LDAP and LDAP Injection/Prevention
Last Updated : 24 Jan, 2023
Lightweight Directory Access Protocol
LDAP (Lightweight Directory Access Protocol) is a software protocol, widely used in colleges and startups, that enables anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.
[Image: My college LDAP]
[Image: My college Secured LDAP]
Major operations that can be performed with this protocol :
- Add : add new data to the directory database
- Bind (authenticate) : the step in which the client authenticates to the server; authentication and encryption of the session are handled here
- Delete : delete data from the directory database
- Search and Compare : the Search operation is used both to search for and to read entries
- Modify : the Modify operation is used by LDAP clients to request that the LDAP server make changes to existing entries
- Unbind : close the connection
Simple directory entry with several attributes :
dn: cn=akash sharan, dc=example, dc=com
objectClass: organizationalStudent
cn: akash sharan
An LDAP uniform resource identifier (URI) scheme exists, which clients support in varying degrees, and servers return in referrals and continuation references.
LDAP URI syntax :
ldap://host:port/DN?attributes?scope?filter?extensions
ldap://ldap.example.com/cn=akash%20sharan, dc=example, dc=com
host - the hostname or IP address of the LDAP server
DN - the distinguished name to use as the search base,
for example - cn=John Doe, dc=example, dc=com
Attributes - a comma-separated list of attributes to retrieve.
Scope - the search scope, which can be "base" (the default), "one" or "sub".
Filter - a search filter.
Extensions - extensions to the LDAP URL format.
LDAP Injection
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements through techniques similar to SQL Injection.
[Image: Normal operation]
[Image: Operation with code injection]
LDAP injection examples:
For a user search, the following code is responsible for building the query.
[Image: search form with an "Insert the username" field]
The LDAP query that will be executed in the backend:
// Vulnerable: the username is concatenated straight into the search filter
String ldapSearchQuery = "(cn=" + userName + ")";
System.out.println(ldapSearchQuery);
If the variable userName is not validated, it is possible to accomplish LDAP injection, as follows:
If a user puts “*” in the search box, the system may return all the usernames in the LDAP base. If a user puts “akash) (| (password = * ) )”, it will generate the filter below, revealing akash’s password: ( cn = akash ) ( | (password = * ) ).
Prevention
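As an added example (not code from the original article), the Python below rebuilds the vulnerable filter from the section above, shows what the “*” and “akash)(|(password=*))” inputs turn it into, and puts beside it a hardened version that escapes the filter metacharacters defined in RFC 4515 (the successor of RFC 2254) so user input can only ever match as a literal value. The function names and the regex sanity check are my own, not part of the article.

```python
import re

# RFC 4515 escape table: inside a filter value these characters must be
# written as a backslash followed by their two-digit hex code.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape user input so it is matched literally, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(user_name: str) -> str:
    """Mirrors the article's vulnerable concatenation: input goes in verbatim."""
    return "(cn=" + user_name + ")"


def build_filter_safe(user_name: str) -> str:
    """Hardened form of the same query: the value is escaped before use."""
    return "(cn=" + escape_filter_value(user_name) + ")"


# Second line of defence (constructed for this example): a single equality
# filter on cn must be exactly one "(cn=...)" frame whose value contains no
# unescaped parentheses, wildcards or backslashes.
_SINGLE_EQUALITY = re.compile(r"^\(cn=(?:[^()*\\]|\\[0-9a-fA-F]{2})*\)$")


def is_single_equality_filter(ldap_filter: str) -> bool:
    """True only if the filter still has the shape the developer intended."""
    return _SINGLE_EQUALITY.fullmatch(ldap_filter) is not None


if __name__ == "__main__":
    # Constructed inputs: a normal name plus the two payloads from the article.
    for name in ["akash sharan", "*", "akash)(|(password=*))"]:
        unsafe, safe = build_filter_unsafe(name), build_filter_safe(name)
        print(f"{name!r}: unsafe={unsafe}  ok={is_single_equality_filter(unsafe)}")
        print(f"{name!r}: safe={safe}  ok={is_single_equality_filter(safe)}")
```

The unsafe builder turns “*” into the match-everything filter (cn=*) and the second payload into (cn=akash)(|(password=*)), while the escaped versions fail to parse as anything but a literal cn value and pass the shape check.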