LDAP Injection

LDAP Injection is a vulnerability where user input is incorporated into LDAP (Lightweight Directory Access Protocol) queries without proper sanitization, allowing attackers to modify query logic to bypass authentication or access unauthorized data.

How It Works

LDAP is commonly used for authentication and directory lookups. When applications build LDAP queries using unvalidated user input, attackers can inject LDAP filter syntax to manipulate the query behavior.

Vulnerable Code Example

// Vulnerable LDAP authentication (Java / JNDI): the filter is built by string
// concatenation, so filter metacharacters in username or password are
// interpreted as LDAP filter syntax rather than as literal attribute values.
String filter = "(&(uid=" + username + ")(userPassword=" + password + "))";
NamingEnumeration<SearchResult> results = ctx.search(base, filter, controls);

// Normal query:
// (&(uid=john)(userPassword=secret))

// Injected query:
// Username: john)(&))
// (&(uid=john)(&))(userPassword=anything))
// If the server evaluates only the first complete filter, (&(uid=john)(&)),
// the password check is discarded and the user matches regardless of password.

Common Payloads

# Authentication bypass
Username: *
Password: anything
Query: (&(uid=*)(userPassword=anything))
# Returns all users

# OR injection
Username: john)(|(uid=*
Query: (&(uid=john)(|(uid=*)(userPassword=anything)))
# Always true

# Wildcard enumeration
Username: a*
# Find all users starting with 'a'

Impact

  • Authentication bypass
  • Information disclosure from directory
  • Privilege escalation
  • User enumeration

Special Characters

( ) * \ / NUL - Must be escaped in user input before it is placed in a filter value. RFC 4515 specifies the encoding as a backslash followed by the character's two-digit hex code: ( becomes \28, ) becomes \29, * becomes \2a, \ becomes \5c and NUL becomes \00 (/ is commonly escaped as \2f as well). Values placed in a distinguished name (DN) rather than a filter follow the separate escaping rules of RFC 4514.

See Also