LDAP Injection

Notes on LDAP Injection and LDAP Fundamentals

1. Introduction to LDAP Injection

  • LDAP (Lightweight Directory Access Protocol) is used for accessing directory servers such as Active Directory (AD).

  • Web applications integrate LDAP for authentication and data retrieval.

  • LDAP Injection occurs when unsanitized user input is inserted into LDAP queries, leading to authentication bypass, data leakage, and privilege escalation.


2. LDAP Foundations

Key LDAP Terminology

  • Directory Server (DS): A database-like system storing directory data (e.g., OpenLDAP).

  • LDAP Entry: The basic data unit in LDAP containing:

    • Distinguished Name (DN): Unique identifier (e.g., uid=admin,dc=example,dc=com).

    • Attributes: Data fields (e.g., uid, cn, mail).

    • Object Classes: Define the entry type and which attributes it may carry (e.g., Person, Group).

LDAP Operations

  • Bind: Authentication with the directory server.

  • Unbind: Close the client connection.

  • Add: Create a new entry.

  • Delete: Remove an entry.

  • Modify: Update an entry.

  • Search: Query directory entries.


3. LDAP Search Filter Syntax

  • LDAP queries use search filters enclosed in parentheses ().

  • Filters consist of an attribute, an operand, and a value.

Base Operand Filters

  Name          Operand   Example           Description
  Equality      =         (name=Kaylie)     Matches name=Kaylie
  Greater-Than  >=        (uid>=10)         Matches uid ≥ 10
  Less-Than     <=        (uid<=10)         Matches uid ≤ 10
  Approximate   ~=        (name~=Kaylie)    Matches values similar to Kaylie

Logical Combination Filters

  Name   Operand   Example                            Description
  AND    &         (&(name=Kaylie)(title=Manager))    Matches both conditions
  OR     |         (|(name=Kaylie)(title=Manager))    Matches either condition
  NOT    !         (!(name=Kaylie))                   Excludes name=Kaylie

Boolean Filters

  Name    Filter
  True    (&)
  False   (|)

Wildcard Filters

  Example      Description
  (name=*)     Matches all entries that have a name attribute
  (name=K*)    Matches names starting with K
  (name=*a*)   Matches names containing a


4. Common LDAP Attribute Types

  Attribute Type       Description
  cn                   Full Name
  givenName            First Name
  sn                   Last Name
  uid                  User ID
  objectClass          Object Type
  distinguishedName    Unique Identifier
  ou                   Organizational Unit
  title                Job Title
  telephoneNumber      Phone Number
  mail                 Email Address
  street               Street Address
  postalCode           ZIP Code
  member               Group Memberships
  userPassword         User Password


Key Takeaways

  • LDAP is a protocol with a structured filter syntax for querying directory services.

  • LDAP Injection occurs when attackers manipulate input to change LDAP query behavior.

  • Logical operands (&, |, !) and the wildcard * allow powerful filtering, and they are exactly what injected input is used to smuggle into a query.

  • Input sanitization and proper escaping are crucial for preventing LDAP Injection.
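As an added example (not part of the original notes), here is a small Python model of the filter syntax from section 3 and the escaping recommended in the takeaways: it escapes user input per RFC 4515, parses the logical and wildcard filters above, and evaluates them against a constructed in-memory directory so the effect of an unescaped * in a login filter can be seen. The login_filter_unsafe, login_filter_safe, parse_filter, matches and search names and the sample entries are assumptions made for this example, not from any LDAP library.

```python
import re

def escape_filter_value(value: str) -> str:
    # RFC 4515: backslash, *, (, ) and NUL in an assertion value become \xx hex escapes.
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def unescape_filter_value(value: str) -> str:   # "\2a" -> a literal "*", never a wildcard
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def login_filter_unsafe(uid: str, pw: str) -> str:   # vulnerable: raw input concatenated
    return f"(&(uid={uid})(userPassword={pw}))"

def login_filter_safe(uid: str, pw: str) -> str:     # hardened: every value escaped first
    return f"(&(uid={escape_filter_value(uid)})(userPassword={escape_filter_value(pw)}))"

def parse_filter(s: str, i: int = 0):
    # Parses (&...), (|...), (!...) and (attr=value); returns (node, index after it).
    if s[i] != '(':
        raise ValueError('filter must start with "("')
    i += 1
    if s[i] in '&|!':
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1                     # skip the closing ")"
    j = s.index(')', i)
    attr, val = s[i:j].split('=', 1)
    return ('=', attr, val), j + 1

def matches(node, entry: dict) -> bool:
    op = node[0]
    if op == '&':
        return all(matches(k, entry) for k in node[1])   # (&) is always true
    if op == '|':
        return any(matches(k, entry) for k in node[1])   # (|) is always false
    if op == '!':
        return not matches(node[1][0], entry)
    _, attr, val = node
    if attr not in entry:
        return False
    regex = '.*'.join(re.escape(unescape_filter_value(p)) for p in val.split('*'))
    return re.fullmatch(regex, entry[attr]) is not None

# Constructed sample entries, not real data (a real app should bind with the password).
DIRECTORY = [{"uid": "kaylie", "userPassword": "s3cret", "title": "Manager"},
             {"uid": "admin", "userPassword": "hunter2", "title": "Director"}]

def search(filter_str: str) -> list:
    node, _ = parse_filter(filter_str)
    return [e["uid"] for e in DIRECTORY if matches(node, e)]
```

With uid and password both set to *, search(login_filter_unsafe(...)) returns every entry because * is read as a wildcard, while search(login_filter_safe(...)) returns nothing because the escaped \2a is matched as a literal asterisk.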
