LDAP injection is an attack against applications that build LDAP queries from user-supplied input without escaping it. A successful injection can leak sensitive or private information held in the LDAP repository.
Web applications often use LDAP as the backend user profile repository. They frequently take user input (from HTTP request query parameters or HTML form fields), incorporate it into an LDAP query, and send that query to the backend LDAP server. The query results are then processed by the application and sometimes displayed to the user.
User Profile Retrieval Example
To understand how LDAP injection works, let’s take a look at a user profile retrieval example.
Suppose we have the following LDAP query for retrieving user profiles for all users in group dept1:
ldapsearch -h 22.214.171.124 -p 389 -D "cn=directory manager" -w changeme -b "ou=People,dc=example,dc=com" ou=dept1
Here “dept1” is user input taken from a hidden HTML form field that indicates the group the logged-in user belongs to. A hidden field is still client-controlled: the browser owner can set it to any value before the form is submitted.
The web application runs the above LDAP search and displays the user profile information for all retrieved users in group dept1.
Attacker’s Exploitation Step
The attacker can exploit the above logic by specifying * instead of “dept1” as user input so that the constructed LDAP query becomes:
ldapsearch -h 22.214.171.124 -p 389 -D "cn=directory manager" -w changeme -b "ou=People,dc=example,dc=com" ou=*
Because an unescaped * in an LDAP filter value is a wildcard, this returns every user profile in the LDAP store, which the attacker is not authorized to view.
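The following is an added example, not code from the original page. It reproduces the article's ou=dept1 filter in Python, shows how the attacker's * input turns it into a match-everything filter, and then shows the two fixes a practitioner would apply: hex-escaping the value as RFC 4515 requires, and taking the group from the server-side session instead of trusting the hidden field. The DIRECTORY entries, the small filter evaluator (ldap_search / filter_to_regex) and the search_profiles handler are constructed stand-ins for the LDAP server and the application; they are not the article's own code.

```python
import re

# Constructed sample directory standing in for the ou=People subtree;
# not real data from the article.
DIRECTORY = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "ou": "dept1"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "ou": "dept1"},
    {"dn": "uid=carol,ou=People,dc=example,dc=com", "ou": "dept2"},
    {"dn": "uid=dave,ou=People,dc=example,dc=com", "ou": "hr"},
]

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so the server matches it literally, never as a wildcard."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(dept: str) -> str:
    """The article's pattern: raw input concatenated into the filter."""
    return f"(ou={dept})"


def build_filter_safe(dept: str) -> str:
    """Same filter with the value escaped; '*' becomes the literal text '\\2a'."""
    return f"(ou={escape_filter_value(dept)})"


# --- Constructed stand-in for the LDAP server's filter evaluation (assumption:
# only a single "(attr=value)" equality/substring filter is supported) ---
_SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")


def _unescape(piece: str) -> str:
    """Decode RFC 4515 \\xx hex escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def filter_to_regex(filt: str):
    """Translate "(attr=value)" into (attr, compiled regex). An unescaped '*'
    is a substring wildcard; escaped characters match themselves."""
    m = _SIMPLE_FILTER.match(filt)
    if not m:
        # A real server rejects malformed filters the same way.
        raise ValueError(f"unsupported or malformed filter: {filt!r}")
    attr, value = m.group(1), m.group(2)
    pieces = [re.escape(_unescape(p)) for p in value.split("*")]
    return attr, re.compile("^" + ".*".join(pieces) + "$", re.DOTALL)


def ldap_search(filt: str) -> list:
    """Return the DNs of entries matching the filter (stand-in for ldapsearch)."""
    attr, pattern = filter_to_regex(filt)
    return [e["dn"] for e in DIRECTORY if pattern.match(e.get(attr, ""))]


def search_profiles(requested_dept: str, session_dept: str) -> list:
    """Hardened handler (assumed design, not the article's): the group the user
    may view is bound to the server-side session, so the hidden form field is
    only accepted when it agrees with it, and the value is escaped before it
    reaches the filter."""
    if requested_dept != session_dept:
        raise PermissionError(f"not authorized to view group {requested_dept!r}")
    return ldap_search(build_filter_safe(requested_dept))


if __name__ == "__main__":
    print(ldap_search(build_filter_vulnerable("dept1")))  # the two dept1 users
    print(ldap_search(build_filter_vulnerable("*")))      # every user: the injection
    print(ldap_search(build_filter_safe("*")))            # []: '*' matched literally
```

Escaping alone stops the wildcard but not a user who simply asks for "dept2" instead of "dept1"; the authorization check in search_profiles covers that, which is why the group should come from the session rather than from the form. Note also that the article's command binds as "cn=directory manager", so any injected filter runs with the directory administrator's read access; the application should bind with a least-privilege service account whose ACLs limit what a bad filter can return.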