LDAP Injection

High Web Application Scanning Plugin ID 98127

Synopsis

LDAP Injection

Description

Lightweight Directory Access Protocol (LDAP) is used by web applications to access
and maintain directory information services.

One of the most common uses for LDAP is to provide a Single-Sign-On (SSO) service
that will allow clients to authenticate with a web site without any interaction
(assuming their credentials have been validated by the SSO provider).

LDAP injection occurs when untrusted data is used by the web application to query
the LDAP directory without prior sanitisation.

This is a serious security risk, as it could allow an attacker to query, modify,
or remove anything in the LDAP tree. It can also serve as the foothold for other,
more advanced injection techniques that lead to more serious attacks.

The scanner was able to detect a page that is vulnerable to LDAP injection based on
known error messages.

Solution

It is recommended that untrusted data is never used to form an LDAP query.

To validate data, the application should ensure that the supplied value contains only the characters that are required to perform the required action. For example, where a username is required, no non-alphanumeric characters should be accepted.

If this is not possible, special characters should be escaped so they are treated as literal data. The following characters should be escaped with a `\`:

* `&`
* `!`
* `|`
* `=`
* `<`
* `>`
* `,`
* `+`
* `-`
* `'`
* `;`

Additional character filtering must be applied to:

* `(`
* `)`
* `\`
* `/`
* `*`
* `NULL`

These characters require ASCII escaping: rather than a simple backslash prefix, each is replaced by a backslash followed by the two-digit hexadecimal ASCII code of the character (for example `\2a` for `*`), as defined for LDAP search filters in RFC 4515.

See Also

https://www.owasp.org/index.php/LDAP_injection

Plugin Details

Severity: High

ID: 98127

Type: remote

Family: Injection

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Reference Information