An LDAP injection is an attack that exploits vulnerable Web-based applications that construct LDAP statements based on user input. If a program fails to sanitize user input, attackers can modify LDAP statements using a local proxy. That could let them execute arbitrary commands, such as granting permissions to unauthorized queries and content modification inside the LDAP tree.
An LDAP injection attack often uses the same exploitation techniques employed in SQL injection attacks.
Read More about “LDAP Injection”
To understand LDAP injection, let’s discuss some basic concepts first.
What Is LDAP?
LDAP, short for “Lightweight Directory Access Protocol (LDAP),” is a common software protocol that allows any network-connected user to find resources like other individuals, files, and devices connected to the said network.
LDAP is a directory service employed in intranets. It can also be used to store usernames and passwords as part of a single sign-on (SSO) system. An SSO system, of course, lets users access any resource on a network after they sign in to a connected device. An example would be your office network. Once you log in to your computer, you instantly get signed in to all network-connected devices. For example, you can print documents, chat with workmates, and access applications.
How Does LDAP Injection Work?
In an LDAP injection attack, the threat actors can enter the incorrect username-password combination into a network-connected computer and still successfully log in because the LDAP server doesn’t sanitize user inputs. The diagram below shows how an LDAP injection works.
Note the difference between the login credentials used by the legitimate user on the left and the attacker on the right.
What Are the Types of LDAP Injection Attacks?
There are several kinds of LDAP injection attacks, including:
- Authentication bypass: In this attack, the threat actors configure the LDAP server to accept an ampersand (&) instead of missing numbers or other characters in the username and password input fields during the login process. That lets them access all the network-connected resources available to the compromised account’s owner.
- Elevation of access privileges: In this LDAP injection attack, threat actors use unsanitized user inputs to gain unauthorized access to information reserved for privileged users. An example of this type is shown by our example shown in the diagram above.
- Resource disclosure: In this kind of attack, attackers take advantage of LDAP systems that let any logged-in user search for some objects like confidential files. Secure systems typically only return publicly available results. But LDAP injection-affected ones list all available resources, even those marked “private.” As such, the threat actors can look for database files, and the directory would return all results, even those that the compromised account’s owner wouldn’t usually see, such as employee compensation files.
- Blind attacks: Implementing this LDAP injection attack requires threat actors to use binary. They only obtain a true or false response from the LDAP server. They could thus find out if a particular resource, such as a database file, exists. They can then devise other ways to obtain the said resource.
How Can You Avoid Falling Prey to an LDAP Injection Attack?
Here are some best practices to prevent LDAP injection attacks.
- Sanitize inputs and check variables: This is the most effective way to thwart LDAP injection attacks. Configure your LDAP server to filter special characters often used to create malicious injections, including & (for “and”), | (straight slash for “or”), ! (exclamation point for “not”), and the operators = (equal sign), >= (greater than or equal to), (less than or equal to) <=, and ~= (approximately equal to). All user inputs should be checked against a list of valid values in the application layer even before the LDAP server receives the query.
- Don’t construct filters by concatenating strings: Concatenating strings means joining characters from end to end. In English, for instance, “hotdog” is the concatenated form of “hot” and “dog.”
- Use access control on the LDAP server: Enforce strict user access management policies. Each user should only be allowed to access files, devices, and applications he or she needs to perform his or her job.
- Restrict user requests on the LDAP server: Don’t allow all users to perform queries on the LDAP server. Doing this can help organizations prevent resource disclosure. You can also impose a size limit for responses to user queries. Or you can set a timeout for searches. Someone searching the entire server could be out to steal confidential information.
LDAP injection attacks, such as the Log4j attacks, can lead to serious data breaches. But the vulnerability can be addressed by implementing the best practices above.