LDAP Injection
What is LDAP Injection?
LDAP Injection: An injection attack that manipulates LDAP search filters or DNs through unsanitized input to bypass authentication or read directory data.
LDAP injection targets applications that build LDAP queries by concatenating user input into search filters or distinguished names (DNs). By inserting LDAP metacharacters such as *, (, ), |, &, \ or a NUL byte, an attacker can rewrite a filter (for example turning (uid=$user) into (uid=*)) to authenticate as another principal, enumerate users, or read sensitive attributes. Defences include LDAP libraries that escape or parameterize filter values, strict input validation that allow-lists the characters permitted in usernames and DN components, RFC 4515 escaping for filter values and RFC 4514 escaping for DN values, authenticating by binding as the user's DN rather than comparing a password attribute inside a search filter, binding application queries to least-privileged service accounts, and restricting the directory attributes any given application can return.
● Examples
- 01
An authentication form that constructs (&(uid=$user)(userPassword=$pass)) and treats any match as a successful login. A username of *)(uid=*))(|(uid=* turns the filter into (&(uid=*)(uid=*))(|(uid=*)(userPassword=$pass)); on a server that evaluates only the first complete filter, every entry matches and the application logs the attacker in as the first result.
- 02
A people-search page that inserts the search term directly into a filter, so a term of * becomes a wildcard match that dumps every employee record from the directory.
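The two examples above, worked through in code. This is an added illustration, not code from the page or from any particular LDAP library: the vulnerable concatenation from example 01 sits beside a hardened lookup that allow-lists the username, applies RFC 4515 escaping to filter values and RFC 4514 escaping to DN values, and keeps the password out of the filter so the caller can bind as the user's DN instead. The base DN, the username policy and all function names are assumptions made for the example.

```python
import re

# RFC 4515, section 3: inside a filter assertion value these characters must be
# written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514, section 2.4: characters that must be escaped in a DN attribute value,
# plus a leading '#', and a leading or trailing space.
_DN_SPECIAL = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape a user-supplied value for use as an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


# Hypothetical base DN and username policy for this example (not from the page).
PEOPLE_BASE = "ou=people,dc=example,dc=com"
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def build_login_filter_unsafe(user: str, password: str) -> str:
    """The vulnerable pattern from example 01: raw concatenation, with the
    password compared inside the filter instead of checked by a bind."""
    return f"(&(uid={user})(userPassword={password}))"


def build_user_filter_safe(user: str) -> str:
    """Hardened lookup: allow-list the username, escape it anyway (defence in
    depth) and never put the password in the filter. The caller then binds as
    the DN of the single entry returned to verify the password."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("username contains characters outside the allow-list")
    return f"(uid={escape_filter_value(user)})"


def build_user_dn_safe(user: str) -> str:
    """Build the DN to bind as, escaping the RDN value per RFC 4514."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("username contains characters outside the allow-list")
    return f"uid={escape_dn_value(user)},{PEOPLE_BASE}"


def build_people_search_filter(term: str) -> str:
    """Hardened version of example 02: the application supplies its own
    substring wildcards, a user-typed '*' is escaped to a literal, and very
    short terms are refused so one character cannot enumerate the tree."""
    term = term.strip()
    if len(term) < 2:
        raise ValueError("search term too short")
    return f"(cn=*{escape_filter_value(term)}*)"


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"          # attacker-controlled username
    print("unsafe :", build_login_filter_unsafe(payload, "guess"))
    print("escaped:", escape_filter_value(payload))
    print("safe   :", build_user_filter_safe("alice"))
    print("bind DN:", build_user_dn_safe("alice"))
    print("search :", build_people_search_filter("a*"))
```

The unsafe builder reproduces the filter from example 01 exactly, which shows why the AND clause holding the password cannot be trusted once the username can close parentheses. The hardened path refuses the payload at the allow-list before escaping is even reached; escaping alone would also have neutralised it (the `*`, `(` and `)` become `\2a`, `\28` and `\29`), but the allow-list is what keeps a directory search from seeing unexpected values at all. For the people search, escaping turns the page's wildcard into a literal asterisk, so the query matches names containing `*` rather than every entry.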
● Frequently asked questions
What is LDAP Injection?
An injection attack that manipulates LDAP search filters or DNs through unsanitized input to bypass authentication or read directory data. It belongs to the Attacks & Threats category of cybersecurity.
What does LDAP Injection mean?
An injection attack that manipulates LDAP search filters or DNs through unsanitized input to bypass authentication or read directory data.
How do you defend against LDAP Injection?
Defences for LDAP Injection combine technical controls (escaping or parameterizing filter and DN values, allow-listing the characters accepted in usernames, and authenticating by bind rather than by a password comparison in a filter) with operational practices (least-privileged service accounts and limits on the attributes an application may read), as detailed in the full definition above.