LDAP and LDAP Injection/Prevention

Last Updated : 24 Jan, 2023

Lightweight Directory Access Protocol

LDAP (Lightweight Directory Access Protocol) is a software protocol, widely used in colleges and startups, that enables anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.

A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.

[Figures: My college LDAP; My college Secured LDAP]

Major operations that can be performed with this protocol:

  • Add : add new data to the database
  • Bind (authenticate) : all authentication and encryption is handled in this operation
  • Delete : delete data from the database
  • Search and Compare : the Search operation is used both to search for and to read entries
  • Modify : the Modify operation is used by LDAP clients to request that the LDAP server make changes to existing entries
  • Unbind : close the connection

A simple directory entry with several attributes:

 dn: cn=akash sharan, dc=example, dc=com
 objectClass: organizationalStudent
 cn: akash sharan

An LDAP uniform resource identifier (URI) scheme exists, which clients support in varying degrees, and servers return in referrals and continuation references.

LDAP URI syntax:

ldap://host:port/DN?attributes?scope?filter?extensions
ldap://ldap.example.com/cn=akash%20sharan,dc=example,dc=com

host - hostname or IP address of the LDAP server
DN - the distinguished name to use as the search base,
for example cn=John Doe, dc=example, dc=com
attributes - a comma-separated list of attributes to retrieve
scope - the search scope: "base" (the default), "one" or "sub"
filter - a search filter
extensions - extensions to the LDAP URL format
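As an added example (not part of the original article), the following Python parses the URL form above according to RFC 4516. The point a practitioner should take from it is that the four "?"-separated fields are split before percent-decoding, which is why a literal "?" inside a filter or DN has to be sent as %3F; decoding first would let user-supplied data shift the field boundaries. The sample URLs are constructed from the article's own example, and the function and class names are this example's, not a library's.

```python
"""Added example (not from the original article): parse the LDAP URL form
    ldap://host:port/DN?attributes?scope?filter?extensions
following RFC 4516. The inputs used below are constructed from the article's own."""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = {"base", "one", "sub"}


@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    dn: str              # search base, percent-decoded
    attributes: list     # [] means "all user attributes"
    scope: str           # base | one | sub
    filter: str          # (objectClass=*) when omitted, per RFC 4516
    extensions: list


def parse_ldap_url(url: str) -> LdapUrl:
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    host = parts.hostname or ""
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    # Everything after the first '/' up to the first '?' is the base DN.
    dn = unquote(parts.path[1:]) if parts.path.startswith("/") else ""
    # Split the four '?'-delimited fields BEFORE percent-decoding: a literal '?'
    # inside a filter or DN must travel as %3F (RFC 4516 section 2.1), so
    # decoding first would let user data move field boundaries.
    attrs_raw, scope_raw, filter_raw, ext_raw = (parts.query.split("?", 3) + [""] * 4)[:4]
    attributes = [unquote(a) for a in attrs_raw.split(",") if a]
    scope = unquote(scope_raw).lower() or "base"
    if scope not in VALID_SCOPES:
        raise ValueError(f"invalid scope {scope!r}")
    search_filter = unquote(filter_raw) or "(objectClass=*)"
    extensions = [unquote(e) for e in ext_raw.split(",") if e]
    return LdapUrl(parts.scheme, host, port, dn, attributes, scope, search_filter, extensions)


if __name__ == "__main__":
    for u in ("ldap://ldap.example.com/cn=akash%20sharan,dc=example,dc=com",
              "ldaps://ldap.example.com:6360/dc=example,dc=com?cn,mail?sub?(cn=akash%3F)"):
        print(parse_ldap_url(u))
```

An application that accepts LDAP URLs from outside (for example when following referrals) should additionally check the parsed host against the set of directory servers it expects to talk to, since the URL decides where the bind credentials are sent.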

LDAP Injection

LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements through techniques similar to SQL Injection.

Normal operation:

[Figure: LDAP-Diagram]

Operation with code injection:

[Figure: LDAP-Code-Injection-Diagram]

LDAP injection example:

For a user search, the following code builds the query. The user enters a username, and the LDAP search filter executed in the backend is constructed by concatenation:

    // Vulnerable: the user-controlled value is concatenated straight into the filter
    String ldapSearchQuery = "(cn=" + userName + ")";
    System.out.println(ldapSearchQuery);

If the variable userName is not validated, LDAP injection is possible, as follows:

If a user enters "*" in the search box, the system may return all the usernames in the LDAP base. If a user enters "akash)(|(password=*))", the generated filter becomes "(cn=akash)(|(password=*))", revealing akash's password.

Prevention

  • Input Validation : All user-supplied input must be sanitized. It should be free of suspicious characters and strings that can be malicious. OWASP APIs exist that can help defend against this vulnerability, for example:
    • esapi-java
    • C# AntiXSS functions, including Encoder.LdapFilterEncode(string), Encoder.LdapDistinguishedNameEncode(string) and Encoder.LdapDistinguishedNameEncode(string, bool, bool).

    The following routine escapes a user-supplied value before it is placed into the search filter of the query above. Each of the five filter metacharacters is replaced by its backslash-hex form, so the value can no longer open or close an assertion or act as a wildcard:

    public static final String escapeLDAPSearchFilter(String filter)
    {
        // If using JDK >= 1.5 consider using StringBuilder
        StringBuffer sb = new StringBuffer();

        for (int i = 0; i < filter.length(); i++) {
            char curChar = filter.charAt(i);
            switch (curChar) {
            case '\\':          // backslash: the escape character itself
                sb.append("\\5c");
                break;
            case '*':           // wildcard
                sb.append("\\2a");
                break;
            case '(':           // opens an assertion
                sb.append("\\28");
                break;
            case ')':           // closes an assertion
                sb.append("\\29");
                break;
            case '\u0000':      // NUL
                sb.append("\\00");
                break;
            default:
                sb.append(curChar);
            }
        }
        return sb.toString();
    }

  • Safe Configuration : Safeguard sensitive information when assigning permissions on user objects. This is all the more important when the directory is used by an application for its login process. Limits and restrictions should be applied when setting up LDAP in an organisation.
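As an added example that is not part of the article or of the OWASP routine above, the following Python does for user input what escapeLDAPSearchFilter does (RFC 4515 filter escaping, same five characters) and adds the distinguished-name escaping that Encoder.LdapDistinguishedNameEncode performs (RFC 4514, for values placed in a DN such as cn=...). A small filter parser makes the effect of the injection string from the search example visible: concatenated raw, the input leaves data after the first assertion and the filter is rejected as malformed; escaped, the whole input stays inside one assertion value. The function names and the input strings are constructed for this example.

```python
"""Added example (not from the original article): escaping untrusted input for an
LDAP search filter (RFC 4515) and for a DN (RFC 4514), plus a small filter parser
that shows the structural effect of the article's injection string."""

# RFC 4515 section 3: these five characters must be hex-escaped in a filter value
# (the same table as the Java escapeLDAPSearchFilter routine).
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514 section 2.4: characters that need a backslash inside a DN attribute value.
DN_SPECIALS = set('\\,+"<>;=')


def escape_filter_value(value: str) -> str:
    """Return VALUE safe to embed as an assertion value in a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Return VALUE safe to embed as an attribute value in a DN (e.g. cn=VALUE)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:          # '#' only needs escaping at the start
            out.append(r"\#")
        elif ch == " " and i in (0, last):  # leading or trailing space
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter_unsafe(username: str) -> str:
    """The article's vulnerable pattern: raw concatenation (kept for comparison)."""
    return f"(cn={username})"


def build_user_filter(username: str) -> str:
    """Hardened form: the user-controlled part is escaped before concatenation."""
    return f"(cn={escape_filter_value(username)})"


def parse_filter(text: str):
    """Parse a filter into nested tuples, covering the RFC 4515 subset used here:
    (&...), (|...), (!...) and simple attr=value assertions. Raises ValueError on
    malformed input or trailing data, as a directory server would."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if pos < len(text) and text[pos] == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        end = text.find(")", pos)           # an escaped ')' is '\29', never a raw ')'
        if end < 0:
            raise ValueError(f"unterminated assertion in {text!r}")
        attr, sep, val = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"bad assertion {text[pos:end]!r}")
        pos = end + 1
        return (attr.strip(), val)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data after filter: {text[pos:]!r}")
    return tree


if __name__ == "__main__":
    # Constructed input: the article's injection string, without the spaces.
    bad_input = "akash)(|(password=*))"
    for label, f in (("unsafe ", build_user_filter_unsafe(bad_input)),
                     ("escaped", build_user_filter(bad_input))):
        try:
            print(label, f, "->", parse_filter(f))
        except ValueError as e:
            print(label, f, "-> REJECTED:", e)
    print("dn:", f"cn={escape_dn_value('akash, sharan')},dc=example,dc=com")
```

Filter escaping and DN escaping are different tables and must not be swapped: a comma is harmless in a filter value but changes the meaning of a DN, while "*" and parentheses are the characters that matter in a filter. Use the escaper that matches where the value is going, and do not expect the rejection shown here to be a defence: a differently shaped input could still parse, which is why escaping (or a library that does it) is the control, not the parser.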

References

  • https://www.owasp.org/index.php/LDAP_Injection_Prevention_Cheat_Sheet
  • https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
  • http://www.faqs.org/rfcs/rfc2254.html
