LDAP injection is an attack in which malicious input is injected into a web application so that it builds a Lightweight Directory Access Protocol (LDAP) query the developer never intended. The attack can be used to retrieve sensitive information like database credentials or to modify the requests the application presents to the LDAP data store. It exploits a weakness in how the application constructs its queries and sends malicious queries to the LDAP server, and it can easily hand confidential and database information to the hacker.
What are LDAP servers?
LDAP servers store sensitive information like users, passwords, credentials, and other sensitive data; it can also be said that an LDAP server holds the core information of an application. This information is shared with other applications working on the same network so that they can authenticate and communicate with one another. If a hacker breaks into an LDAP server then he can easily gain all the sensitive information about the application along with information about the database. Clients query an LDAP server to obtain specific information: a client sends a search request for directory entries that match a given filter, and every entry matching the LDAP search filter is returned, so the required information is easily obtained.
How Does an LDAP Injection Work?
LDAP injection occurs when an application inserts untrusted input directly into an LDAP statement. It can also be defined as the construction of a query from untrusted input without sanitizing the data. The metacharacters used in a query control the meaning of the query, so if the input contains special characters they can change the intent of the query. LDAP search filters are written in prefix notation; a filter built from a username and a password instructs the server to find the LDAP node whose attributes match both values.
If these user-controlled values are added to the search filter, a username and password of ‘*’ (the LDAP wildcard) can change the intended meaning of the query. Other special characters can also be used to insert malicious content into the query sent to the LDAP server, and they help a hacker to easily bypass the authentication control. Multiple LDAP injection techniques can be used to exploit a vulnerable server. The LDAP server is filled with confidential information like users, roles, permissions, and many such things; if this information is stolen the consequences can be hazardous.
Forms of LDAP Injection Attacks
There are many forms of LDAP injection attacks; let us have a look at a few of them:
- Authentication Bypass
The most basic LDAP injection attack bypasses the password check. Directory services are commonly used for authentication, and the query below shows how an application builds its filter by concatenating the entered credentials:
filterContent = "(&(userID=" + enteredUser + ")(password=" +
                enteredPwd + "))"
For a non-malicious user the filter will appear like this:
If the combination of user and password is correct and present in the directory, then the user can easily log in. A hacker can instead insert LDAP filter code as the user ID (marked in red) so that the query still evaluates as genuine, as shown below:
This easily allows a hacker to gain access without a valid user name or password.
- Information Disclosure
The main aim of an information disclosure attack is to gain specific system information about a website. It might include information about software distribution, version numbers, and patch levels, and at times it is accompanied by the location of backup or temporary files. Once this information is disclosed to a hacker it becomes easy to delve deeper into the website and compromise other systems as well.
Blind LDAP Injection Attack
To build a filter the hacker needs to know the attribute names to specify in it; once known, they let the hacker query the LDAP server directly. A blind LDAP injection attack is an advanced exploitation technique in which many queries are sent to the server to determine whether each one is valid. With additional optimization and automation, a series of ‘yes’ and ‘no’ questions can be prepared, which the server effectively answers ‘yes’ for valid queries and ‘no’ for invalid ones. An effective blind LDAP injection attack consists of several steps, such as:
- Attribute Discovery
- Character Set Reduction
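The series of yes/no probes described above leaves a recognisable trace in application logs: one client repeating login requests whose parameters carry LDAP filter metacharacters and differ by a character at a time. The following detector, an added example that is not part of the original article, parses constructed access-log lines in Common Log Format, URL-decodes the query string, flags values that contain the wildcard, parentheses, backslash or NUL, and raises the severity when one client produces a burst of such requests. The parameter names `user` and `pwd`, the sample addresses and the burst threshold are assumptions for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). 10.0.0.5 and
# 10.0.0.7 are ordinary logins; 10.0.0.9 sends a burst of login attempts
# whose "user" and "pwd" values carry the LDAP wildcard, sometimes
# URL-encoded as %2A, and vary one character at a time.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=alice&pwd=s3cret HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /login?user=%2A&pwd=%2A HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /login?user=a*&pwd=%2A HTTP/1.1" 401 128
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /login?user=b*&pwd=%2A HTTP/1.1" 401 128
10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /login?user=c*&pwd=%2A HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /login?user=bob&pwd=hunter2 HTTP/1.1" 200 512
"""

# Common Log Format: client ip, identity, user, [timestamp] "request" status size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters with structural meaning inside an LDAP search filter (RFC 4515):
# wildcard, grouping parentheses, the escape character and NUL.
LDAP_META = re.compile(r"[*()\\\x00]")
# Request parameters the application copies into its LDAP filter (assumed names).
WATCHED_PARAMS = ("user", "pwd")


def parse_line(line):
    """Return ip, timestamp, status and decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs percent-decodes, so %2A is seen as the wildcard it really is.
    params = parse_qs(query, keep_blank_values=True)
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "params": params}


def suspicious_values(params):
    """List (parameter, value) pairs that contain LDAP filter metacharacters."""
    hits = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if LDAP_META.search(value):
                hits.append((name, value))
    return hits


def scan(log_text, burst_threshold=3):
    """Group suspicious requests by client; a burst marks a probable blind probe."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = suspicious_values(rec["params"])
        if hits:
            per_ip[rec["ip"]].append((rec["ts"], rec["status"], hits))
    alerts = []
    for ip, events in per_ip.items():
        alerts.append({
            "ip": ip,
            "count": len(events),
            "severity": "high" if len(events) >= burst_threshold else "low",
            "user_values": [v for _, _, hits in events for n, v in hits if n == "user"],
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Decoding before matching matters: a probe that percent-encodes the wildcard would otherwise slip past a detector that only looks at the raw request line. Correlating by client and counting events is what separates a single mistyped username from the alternating 200/401 pattern of a character-by-character probe.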
How to Prevent LDAP Injection Attacks?
LDAP injection vulnerabilities can be eliminated with proper input validation and careful coding. Every user input that reaches a query should be validated and encoded according to the application's requirements; encoding escapes the special characters so that the server treats them as literal data. A mature framework or library should be used for maximum safety, since it provides routines for escaping special characters. The actionable methods below help to avoid LDAP injection attacks:
- Enforce Input Validation
- Escape Input with Encoding
- Harden Directory Authorization
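The three measures above can be seen side by side with the filter from the Authentication Bypass section. The following Python is an added example, not code from the original article: it keeps the page's vulnerable concatenation for comparison, applies RFC 4515 escaping (each metacharacter becomes a backslash plus its two-digit hex code) so that a ‘*’ supplied as the user ID or password is matched literally, puts an allowlist check in front of it, and expresses directory authorization hardening as a restricted search (narrow base, single-level scope, explicit attribute list). The attribute names `userID` and `password` come from the page; the allowlist pattern, the base DN and the returned attributes are assumptions for this example.

```python
import re

# RFC 4515 escaping for a value placed inside an LDAP search filter: each
# metacharacter becomes a backslash followed by its two-digit hex code, so the
# server matches it literally and it cannot alter the filter's structure.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Allowlist for user IDs (an assumption for this example; adapt it to your
# directory's naming rules). Validation is the first line of defence and
# rejects wildcard and grouping characters before they reach the filter.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_username(user):
    """True only when the whole value matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(user) is not None


def build_filter_unsafe(user, pwd):
    """Mirrors the page's concatenation; kept deliberately vulnerable."""
    return "(&(userID=" + user + ")(password=" + pwd + "))"


def build_filter_safe(user, pwd):
    """Validate the user ID, then escape both values before concatenation."""
    if not validate_username(user):
        raise ValueError("user ID rejected by allowlist")
    return ("(&(userID=" + escape_filter_value(user)
            + ")(password=" + escape_filter_value(pwd) + "))")


# Directory authorization hardening, expressed as the only search parameters
# the application is allowed to use: a narrow base, single-level scope and an
# explicit attribute list that never includes password hashes. The base DN
# and the attribute names below are assumptions for this example.
SEARCH_BASE = "ou=people,dc=example,dc=com"
ALLOWED_ATTRIBUTES = ("cn", "mail")


def search_request(user):
    """Build the parameter set for a lookup of one validated user."""
    if not validate_username(user):
        raise ValueError("user ID rejected by allowlist")
    return {
        "base": SEARCH_BASE,
        "scope": "onelevel",
        "filter": "(userID=" + escape_filter_value(user) + ")",
        "attributes": list(ALLOWED_ATTRIBUTES),
    }


if __name__ == "__main__":
    print(build_filter_unsafe("*", "*"))       # wildcard reaches the server unchanged
    print(build_filter_safe("alice", "p*ss"))  # wildcard in the password is escaped
    print(search_request("alice"))
```

Escaping alone already stops the wildcard from changing the filter's structure; the allowlist is defence in depth and also gives a clean place to reject over-long or empty values. A design caveat for the page's own example: comparing the password inside a search filter means the application's service account can read password attributes, which is the opposite of a hardened authorization model; binding to the directory as the user with the supplied password keeps the secret out of the filter entirely, and the restricted `search_request` above is then all the service account needs.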
This write-up has covered what an LDAP injection attack is, how to identify it, and how it can be prevented. An application should always be protected against the various forms of injection attacks, so it is necessary to review the security measures regularly and keep the application protected. This keeps confidential information safe and secure.