# LDAP Injection

#### **Notes on LDAP Injection and LDAP Fundamentals**

**1. Introduction to LDAP Injection**

* **LDAP (Lightweight Directory Access Protocol)** is used for accessing directory servers such as **Active Directory (AD)**.
* Web applications integrate LDAP for **authentication** and **data retrieval**.
* **LDAP Injection** occurs when unsanitized user input is inserted into LDAP queries, leading to **authentication bypass, data leakage, and privilege escalation**.

***

**2. LDAP Foundations**

**Key LDAP Terminology**

* **Directory Server (DS):** A database-like system storing directory data (e.g., OpenLDAP).
* **LDAP Entry:** The basic data unit in LDAP containing:
  * **Distinguished Name (DN):** Unique identifier (e.g., `uid=admin,dc=example,dc=com`).
  * **Attributes:** Data fields (e.g., `uid`, `cn`, `mail`).
  * **Object Classes:** Define the entry's type and which attributes it may carry (e.g., `person`, `group`).

**LDAP Operations**

* **Bind:** Authentication with the directory server.
* **Unbind:** Close the client connection.
* **Add:** Create a new entry.
* **Delete:** Remove an entry.
* **Modify:** Update an entry.
* **Search:** Query directory entries.

***

**3. LDAP Search Filter Syntax**

* **LDAP queries use search filters** enclosed in parentheses `()`.
* Filters consist of an **attribute, an operand, and a value**.

**Base Operand Filters**

| Name             | Operand | Example          | Description                        |
| ---------------- | ------- | ---------------- | ---------------------------------- |
| **Equality**     | `=`     | `(name=Kaylie)`  | Matches `name=Kaylie`              |
| **Greater-or-Equal** | `>=`    | `(uid>=10)`      | Matches `uid` ≥ 10                 |
| **Less-or-Equal**    | `<=`    | `(uid<=10)`      | Matches `uid` ≤ 10                 |
| **Approximate**  | `~=`    | `(name~=Kaylie)` | Matches similar values to `Kaylie` |

**Logical Combination Filters**

| Name    | Operand | Example                           | Description             |
| ------- | ------- | --------------------------------- | ----------------------- |
| **AND** | `&`     | `(&(name=Kaylie)(title=Manager))` | Matches both conditions |
| **OR**  | `\|`    | `(\|(name=Kaylie)(title=Manager))` | Matches either condition |
| **NOT** | `!`     | `(!(name=Kaylie))`                | Excludes `name=Kaylie`  |

**Boolean Filters**

| Name      | Filter |
| --------- | ------ |
| **True**  | `(&)`  |
| **False** | `(\|)` |

**Wildcard Filters**

| Example      | Description                               |
| ------------ | ----------------------------------------- |
| `(name=*)`   | Matches all entries with `name` attribute |
| `(name=K*)`  | Matches names starting with `K`           |
| `(name=*a*)` | Matches names containing `a`              |
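To make the semantics of the three tables above concrete, here is a small filter evaluator, added as an example and not part of the original notes. It parses a filter string into a tree and runs it against a constructed in-memory directory, so you can see that `(&)` matches everything, `(|)` matches nothing, `*` is a wildcard only when unescaped (`\2a` is a literal asterisk), and an absent attribute never matches. The directory entries, attribute names and the case-insensitive matching rule are assumptions for the example; the evaluator is not a full RFC 4515 parser.

```python
import re

# Added example (not from the original notes): a minimal evaluator for LDAP
# search filters covering =, >=, <=, ~=, &, |, !, wildcards and \XX escapes.
# It is not a complete RFC 4515 parser (no extensible-match filters, etc.).


def parse_filter(text):
    """Parse a complete filter string into a nested tuple tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        if op == "!" and len(children) != 1:
            raise ValueError("NOT takes exactly one filter")
        return (op, children), i + 1
    # Simple item: attribute, operand, value. An unescaped ')' cannot occur in
    # a value (it must be written \29), so the first ')' ends the item.
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unterminated filter item")
    m = re.fullmatch(r"([A-Za-z][A-Za-z0-9;.-]*)(>=|<=|~=|=)(.*)", s[i:end])
    if not m:
        raise ValueError("bad filter item: %r" % s[i:end])
    attr, op, value = m.groups()
    return (op, attr.lower(), value), end + 1


def _unescape(value):
    """Turn RFC 4515 \\XX hex escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _wildcard_match(pattern, text):
    # An unescaped '*' matches any run of characters; everything else is
    # literal. Case-insensitive, as name attributes usually are (caseIgnoreMatch).
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), text, re.IGNORECASE) is not None


def _compare(a, b):
    """Three-way compare; numeric when both sides are integers."""
    try:
        a, b = int(a), int(b)
    except ValueError:
        pass
    return (a > b) - (a < b)


def evaluate(node, entry):
    """True if the entry (dict: attribute -> list of values) matches the tree."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])  # (&) is always True
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])  # (|) is always False
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    for v in entry.get(attr, []):  # absent attribute never matches, even (attr=*)
        if op == "=" and _wildcard_match(value, v):
            return True
        # Approximate match is server-defined; treated as case-insensitive equality here.
        if op == "~=" and _unescape(value).lower() == v.lower():
            return True
        if op == ">=" and _compare(v, _unescape(value)) >= 0:
            return True
        if op == "<=" and _compare(v, _unescape(value)) <= 0:
            return True
    return False


# Constructed sample directory (not real data); attribute names are lower-case.
DIRECTORY = [
    {"uid": ["kaylie"], "name": ["Kaylie"], "title": ["Manager"], "uidnumber": ["12"]},
    {"uid": ["bob"], "name": ["Bob"], "title": ["Engineer"], "uidnumber": ["8"]},
    {"uid": ["karen"], "name": ["Karen"], "title": ["Manager"], "uidnumber": ["20"]},
]


def search(filter_text, entries=DIRECTORY):
    """Return the uid of every entry the filter matches, in directory order."""
    tree = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if evaluate(tree, e)]


if __name__ == "__main__":
    for f in ["(name=Kaylie)", "(uidnumber>=10)", "(&(name=K*)(title=Manager))",
              "(|(name=Bob)(name=Kaylie))", "(!(name=Kaylie))", "(&)", "(|)",
              "(name=*a*)", r"(name=\2a)"]:
        print("%-32s -> %s" % (f, search(f)))
```

Run it and compare each filter with the tables: the tautology `(&)` and contradiction `(|)` are the filters a defender should expect to see when input reaches a query unescaped, and the `\2a` case shows why escaping the asterisk changes a wildcard back into a plain character.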

***

**4. Common LDAP Attribute Types**

| Attribute Type      | Description         |
| ------------------- | ------------------- |
| `cn`                | Full Name           |
| `givenName`         | First Name          |
| `sn`                | Last Name           |
| `uid`               | User ID             |
| `objectClass`       | Object Type         |
| `distinguishedName` | Unique Identifier   |
| `ou`                | Organizational Unit |
| `title`             | Job Title           |
| `telephoneNumber`   | Phone Number        |
| `mail`              | Email Address       |
| `street`            | Street Address      |
| `postalCode`        | ZIP Code            |
| `member`            | Group Memberships   |
| `userPassword`      | User Password       |

***

#### **Key Takeaways**

* LDAP is a protocol with a **structured search-filter syntax** for querying directory services.
* **LDAP Injection occurs** when attackers manipulate input to change LDAP query behavior.
* **Logical operands (`&`, `|`, `!`)** allow powerful filtering and change the meaning of a query when user input can supply them unescaped.
* **Input sanitization** and **proper escaping** are crucial for preventing LDAP Injection.
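As an added example of the escaping the takeaways call for (not code from the original notes), the following shows the vulnerable and the hardened way to build a login lookup filter, plus a separate escaper for DN components, because a filter value and a DN value follow different escaping rules (RFC 4515 section 3 versus RFC 4514 section 2.4). The filter shape, the base DN `ou=people,dc=example,dc=com` and the username allowlist pattern are assumptions for the example.

```python
import re

# Added example (not from the original notes): escape untrusted input for the
# exact context it is inserted into. Filter values and DN values differ.

# RFC 4515: these characters must be written as a backslash and two hex digits.
FILTER_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter assertion."""
    out = []
    for ch in value:
        if ch in FILTER_ESCAPES:
            out.append(FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are written as the hex of their UTF-8 bytes.
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# RFC 4514: these are escaped with a backslash inside a DN attribute value,
# as are a leading '#', a leading or trailing space, and NUL.
DN_SPECIALS = set('"+,;<>\\')


def escape_dn_value(value):
    """Escape an attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in DN_SPECIALS or (i == 0 and ch == "#") or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


# Assumed values for the example; a real deployment has its own base DN and policy.
BASE_DN = "ou=people,dc=example,dc=com"
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_plausible_username(username):
    """Allowlist check applied before the query is built; an extra layer, not a substitute for escaping."""
    return USERNAME_RE.match(username) is not None


def build_user_filter_unsafe(username):
    # Vulnerable form: raw interpolation, so filter metacharacters in the
    # username change the structure of the query rather than its value.
    return "(&(uid=%s)(objectClass=person))" % username


def build_user_filter(username):
    # Hardened form: whatever the username contains, it stays a single value.
    return "(&(uid=%s)(objectClass=person))" % escape_filter_value(username)


def build_user_dn(username):
    """DN for a bind, using DN escaping rather than filter escaping."""
    return "uid=%s,%s" % (escape_dn_value(username), BASE_DN)


if __name__ == "__main__":
    for name in ["kaylie", "kaylie*", "Smith, John"]:
        print(is_plausible_username(name), build_user_filter_unsafe(name))
        print(build_user_filter(name), build_user_dn(name))
```

Note that escaping alone keeps the query's structure intact; the allowlist adds a second, independent check that also gives you a clean signal to log and alert on when it fails. Use your LDAP library's own escaping helpers where it provides them, and apply the DN escaper only to DN components, never to filter values.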
