LDAP Injection

ID

ldap_injection

Severity

critical

Kind

Injection

CWE

90

Description

LDAP Injection is a server-side attack that occurs when an application constructs LDAP queries using unsanitized user input. An attacker can manipulate these queries to alter their intended logic, similar to SQL Injection but targeting LDAP directory services. This can lead to unauthorized access to directory data, including user credentials, organizational structures, and other sensitive records stored in the LDAP tree.

Rationale

By injecting LDAP metacharacters into input fields, an attacker can modify the structure of LDAP filters to bypass authentication, retrieve unauthorized directory entries, or alter data within the LDAP tree. If the application uses LDAP for login verification, an attacker can craft an always-true filter to authenticate without valid credentials. Because the manipulated query runs with the same permissions as the application, the attacker can access or modify any data the application is authorized to reach.

Remediation

Avoid constructing LDAP queries by directly concatenating user-controllable data. Use parameterized LDAP queries or framework-provided APIs that separate filter logic from user input.

If dynamic query construction is unavoidable, strictly validate all input before including it in an LDAP filter. Allow only short alphanumeric values where possible. Reject or escape LDAP metacharacters, including the parentheses ( and ), the semicolon ;, the comma ,, the asterisk *, the pipe |, the ampersand &, the equals sign =, and whitespace.

Use a well-maintained library for LDAP filter escaping, such as the OWASP ESAPI or the escaping utilities provided by your LDAP SDK. Apply the principle of least privilege to the LDAP service account used by the application so that even a successful injection has limited impact.
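As an added illustration of the remediation above (example code, not part of the original entry), the following Python contrasts raw concatenation with an allow-list check plus RFC 4515 filter-value escaping. The attribute names and the 64-character limit are assumptions; note that escaping for filter values (RFC 4515) is distinct from escaping for distinguished names (RFC 4514), where characters such as the comma, semicolon and equals sign are significant.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a search-filter
# assertion value, each rendered as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is treated as a literal in a filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are escaped byte by byte in their UTF-8 form.
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# Assumed allow-list: usernames are 1-64 ASCII letters or digits.
_SHORT_ALNUM = re.compile(r"[A-Za-z0-9]{1,64}")


def is_short_alnum(value: str) -> bool:
    """Allow-list check for fields that never legitimately hold metacharacters."""
    return _SHORT_ALNUM.fullmatch(value) is not None


def build_login_filter_unsafe(username: str) -> str:
    """The vulnerable pattern: user input is concatenated straight into the filter."""
    return "(&(objectClass=person)(uid=" + username + "))"


def build_login_filter_safe(username: str) -> str:
    """Hardened pattern: reject anything outside the allow-list, then escape anyway
    (defence in depth) before the value enters the filter."""
    if not is_short_alnum(username):
        raise ValueError("username must be 1-64 alphanumeric characters")
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


def wildcard_comparison() -> tuple:
    """A lone '*' turns an exact uid match into a wildcard when concatenated raw;
    escaping keeps it a literal asterisk."""
    raw = build_login_filter_unsafe("*")
    escaped = "(&(objectClass=person)(uid=" + escape_filter_value("*") + "))"
    return raw, escaped
```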

References