Introduction

In current time, Cyber world is passing from the bad phase; cyber attackers have put security experts and firms in a wakeful situation. Whether it is SQL attack, DDoS attack, Buffer Overflow or any well known attack, all these attacks have done a lot of damage to many organizations either by swiping customer’s data or by exploiting the system in an unlawful way. Today in this piece of information, we will know about one of the most well known LDAP (Lightweight Directory Access Protocol) attack in which an attacker may alter LDAP statements with a local proxy to carry out random commands.

Overview

Lightweight Directory Access Protocol (LDAP) maintains an open directory information service over the internet protocol. It is clear that directory services shares the information about users, systems, networks, and services and thus contributes in intranet and relevant application development. For example, such directory keeps records of corporate email directory in a hierarchy like a landline phone directory. The description language used in LDAP is ASN.1 and works as per x.500 networking standard. LDAP provides “single sign on (SSO)” which is a property of multiple access control that allows users to access all the systems without asking for login information everytime.

What is LDAP Injection?

LDAP injection is used to exploit website that builds LDAP, which manipulates the web applications that use client-supplied data in LDAP statements without first removing possible unsafe characters from the request. When a web application fails to clean user-supplied input, it allows an attacker to intercept and change the details lies in LDAP statement. An attacker can change the configuration of LDAP statement using local proxy, but the process will run normally by granting permissions to unofficial queries. This technique works similar to SQL injection attack. The reason for such exploits is the fact that security is not correctly underlined in application development.

Example of LDAP Injection

LDAP occurs when an application either is web or desktop sends user supplied data to the LDAP interpreter resides within the filter options of the statement. For example, in a company where employees do reports to their manager named James Moore; when you search for employees who report to the manager, the code will look like the following:

(Manager=Moore, James)

However, when an LDAP injection attack is done, the above code will look like the following:

... 
DirectorySearcher src = 
new DirectorySearcher("(manager=" + managerName.Text + ")");
 src.SearchRoot = de; 
src.SearchScope = SearchScope.Subtree;
 foreach(SearchResult res in src.FindAll()) {
 ...
 }

From the above script, the manager’s name can be recognized from HTML string that seems untrusted. The filter works on content base query string and user input string. If a hacker replaces the manager name in a query string then, it will show as follows:

(manager=Hacker, Wiley)(|(objectclass=*))

Preventing LDAP Injection

There are mechanisms used to avert LDAP injection attacks including advanced input validation, source code analysis, and dynamic checks. The communication sends from the client to the server includes special characters in the parameters. It is necessary to check and sanitize variables used in LDAP attack. In LDAP, user inputs must be sanitized on server-side before it passes to the LDAP interpreter. There are three common techniques, which can prevent LDAP injection attack.

Incoming Data Validation
In incoming Data validation, all client supplied data including strings and character is sanitized properly. This process should include all applications along with applications that are used for LDAP queries. It will remove all unwanted characters and will retain only characters that you want.
Outgoing Data Validation
All data returned to the user should be suitably confirmed and the amount of data delivered by the queries should be controlled as an extra layer of security. This way, you can control input and output data validation successively.
LDAP Configuration
It is necessary to keep strict control standards for LDAP directory data especially, when an application has single sign-on feature. You should restrict the user from modifying objectclass; however, allow users to change their access level. The level of application related to connection with LDAP server should be restricted so an attacker could not damage the data.

Save your Data from LDAP Injection Attack