
Directory services are accessed with the LDAP protocol. A typical LDAP query has the following structure and consists of a search filter followed by the LDAP server address and the expected properties to be returned:
<LDAP://ldapserver>; (givenName = Ali); cn, telephoneNumber, Department
If the LDAP query displays the results, it is possible to inject more features to be displayed. For example, if the search filter criteria in the above query is created using user input, the following entry:
Bob); mail, cn;
It causes the following query expression to occur:
<LDAP://ldapserver>; (givenName = Bob); mail, cn;); cn, telephoneNumber, department
In this way, the information of the “mail” feature is also displayed. Also, an empty column titled “cn;); cn” is created. Since commas, separate attributes in LDAP queries, expressions between two commas are perceived as attribute names.
Active Directory fails when requested for features that are not available but tolerates if the attribute name is a valid name followed by a semicolon. So at the end of the injected text, “cn;” is entered.
Also, as a query filter, “*” signifies “wildcard” and if “*” was used instead of “Bob”, all records could be displayed.
Usually, no meaningful error message is returned when invalid input is injected into LDAP queries. An indication that the LDAP injection vulnerability exists is that a search function returns a server error, such as an HTTP 500 status code, after incorrect input.
What Are The Methods Of Preventing LDAP Injection?
LDAP injection is a vulnerability where queries are generated from untrusted input without prior validation or cleanup. LDAP uses queries generated from predictions that involve the use of special characters.
Metacharacters control the meaning of the query; therefore, it affects the type and number of objects retrieved from the underlying directory. If an attacker could submit input containing these control characters, they could modify the query and intended behavior.
As with many other injection attacks, proper login validation and encoding at the application layer is critical to eliminating LDAP injection vulnerabilities. Every user input used in LDAP queries must be sterilized according to application requirements and all LDAP special characters such as ()! | & * must be encoded to ensure that they are safely escaped.
For maximum security, a ready-made framework or library should avoid special characters and combine LDAP filters.
LDAP injection attacks occur primarily due to incomplete or flawed login validation. Validation consists of rejecting malformed input or removing malicious LDAP check characters before including untrusted input in a query.
To secure your organization from the LDAP Injection vulnerability, here are some methods you can use:
- Require login verification. Before including an untrusted entry in LDAP queries, the entry must be validated against a whitelist of allowed strings or characters. This verification should always be done on the server-side, even if the input has already been validated on the client-side.
- Avoid all variables by using the correct LDAP encoding functionality. Avoid user-controlled input strings, as any control characters in the input do not change the LDAP search filter’s intended meaning. For example, in a Java application, metacharacters in an LDAP query can be prepared with backslashes as escape characters. With this method, untrusted entries are added to a search filter and added as literal string values, not as LDAP predicts.
- Strict directory authorization. This defense technique aims to minimize the impact of any injection attempts by using the principle of least privilege. The LDAP account used to mount the directory in an application must have limited access. With this approach, only authorized LDAP queries can be executed against the LDAP server.
Wherever possible, programs should avoid copying user-controllable data into LDAP queries. If this is inevitable, to prevent LDAP injection attacks, the data must be strongly checked.
In most cases, it is appropriate only to allow short alphanumeric strings to be copied into queries, and all other entries should be rejected. At a minimum, an entry containing any LDAP metacharacters should be denied; The characters that should be blocked are (); , * | & = and space.
When developing software, your team should make sure they are not affected by LDAP injection. Be sure to write test scripts for LDAP injection as part of your secure code development process.
To verify compliance with PCI DSS Requirement 6.5.1 and protection from injection errors, an assessor will review your policies and procedures regarding application development and interview responsible personnel.
There are many useful articles on Owasp’s website, such as weaknesses in web applications, how vulnerabilities occur, how to exploit and prevent these vulnerabilities. You can get more detailed information about LDAP Injection from the links below.