Lightweight Directory Access Protocol (LDAP) injections are arguably the most dangerous type of injection attack. The data accessed via LDAP is usually valuable and confidential.
LDAP is commonly used in web applications for authentication, authorisation, and storing and retrieving confidential data. Users typically utilise this protocol to manage user accounts, organise groups of users within an organisation, and synchronise files across multiple systems. Consequently, an attack on LDAP is an assault on the backbone of a web application.
The OWASP (Open Web Application Security Project) defines an LDAP injection as an attack that exploits web apps using LDAP for authentication and authorisation purposes. An LDAP injection attack begins in an insecure app with un-sanitised LDAP statements input by a malicious user. These injected queries can then execute arbitrary commands, such as granting unauthorised permissions to modify LDAP tree content.
Understanding LDAP injection
LDAP injection attacks take many forms. A bad actor may try to view usernames and passwords stored in the database, add themselves as users with admin privileges, or bypass user authentication altogether. LDAP injection attacks can wreak havoc on companies. The LDAP allows access to names, usernames, passwords, email addresses, phone numbers, job titles, and user permissions. These are all at risk when bad actors exploit LDAP injection vulnerabilities.
The key vulnerability that puts an application at risk of LDAP injection is improperly processed user input. Applications that don’t sanitise or validate user input are open to LDAP injection attacks because of the structure of LDAP statements and queries.
For example, let’s say a piece of code validates a username by checking whether the field is empty:
uName = Request.QueryString["user"];
Following this command, an if-statement returns a message asking the user to specify a valid value if the uName entry is null or empty. If the field has an entry, the code initialises the uName value to perform an LDAP query:
DirectorySearcher s = new DirectorySearcher();
s.Filter = "(&(samAccountName=" + uName + "))"
This is critically insufficient and leaves the LDAP server in the hands of malicious agents. Someone could perform LDAP injection using the asterisk (*) wildcard character via the web app’s URL:
http://webapp/default.aspx?user=*
The resulting LDAP statement (samAccountName=*) will return every object with the appropriate samAccountName attribute.
This simple example illustrates how LDAP injections work. Below are more examples of LDAP injection attacks using OR and AND operators, which are amongst the most common types.
The OpenLDAP is a free, open-source implementation of LDAP. In this example, let’s assume an OpenLDAP server’s login page employs the usual username and password pair.
When a user enters their credentials, the page sends the following LDAP query to the server:
(&(USER=uName)(PASSWORD=pwrd))
If an attacker knows a valid username, they can inject the following string into the user field:
validUname)(&))
Now, anything they write in the password field will bypass the security check. The LDAP statement that results is:
(& (USER=validUname)(&))(PASSWORD=anyString))
Due to the way it’s structured, OpenLDAP only processes the first filter: (& (USER=validUname)(&). OpenLDAP will see that the username is valid and that the second filter is a boolean AND, which returns TRUE. This ultimately bypasses the login page.
One typical use of the OR operator in an LDAP injection is in a resources explorer, which shows available resources in a system. Let’s examine this proper query to check available resources.
(|(type=R1)(type=R2))
In this statement, R1 and R2 represent resource types. A malicious user can inject the following string into the LDAP statement:
1)(uid=*)
Now, this is the completed query:
(|(type=R1)(uid=*))(type=R2))
Once again, this exploits how the LDAP server processes filters and returns all R1-type resources in the database.
Another common attack can elevate privileges by exploiting the AND operator. Let’s assume a basic security level lets users access documents:
(&(directory=docs)(security_level=basic))
A malicious actor may enter this LDAP injection:
docs)(security_level=*))(&(directory=docs
This creates the following filter.
(&(directory=docs)(security_level=*))(&(directory=docs)(security_level=low))
The wildcard operator and the AND cause the LDAP server to ignore the second filter. Consequently, the attacker can access all security levels.
Fortunately, the most effective ways to mitigate LDAP injection vulnerabilities are straightforward and usually readily accessible:
- Sanitising inputs or escaping special characters. Sanitising and validating user inputs fixes the vulnerability that enables LDAP injections. However, multi-party systems and complex interconnected system integrations complicate the sanitising and validating of user inputs.
- Apply the principle of least privilege for LDAP access. Only allow each user to have the least privilege necessary at every point of interaction with the LDAP server. Additionally, if users require elevated privileges for some queries, ensure these expire after a brief period.
- Create an allowed list for inputs. This is an extension of user input validation beyond in-code cheques. Checking user input at the source—as it’s entered into the field—adds a layer of validation for user input before forming the query in the application.
- Use size limits for incoming requests. As the examples above demonstrate, LDAP injections tend to be long strings. This is especially true for advanced strategies such as blind LDAP injections, attribute discovery, and booleanization. Therefore, adding a size limit for input mitigates potential attack vectors.
- Set up timeout limits. More complex LDAP injection attacks require a period of discovery in which the malicious agent discovers what they can and cannot do. The attacker can’t launch a complicated attack if they’re kicked off the LDAP server when it times out.
Finally, cloud –security platforms with application security capabilities like Trend Cloud One can identify potential vulnerabilities and implement remediation steps in real time. These automated and advanced tools are especially critical in multi-party setups where organisations rely on third-party providers for additional functionality and integrations.
Trend Micro’s cyber risk management solutions have many features that reduce the risk of an LDAP injection, including:
- Attack surface management with Attack Surface Discovery, which continuously discovers known, unknown, internal, and external assets to identify potential attack vectors.
- Automated risk scoring and trending to prioritise security initiatives.
- Intelligent recommendations that can be quickly automated across the enterprise to lower risk.
- XDR (Extended Detection and Response) collects detection data and provides insights into threat activity and the effectiveness of defences.
However, Trend Cloud One goes even further. With robust, embedded security capabilities specifically designed for containerised apps and APIs, you can:
- Discover vulnerabilities early. Real-time visibility into malicious user behaviour, exploits, attack sources, and more enables the prioritisation of remediation efforts. Trend Cloud One is specifically suited to combat LDAP injections, amongst other runtime attacks.
- Perform full analyses. Diagnostics from Trend Cloud One vulnerability scans can pinpoint vulnerabilities down to a single line of code. Simultaneously, Trend Cloud One filters out false positives or irrelevant data points. Moreover, it all happens inside the application, reducing latency.
- Upgrade and patch without issues. Dramatically reduce the performance impact of automatically patching vulnerabilities and upgrading frameworks.
Trend Cloud One lets organisations build more securely and receive faster results in the context of their application. It automates cloud runtime protection for Python without requiring changes to application code, making cloud deployments easy.
Conclusion
Many directory services use LDAP to streamline their operations, including Microsoft Active Directory, Novell E-Directory, and RedHat Directory Services. Typically, these include directories for the domain, mailboxes for distribution, remote access, and more, each with individual authentication requirements. Instead, LDAP enables a single centralised directory of information. Centralization reduces complexity and improves security through measures like single sign-on (SSO).
However, a successful LDAP injection attack can wipe out all these advantages. That’s why effective preventative measures are crucial. These include implementing input sanitisation and validation, the principle of least privilege, access control lists, and size and timeout limits for incoming requests.
Cloud security platforms with cloud-native application protection capabilities like Trend Cloud One , organisations can stay vigilant against malicious attackers looking to gain unauthorised access to their systems. These measures ensure organisations have the greatest possible protection from LDAP injection attacks.