An attacker manipulates or crafts an LDAP query for the purpose of
undermining the security of the target. Some applications use user input to
create LDAP queries that are processed by an LDAP server. For example, a
user might provide their username during authentication and the username
might be inserted in an LDAP query during the authentication process. An
attacker could use this input to inject additional commands into an LDAP
query that could disclose sensitive information. For example, entering a *
in the aforementioned query might return information about all users on the
system. This attack is very similar to an SQL injection attack in that it
manipulates a query to gather additional information or coerce a particular
return value.
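To make the concatenation-versus-escaping point above concrete, here is an added Python example written for this page (it is not code from the CAPEC entry or from any product the entry names). It builds the authentication-style filter from the introduction in an unsafe form and in a hardened form that escapes the value per RFC 4515, then runs both against a small in-memory filter evaluator that stands in for the LDAP server. The directory entries, the uid attribute and all function names are assumptions made for the example. The evaluator also rejects filters with broken syntax, which is the error condition the Experiment step below probes for.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter value.  Everything
# else passes through (a full encoder would also hex-escape non-ASCII bytes).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it can only ever be a literal inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: the username is concatenated straight into the filter."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: the same filter with the value escaped first."""
    return f"(uid={escape_filter_value(username)})"


# --- Minimal RFC 4515 filter parser and matcher, standing in for the server ---

def _parse(s: str, i: int):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = ("and" if s[i] == "&" else "or"), i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated compound filter at offset {i}")
        return (op, children), i + 1
    if i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated not filter at offset {i}")
        return ("not", child), i + 1
    eq, close = s.find("=", i), s.find(")", i)
    if eq == -1 or close == -1 or eq > close:
        raise ValueError(f"malformed simple filter at offset {i}")
    return ("eq", s[i:eq].lower(), s[eq + 1:close]), close + 1


def parse_filter(s: str):
    """Parse a complete filter; trailing text (e.g. from an injected ')') is an error."""
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError(f"trailing characters after filter at offset {i}")
    return node


def is_syntactically_valid(filter_str: str) -> bool:
    """True when the filter parses; a real server would return an error otherwise."""
    try:
        parse_filter(filter_str)
        return True
    except ValueError:
        return False


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(pattern: str, actual: str) -> bool:
    """An unescaped '*' is a wildcard; escaped characters match literally."""
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def _matches(node, attrs: dict) -> bool:
    kind = node[0]
    if kind == "and":
        return all(_matches(c, attrs) for c in node[1])
    if kind == "or":
        return any(_matches(c, attrs) for c in node[1])
    if kind == "not":
        return not _matches(node[1], attrs)
    _, attr, value = node
    return any(_value_matches(value, v) for v in attrs.get(attr, []))


def search(filter_str: str, directory: dict) -> list:
    """Return the DNs of entries matching filter_str; raises ValueError on bad syntax."""
    node = parse_filter(filter_str)
    return [dn for dn, attrs in directory.items() if _matches(node, attrs)]


# Constructed sample directory (not real data); attribute names are lower-case.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "mail": ["alice@example.com"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "mail": ["bob@example.com"]},
    "uid=carol,ou=people,dc=example,dc=com": {"uid": ["carol"], "mail": ["carol@example.com"]},
}

if __name__ == "__main__":
    for username in ("alice", "*", "ali)ce"):
        for label, build in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
            f = build(username)
            result = search(f, DIRECTORY) if is_syntactically_valid(f) else "syntax error"
            print(f"{label:6} {f!r:20} -> {result}")
```

With the unsafe builder a username of * yields (uid=*) and returns every entry, exactly the disclosure the introduction describes; with escaping it becomes (uid=\2a), a literal that matches nobody. The unsafe builder also turns a value containing ) into a filter with trailing characters, the kind of syntax error a probing attacker is looking for, whereas the escaped value stays a well-formed literal.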
Attack Execution Flow

Explore

Survey application:
The attacker takes an inventory of the entry points of the application.

Attack Step Techniques
| ID | Attack Step Technique Description | Environments |
| 1 | Spider web sites for all available links. | env-Web |
| 2 | Sniff network communications with the application using a utility such as Wireshark. | env-All |

Outcomes
| ID | Type | Outcome Description |
| 1 | Success | At least one data input to the application identified. |
| 2 | Failure | No inputs to the application identified. Note that just because no inputs are identified does not mean that the application will not accept any. |
Experiment

Determine user-controllable input susceptible to LDAP injection:
For each user-controllable input that the attacker suspects is vulnerable to LDAP injection, attempt to inject characters that have special meaning in LDAP (such as a single quote character, etc.). The goal is to create an LDAP query with invalid syntax.

Attack Step Techniques
| ID | Attack Step Technique Description | Environments |
| 1 | Use a web browser to inject input through text fields or through HTTP GET parameters. | env-Web |
| 2 | Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab, etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP headers. | env-Web |
| 3 | Use a modified client (modified by reverse engineering) to inject input. | |

Indicators
| ID | Type | Indicator Description | Environments |
| | | Attacker receives an error message from the target indicating a problem with the LDAP query. | env-Web env-CommProtocol env-ClientServer |
| 3 | Negative | Server sends a specific error message that indicates programmatic parsing of the input data (e.g. NumberFormatException). | env-Web env-CommProtocol env-ClientServer |

Outcomes
| ID | Type | Outcome Description |
| 1 | Success | At least one user-controllable data input to the application identified. |
| 2 | Failure | No inputs susceptible to injection into the application were identified. |

Security Controls
| ID | Type | Security Control Description |
| 1 | Detective | Search for and alert on unexpected LDAP constructs in application logs, e.g. (email=*)) and similar. |
| 2 | Preventative | Input validation of user-controlled data before including it in an LDAP query. |
Exploit

Try to exploit the LDAP injection vulnerability:
After determining that a given input is vulnerable to LDAP injection, hypothesize what the underlying query looks like. Possibly using a tool, iteratively try to add logic to the query to extract information from the LDAP directory, or to modify or delete information in it.

Attack Step Techniques
| ID | Attack Step Technique Description | Environments |
| 1 | Add logic to the LDAP query to change the meaning of that command. Automated tools could be used to generate the LDAP injection strings. | env-Web |
| 2 | Use a web application debugging tool such as Tamper Data, TamperIE, WebScarab, etc. to modify HTTP POST parameters, hidden fields, non-freeform fields, or other HTTP headers. | |

Indicators
| ID | Type | Indicator Description | Environments |
| | | Probing via LDAP syntax injection was successful in identifying vulnerable input. | env-Web env-CommProtocol env-ClientServer |
| 3 | Negative | Probing via LDAP syntax injection failed in identifying vulnerable input. | env-Web env-CommProtocol env-ClientServer |

Outcomes
| ID | Type | Outcome Description |
| 1 | Success | Attacker achieves goal of unauthorized information access, etc. |
| 2 | Failure | Attacker unable to exploit the LDAP injection vulnerability. |

Security Controls
| ID | Type | Security Control Description |
| 1 | Detective | Search for and alert on unexpected LDAP constructs in application logs, e.g. (email=*)) and similar. |
| 2 | Preventative | Input validation of user-controlled data before including it in an LDAP query. |
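The detective control listed in both Security Controls tables (search application logs for unexpected LDAP constructs such as (email=*))) can be implemented as a small log scanner. The Python below is an added example for this page, not part of the CAPEC entry or of any product; the log line format, the EXACT_MATCH_ATTRS list and the four detection rules are assumptions for the example, and the sample log lines are constructed.

```python
import re

# Constructed sample application log lines (not from any real system).
SAMPLE_LOG = [
    '2024-01-01T10:00:00Z INFO login user=alice filter="(uid=alice)"',
    '2024-01-01T10:00:05Z INFO login user=* filter="(uid=*)"',
    '2024-01-01T10:00:09Z INFO search filter="(email=*))"',
    '2024-01-01T10:00:12Z WARN ldap error: bad search filter "(uid=bob)(cn=x)"',
    '2024-01-01T10:00:20Z INFO login user=bob filter="(uid=bob)"',
]

# Attributes this (assumed) application only ever searches by exact value, so a
# bare wildcard against them is never expected.  Tune per application.
EXACT_MATCH_ATTRS = ("uid", "mail", "email", "userpassword", "cn")

_QUOTED_FILTER = re.compile(r'"([^"]*\([^"]*)"')   # quoted strings containing '('
_WILDCARD_ONLY = re.compile(r'\((%s)=\*\)' % "|".join(EXACT_MATCH_ATTRS), re.IGNORECASE)
_ADJACENT_ITEMS = re.compile(r'\)\s*\(')
_NULL_BYTE = re.compile(r'\\00|%00|\x00')


def extract_filters(line: str) -> list:
    """Pull every quoted LDAP-looking filter out of one log line."""
    return _QUOTED_FILTER.findall(line)


def suspicious_constructs(filt: str) -> list:
    """Return the reasons (possibly none) why a single filter string looks injected."""
    reasons = []
    # Rule 1: a value that closed or opened a parenthesis leaves the count uneven.
    if filt.count("(") != filt.count(")"):
        reasons.append("unbalanced parentheses")
    # Rule 2: a wildcard-only value where the application always uses exact values.
    m = _WILDCARD_ONLY.search(filt)
    if m:
        reasons.append(f"wildcard-only value for {m.group(1).lower()}")
    # Rule 3 (heuristic): "(a=b)(c=d)" with no enclosing &, | or ! means a value
    # closed the original item and opened a new one.
    if _ADJACENT_ITEMS.search(filt) and not filt.startswith(("(&", "(|", "(!")):
        reasons.append("adjacent filter items outside a compound filter")
    # Rule 4: null bytes have no business in a filter built from form input.
    if _NULL_BYTE.search(filt):
        reasons.append("null byte in filter")
    return reasons


def scan_log(lines) -> list:
    """Return (line_index, filter, reasons) for every filter that triggers a rule."""
    findings = []
    for idx, line in enumerate(lines):
        for filt in extract_filters(line):
            reasons = suspicious_constructs(filt)
            if reasons:
                findings.append((idx, filt, reasons))
    return findings


if __name__ == "__main__":
    for idx, filt, reasons in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {filt!r}: {', '.join(reasons)}")
```

On the sample log the scanner flags the bare wildcard login, the (email=*)) construct from the control description (both unbalanced and wildcard-only), and the adjacent-items filter reported by the server, while the two ordinary logins pass. Rule 3 is deliberately a heuristic; in a production detector the application's own legitimate filter shapes should be allow-listed before alerting on what remains.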
Attack Prerequisites
The target application must accept a string as user input, fail to
sanitize characters that have a special meaning in LDAP queries in the user
input, and insert the user-supplied string in an LDAP query which is then
processed.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
PowerDNS before 2.9.18, when running with an LDAP backend, does not
properly escape LDAP queries, which allows remote attackers to cause a
denial of service (failure to answer ldap questions) and possibly
conduct an LDAP injection attack.
Related Vulnerabilities
CVE-2005-2301
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Medium
Solutions and Mitigations
Strong input validation - All user-controllable input must be validated
and filtered for illegal characters as well as LDAP content.
Use of custom error pages - Attackers can glean information about the
nature of queries from descriptive error messages. Input validation must be
coupled with customized error pages that inform about an error without
disclosing information about the LDAP or application.
Attack Motivation-Consequences
| Scope | Technical Impact | Note |
| Availability | DoS: crash / exit / restart | |
| Availability | DoS: instability | |
| Integrity | Modify files or directories | |
| Confidentiality | Read files or directories | |
| Integrity | Modify application data | |
| Confidentiality | Read application data | |
| Authorization | Execute unauthorized code or commands | |
| Accountability, Authentication, Authorization, Non-Repudiation | Gain privileges / assume identity | |
| Access_Control, Authorization | Bypass protection mechanism | |
Injection Vector
User-controllable input used as part of LDAP queries: This may include input
fields on web forms, data in user-accessible files or even command-line
parameters.
Payload
LDAP statement intended to reveal information or run malicious code
Activation Zone
Back-end LDAP directory tree
Payload Activation Impact
Description
When malicious LDAP content is executed by the LDAP engine, it can lead to
arbitrary queries being executed, causing disclosure of information,
unauthorized access, privilege escalation and possibly system
compromise.
Special characters in user-controllable input must be escaped before use
by the application.
Custom error pages must be used to handle exceptions such that they do not
reveal any information about the architecture of the application or the LDAP
structure.
Related Security Principles
Reluctance to Trust
Defense in Depth
Failing Securely
Related Guidelines
Handle All Errors Safely
Never Use Input as Part of a Directive to any Internal Component