LDAP Injection

Notes on LDAP Injection and LDAP Fundamentals

1. Introduction to LDAP Injection

LDAP (Lightweight Directory Access Protocol) is used for accessing directory servers such as Active Directory (AD).
Web applications integrate LDAP for authentication and data retrieval.
LDAP Injection occurs when unsanitized user input is inserted into LDAP queries, leading to authentication bypass, data leakage, and privilege escalation.

2. LDAP Foundations

Key LDAP Terminology

Directory Server (DS): A database-like system storing directory data (e.g., OpenLDAP).
LDAP Entry: The basic data unit in LDAP containing:
- Distinguished Name (DN): Unique identifier (e.g., uid=admin,dc=example,dc=com).
- Attributes: Data fields (e.g., uid, cn, mail).
- Object Classes: Defines entry types (e.g., Person, Group).

LDAP Operations

Bind: Authentication with the directory server.
Unbind: Close the client connection.
Add: Create a new entry.
Delete: Remove an entry.
Modify: Update an entry.
Search: Query directory entries.

3. LDAP Search Filter Syntax

LDAP queries use search filters enclosed in parentheses ().
Filters consist of an attribute, an operand, and a value.

Base Operand Filters

Name

Operand

Example

Description

Equality

=

(name=Kaylie)

Matches name=Kaylie

Greater-Than

>=

(uid>=10)

Matches uid ≥ 10

Less-Than

<=

(uid<=10)

Matches uid ≤ 10

Approximate

~=

(name~=Kaylie)

Matches similar values to Kaylie

Logical Combination Filters

Name

Operand

Example

Description

AND

&

(&(name=Kaylie)(title=Manager))

Matches both conditions

NOT

!

(!(name=Kaylie))

Excludes name=Kaylie

Boolean Filters

Name

Filter

True

(&)

False

Wildcard Filters

Example

Description

(name=*)

Matches all entries with name attribute

(name=K*)

Matches names starting with K

(name=*a*)

Matches names containing a

4. Common LDAP Attribute Types

Attribute Type

Description

cn

Full Name

givenName

First Name

sn

Last Name

uid

User ID

objectClass

Object Type

distinguishedName

Unique Identifier

ou

Organizational Unit

title

Job Title

telephoneNumber

Phone Number

mail

Email Address

street

Street Address

postalCode

ZIP Code

member

Group Memberships

userPassword

User Password

Key Takeaways

LDAP is a structured query language for directory services.
LDAP Injection occurs when attackers manipulate input to change LDAP query behavior.
Logical operands (&, |, !) allow powerful filtering and are exploitable.
Input sanitization and proper escaping are crucial for preventing LDAP Injection.

PreviousPayloads NextPort Swigger

Last updated 8 days ago

LDAP Injection

Notes on LDAP Injection and LDAP Fundamentals

1. Introduction to LDAP Injection

LDAP (Lightweight Directory Access Protocol) is used for accessing directory servers such as Active Directory (AD).
Web applications integrate LDAP for authentication and data retrieval.
LDAP Injection occurs when unsanitized user input is inserted into LDAP queries, leading to authentication bypass, data leakage, and privilege escalation.

2. LDAP Foundations

Key LDAP Terminology

Directory Server (DS): A database-like system storing directory data (e.g., OpenLDAP).
LDAP Entry: The basic data unit in LDAP containing:
- Distinguished Name (DN): Unique identifier (e.g., uid=admin,dc=example,dc=com).
- Attributes: Data fields (e.g., uid, cn, mail).
- Object Classes: Defines entry types (e.g., Person, Group).

LDAP Operations

Bind: Authentication with the directory server.
Unbind: Close the client connection.
Add: Create a new entry.
Delete: Remove an entry.
Modify: Update an entry.
Search: Query directory entries.

3. LDAP Search Filter Syntax

LDAP queries use search filters enclosed in parentheses ().
Filters consist of an attribute, an operand, and a value.

Base Operand Filters

Name

Operand

Example

Description

Equality

=

(name=Kaylie)

Matches name=Kaylie

Greater-Than

>=

(uid>=10)

Matches uid ≥ 10

Less-Than

<=

(uid<=10)

Matches uid ≤ 10

Approximate

~=

(name~=Kaylie)

Matches similar values to Kaylie

Logical Combination Filters

Name

Operand

Example

Description

AND

&

(&(name=Kaylie)(title=Manager))

Matches both conditions

NOT

!

(!(name=Kaylie))

Excludes name=Kaylie

Boolean Filters

Name

Filter

True

(&)

False

Wildcard Filters

Example

Description

(name=*)

Matches all entries with name attribute

(name=K*)

Matches names starting with K

(name=*a*)

Matches names containing a

4. Common LDAP Attribute Types

Attribute Type

Description

cn

Full Name

givenName

First Name

sn

Last Name

uid

User ID

objectClass

Object Type

distinguishedName

Unique Identifier

ou

Organizational Unit

title

Job Title

telephoneNumber

Phone Number

mail

Email Address

street

Street Address

postalCode

ZIP Code

member

Group Memberships

userPassword

User Password

Key Takeaways

LDAP is a structured query language for directory services.
LDAP Injection occurs when attackers manipulate input to change LDAP query behavior.
Logical operands (&, |, !) allow powerful filtering and are exploitable.
Input sanitization and proper escaping are crucial for preventing LDAP Injection.

PreviousPayloads NextPort Swigger

Last updated 8 days ago