Click here to Skip to main content
Click here to Skip to main content

Save your Data from LDAP Injection Attack

, 9 Jul 2014 CPOL
Rate this:
Please Sign up or sign in to vote.
Lightweight Directory Access Protocol (LDAP) Injection

Introduction

In current time, Cyber world is passing from the bad phase; cyber attackers have put security experts and firms in a wakeful situation. Whether it is SQL attack, DDoS attack, Buffer Overflow or any well known attack, all these attacks have done a lot of damage to many organizations either by swiping customer’s data or by exploiting the system in an unlawful way. Today in this piece of information, we will know about one of the most well known LDAP (Lightweight Directory Access Protocol) attack in which an attacker may alter LDAP statements with a local proxy to carry out random commands.

Overview

Lightweight Directory Access Protocol (LDAP) maintains an open directory information service over the internet protocol. It is clear that directory services shares the information about users, systems, networks, and services and thus contributes in intranet and relevant application development. For example, such directory keeps records of corporate email directory in a hierarchy like a landline phone directory. The description language used in LDAP is ASN.1 and works as per x.500 networking standard. LDAP provides “single sign on (SSO)” which is a property of multiple access control that allows users to access all the systems without asking for login information everytime.

What is LDAP Injection?

LDAP injection is used to exploit website that builds LDAP, which manipulates the web applications that use client-supplied data in LDAP statements without first removing possible unsafe characters from the request. When a web application fails to clean user-supplied input, it allows an attacker to intercept and change the details lies in LDAP statement. An attacker can change the configuration of LDAP statement using local proxy, but the process will run normally by granting permissions to unofficial queries. This technique works similar to SQL injection attack. The reason for such exploits is the fact that security is not correctly underlined in application development.

Example of LDAP Injection

LDAP occurs when an application either is web or desktop sends user supplied data to the LDAP interpreter resides within the filter options of the statement. For example, in a company where employees do reports to their manager named James Moore; when you search for employees who report to the manager, the code will look like the following:

(Manager=Moore, James)

However, when an LDAP injection attack is done, the above code will look like the following:

... 
DirectorySearcher src = 
new DirectorySearcher("(manager=" + managerName.Text + ")");
 src.SearchRoot = de; 
src.SearchScope = SearchScope.Subtree;
 foreach(SearchResult res in src.FindAll()) {
 ...
 }

From the above script, the manager’s name can be recognized from HTML string that seems untrusted. The filter works on content base query string and user input string. If a hacker replaces the manager name in a query string then, it will show as follows:

(manager=Hacker, Wiley)(|(objectclass=*))

Preventing LDAP Injection

There are mechanisms used to avert LDAP injection attacks including advanced input validation, source code analysis, and dynamic checks. The communication sends from the client to the server includes special characters in the parameters. It is necessary to check and sanitize variables used in LDAP attack. In LDAP, user inputs must be sanitized on server-side before it passes to the LDAP interpreter. There are three common techniques, which can prevent LDAP injection attack.

  • Incoming Data Validation

    In incoming Data validation, all client supplied data including strings and character is sanitized properly. This process should include all applications along with applications that are used for LDAP queries. It will remove all unwanted characters and will retain only characters that you want.

  • Outgoing Data Validation

    All data returned to the user should be suitably confirmed and the amount of data delivered by the queries should be controlled as an extra layer of security. This way, you can control input and output data validation successively.

  • LDAP Configuration

    It is necessary to keep strict control standards for LDAP directory data especially, when an application has single sign-on feature. You should restrict the user from modifying objectclass; however, allow users to change their access level. The level of application related to connection with LDAP server should be restricted so an attacker could not damage the data.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Jason Parms
Technical Lead SSL2BUY Inc.
United States United States
Jason Parms is customer service manager at SSL2BUY Inc. His key responsibility is maintaining customer happiness by providing help desk resources and technical guidance, resolution for customer troubles, detecting and diagnosing network problems and managing staff. As a part of online security industry, He is always update knowledge by contributing in cyber security events, reading information security publications, maintaining personal networks, examine information and applications, participate in security surveys.
 
Official Website:- https://www.ssl2buy.com
Follow on   Twitter   Google+   LinkedIn

Comments and Discussions

 
-- There are no messages in this forum --
| Advertise | Privacy | Terms of Use | Mobile
Web04 | 2.8.1411023.1 | Last Updated 9 Jul 2014
Article Copyright 2014 by Jason Parms
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid