LDAP Injection Attack Principles and Defense
1. Knowledge Point Description
LDAP (Lightweight Directory Access Protocol) is a protocol used to access directory services, commonly employed for enterprise user authentication, organizational information queries, etc. LDAP injection attacks involve constructing malicious inputs to alter the logic of LDAP query statements, thereby bypassing authentication, leaking sensitive data, or damaging the directory structure. Its principle is similar to SQL injection but targets the syntax of LDAP filters.
2. LDAP Query Basics
LDAP queries typically use filter syntax, for example:
- Authentication query:
  (uid=input_username)
- Combined query:
  (&(uid=username)(password=password))
Special characters have logical meaning in LDAP, for example:
- *: wildcard
- ( and ): delimit filter groups
- &: logical AND
- |: logical OR
- !: logical NOT
3. Attack Principles and Examples
Scenario: During user login, the system constructs an LDAP filter to verify identity:
(&(uid=user_input_username)(password=user_input_password))
If the username is admin and the password is secret, the filter becomes:
(&(uid=admin)(password=secret))
Attack Example 1: Bypassing Authentication
The attacker inputs *)(uid=*))(|(uid=* in the username field and any password (e.g., 123), causing the filter to become:
(&(uid=*)(uid=*))(|(uid=*)(password=123))
Parsing result:
- The original filter is split into (&(uid=*)(uid=*)) (always true) and (|(uid=*)(password=123)) (always true), making the overall condition true, thereby bypassing login.
Attack Example 2: Information Disclosure
Enumerating data using the wildcard *:
- Inputting the username a* may return all user entries starting with a, allowing gradual inference of the directory structure.
4. Defense Measures
(1) Input Filtering
- Escape special characters: convert *, (, ), \, etc., into LDAP escape formats (e.g., \2a for *).
- Whitelist validation: restrict the character types allowed in fields like usernames and passwords (e.g., allow only alphanumeric characters).
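The following is an added example (not part of the original page) that applies the two measures above to the login scenario from section 3: it builds the filter both by raw concatenation and with RFC 4515 escaping, adds a whitelist check, and counts top-level filter components to show how the injected input splits the filter. The function names and the username character set are assumptions of this example.

```python
import re

# Added example: RFC 4515 escaping for values placed inside an LDAP filter.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Replace filter metacharacters with their \\XX hex escapes."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter_unsafe(username: str, password: str) -> str:
    """Vulnerable: raw concatenation, as in the section 3 scenario."""
    return f"(&(uid={username})(password={password}))"

def build_login_filter_safe(username: str, password: str) -> str:
    """Hardened: every user-supplied value is escaped before insertion."""
    uid = escape_filter_value(username)
    pwd = escape_filter_value(password)
    return f"(&(uid={uid})(password={pwd}))"

# Whitelist validation (assumed policy): short names, alphanumerics plus . _ -
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

def username_is_allowed(username: str) -> bool:
    """Reject any username containing characters outside the whitelist."""
    return USERNAME_RE.fullmatch(username) is not None

def top_level_components(filt: str) -> int:
    """Count parenthesised groups at nesting depth 0.
    A well-formed filter has exactly one; the injected filter has two."""
    depth = count = 0
    for ch in filt:
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return count

if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"  # constructed: attacker input from Attack Example 1
    print(build_login_filter_unsafe(payload, "123"))  # two top-level groups
    print(build_login_filter_safe(payload, "123"))    # one group, metacharacters escaped
    print(username_is_allowed(payload), username_is_allowed("admin"))
```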
(2) Principle of Least Privilege
- Grant LDAP query accounts only necessary permissions, avoiding wildcard queries for sensitive data.
(3) Parameterized Queries
- Use the parameterized interfaces of LDAP libraries (e.g., parameter binding in Java's DirContext.search) to avoid concatenating filters.
(4) Log Monitoring
- Record anomalous queries (e.g., repeated wildcard requests) to promptly detect attack behavior.
5. Summary
The core risk of LDAP injection lies in untrusted user input being inserted into filters without validation. Defense requires a combination of input validation, permission control, and secure programming practices.