Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. More specifically, an injection flaw occurs when a web application sends user-supplied data to another system such as a database, operating system, LDAP directory, or web service; the attacker "injects" malicious input that is executed instead of the intended code, in order to access unauthorized data or completely take over the remote application. Injection flaws are classified as SQL, OS, and LDAP injection.
In this blog we will discuss LDAP injection, which falls under OWASP Top 10 web application vulnerability A1: Injection.
What is LDAP?
Lightweight Directory Access Protocol (LDAP) is a widely used protocol for accessing directory services. Directories provide a set of attributes about people, organized in a hierarchical manner, for example a phone directory.
LDAP injection attacks use techniques similar to SQL injection attacks: the underlying concept is to take advantage of the parameters supplied by the user to generate the LDAP query. A secure web application should sanitize user-supplied parameters before constructing the query and sending it to the server. In a vulnerable environment these parameters are not properly filtered and the attacker can inject malicious code.
Taking into consideration the structure of LDAP filters defined in RFC 4515 and the implementations of the most widely used LDAP directory services, code injection attacks can be performed only when the parameters introduced by the user are not filtered and the normal queries begin with a logical operator (AND or OR).
Therefore, two kinds of injection can be generated depending on the environment:
- AND LDAP Injection.
- OR LDAP Injection.
The consequences of a successful LDAP injection include:
- Unintentional information disclosure: unauthorized access to information that is normally inaccessible to the attacker.
- Elevation of privilege through manipulation of query results: the attacker can systematically work out the LDAP query structure by injecting specially crafted LDAP search filter characters. Once the query structure is determined, the attacker can mount further attacks to access sensitive information by injecting valid search filters.
- Corruption of the LDAP data store through manipulation of updates: similarly, an LDAP directory access control flaw can be exploited by manipulating the user object attributes of the directory tree to gain unauthorized access to proprietary data.
Recommended countermeasures:
- Ensure that the input parameters of the application are properly validated and checked for unexpected input, including null or empty values.
- Limit the strings and types of characters that can be passed as application parameters by configuring native application filters.
- Implement tighter access control on the LDAP directory while configuring the user objects of the directory. The administrator must fully understand how each object class will be used and then grant access appropriately.
- Escape all variables using the right LDAP encoding function.
- Use frameworks that automatically protect from LDAP injection.
- Apply least privilege and white-list input validation.
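The AND-filter case described above, together with the escaping and white-list countermeasures, as an added example that is not part of the original post: a login filter built by raw concatenation beside a hardened builder that allow-lists the username and applies RFC 4515 escaping to both values. The username character set and the sample inputs are assumptions constructed for the example.

```python
import re

# RFC 4515 metacharacters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape every RFC 4515 metacharacter so the value cannot alter filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_username(value: str) -> bool:
    """Allow-list validation: only characters an account name is expected to contain.
    The permitted set is an assumption for this example, not a rule from the post."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", value) is not None


def build_login_filter_unsafe(user: str, pw: str) -> str:
    # Vulnerable pattern: raw concatenation lets user input change the filter structure.
    return f"(&(uid={user})(userPassword={pw}))"


def build_login_filter_safe(user: str, pw: str) -> str:
    # Hardened pattern: reject usernames outside the allow-list, then escape both
    # values before they are placed inside the AND filter.
    if not is_valid_username(user):
        raise ValueError("username contains characters outside the allowed set")
    return f"(&(uid={escape_filter_value(user)})(userPassword={escape_filter_value(pw)}))"


def assertion_count(ldap_filter: str) -> int:
    """Count raw '(' characters. In a correctly escaped filter every '(' comes from the
    template, so the count is fixed (3 for the login filter above); a higher count
    means user input has added assertions to the query."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed sample input containing filter metacharacters (not a real account).
    user, pw = "jdoe", "x)(y"
    for build in (build_login_filter_unsafe, build_login_filter_safe):
        f = build(user, pw)
        print(f"{assertion_count(f)} assertions: {f}")
```

The structural count is a cheap check a test suite can run over every filter template to catch a builder that forgot to escape a value.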