LDAP and LDAP Injection/Prevention

Lightweight Directory Access Protocol

LDAP (Lightweight Directory Access Protocol) is a software protocol, commonly used in organizations such as colleges and startups, that enables anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.

A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.

Figures: My college LDAP; My college Secured LDAP.

Major operations that can be performed with this protocol:

  • Add : add a new entry to the directory
  • Bind (authenticate) : all authentication and encryption is handled in this operation
  • Delete : delete an entry from the directory
  • Search and Compare : the Search operation is used to both search for and read entries
  • Modify : the Modify operation is used by LDAP clients to request that the LDAP server make changes to existing entries
  • Unbind : close the connection

A simple directory entry with several attributes:

 dn: cn=akash sharan, dc=example, dc=com
 objectClass: organizationalStudent
 cn: akash sharan

An LDAP uniform resource identifier (URI) scheme exists, which clients support in varying degrees, and servers return in referrals and continuation references.

LDAP URI syntax:

ldap://host:port/DN?attributes?scope?filter?extensions
ldap://ldap.example.com/cn=akash%20sharan,dc=example,dc=com

host - the hostname or IP address of the LDAP server
DN - the distinguished name to use as the search base, for example cn=John Doe,dc=example,dc=com
attributes - a comma-separated list of attributes to retrieve
scope - the search scope: "base" (the default), "one" or "sub"
filter - a search filter
extensions - extensions to the LDAP URL format

LDAP Injection

LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements from user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements through techniques similar to SQL Injection.

Normal operation (diagram: LDAP-Diagram)

Operation with code injection (diagram: LDAP-Code-Injection-Diagram)

LDAP injection example:

For a user search, the following code builds the query: the username entered by the user is inserted into the filter, and the resulting LDAP query is executed on the backend.

// userName comes straight from the request: no validation or escaping
String ldapSearchQuery = "(cn=" + userName + ")";
System.out.println(ldapSearchQuery);

If the variable userName is not validated, LDAP injection is possible, as follows:

If a user puts "*" in the search box, the system may return all the usernames in the LDAP base. If a user puts "akash)(|(password=*))", it will generate the filter below, revealing akash's password: (cn=akash)(|(password=*)).

Prevention

  • Input Validation : All user-supplied input must be sanitized; it should be free of suspicious characters and strings that could be malicious. OWASP provides APIs that help defend against this vulnerability, such as:
    • esapi-java
    • the C# AntiXSS functions, including Encoder.LdapFilterEncode(string), Encoder.LdapDistinguishedNameEncode(string) and Encoder.LdapDistinguishedNameEncode(string, bool, bool).

    The following function escapes a search-filter value; apply it to userName before it is concatenated into the query above:

    public static final String escapeLDAPSearchFilter(String filter)
    {
        // If using JDK >= 1.5 consider using StringBuilder
        StringBuffer sb = new StringBuffer(); 
      
        for (int i = 0; i < filter.length(); i++) {
            char curChar = filter.charAt(i);
            switch (curChar) {
            case '\\':
                sb.append("\\5c");
                break;
            case '*':
                sb.append("\\2a");
                break;
            case '(':
                sb.append("\\28");
                break;
            case ')':
                sb.append("\\29");
                break;
            case '\u0000':
                sb.append("\\00");
                break;
            default:
                sb.append(curChar);
            }
        }
        return sb.toString();
    }

  • Safe Configuration : Protect sensitive information by setting permissions on user objects carefully. This is all the more important when the directory is used by an application for its login process. Limits and restrictions should be applied when setting up LDAP in an organisation.

This article is contributed by Akash Sharan.

Improved by: ManasChhabra2