CWE Glossary
- CWE-22: Path Traversal
- CWE-78: OS Command Injection
- CWE-79: Cross-Site Scripting
- CWE-89: SQL Injection
- CWE-90: LDAP Injection
- CWE-91: XML Injection
- CWE-94: Code Injection
- CWE-98: PHP File Inclusion
- CWE-113: HTTP Response Splitting
- CWE-119: Buffer Errors
- CWE-130: Improper Handling of Length Parameter Inconsistency
- CWE-193: Off-by-one Error
- CWE-200: Information Exposure
- CWE-211: Information Exposure Through Externally-Generated Error Message
- CWE-236: Improper Handling of Undefined Parameters
- CWE-276: Incorrect Default Permissions
- CWE-284: Improper Access Control
- CWE-285: Improper Authorization
- CWE-287: Improper Authentication
- CWE-297: Improper Validation of Certificate with Host Mismatch
- CWE-306: Missing Authentication for Critical Function
- CWE-312: Cleartext Storage of Sensitive Information
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-352: Cross-Site Request Forgery
- CWE-384: Session Fixation
- CWE-427: Uncontrolled Search Path Element
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-476: NULL Pointer Dereference
- CWE-521: Weak Password Requirements
- CWE-601: Open Redirect
- CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
- CWE-613: Insufficient Session Expiration
- CWE-618: Exposed Unsafe ActiveX Method
- CWE-671: Lack of Administrator Control over Security
- CWE-798: Use of Hard-coded Credentials
- CWE-799: Improper Control of Interaction Frequency
- CWE-822: Untrusted Pointer Dereference
- CWE-835: Infinite Loop
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-942: Overly Permissive Cross-domain Whitelist
CWE is a trademark of the MITRE Corporation.
LDAP Injection [CWE-90]
LDAP Injection weakness describes improper neutralization of special elements used in LDAP queries.
Created: February 23, 2013
Latest Update: December 28, 2020
Table of Content
- Description
- Potential impact
- Attack patterns
- Affected software
- Mitigations
- Severity and CVSS Scoring
- References
Want to have an in-depth understanding of all modern aspects of LDAP Injection [CWE-90]? Read carefully this article and bookmark it to get back later, we regularly update this page.
1. Description
This weakness describes a case where software does not properly validate external input before using it to construct LDAP queries. As a result, an attacker might be able to inject and execute arbitrary LDAP commands within the directory server.
Let's assume we have a simple front-end application that performs search in Active Directory on provided login and outputs information. Our script consist of two parts: html form and PHP code:
HTML form
- <form method="post" action="">
- <p>Login: <input type="text" name="user" value=""></p>
- <p>Password: <input type="password" name="pass" value=""></p>
- <p>Search for: <input type="text" name="login"></p>
- <input type=submit name="submit" value="Enter">
- </form>
PHP script
- <?
- ...
- $username = htmlspecialchars(trim($_POST["user"]));
- $upasswd = htmlspecialchars(trim($_POST["pass"]));
- $ldapbind = ldap_bind($ds, $username, $upasswd);
- if ($ldapbind):
- $filter="(&(objectClass=user)(sAMAccountName=".htmlspecialchars($_REQUEST["login"])."))";
- if (!($search=@ldap_search($ds, $ldapconfig['basedn'], $filter))) {
- echo("Unable to search ldap server<br>");
- echo("msg:'".ldap_error($ds)."'</br>");#check the message again
- }
- else {
- $number_returned = ldap_count_entries($ds,$search);
- $info = ldap_get_entries($ds, $search);
- echo "<p>The number of entries returned is ". $number_returned."<p><pre>";
- for ($i=0; $i<$info["count"]; $i++) {
- print_r($info[$i]);
- }
- echo "</pre>";
- }
- endif;
- ?>
The script is intended to output information on user account passed to $_REQUEST["login"]
variable.
A regular LDAP query should look like:
(&(objectClass=user)(sAMAccountName=test_account))
The script however does not escape special symbols, which can be used by an attacker to abuse the functionality and perform arbitrary searches on directory server.
An attacker can modify the LDAP request and construct a new one by replacing the logon name with LDAP commands:
(&(objectClass=user)(sAMAccountName=*)(memberof=CN=Domain Admins,CN=Users,DC=testcompany,DC=local))
Once executed the script will return information on all administrative users in Active Directory.
In our scenario, this weakness can be used by attacker to access potentially sensitive information for later use in other attacks. For example, an attacker can enumerate user accounts and perform a brute-force attack or gain excessive knowledge of network infrastructure, quantity of computers and employees, etc.
2. Potential impact
Depending on the vulnerable application and its functionality, an attacker might be able to gain access to potentially sensitive information, modify or delete data and elevate privileges within the application. In a worst-case scenario this weakness could lead to full system compromise.
3. Attack patterns
Common Attack Pattern Enumeration and Classification (CAPEC) contains exploitation patterns for this weakness:
- CAPEC-136: LDAP Injection
Alternative threat classification from WASC describes this weakness as an attack technique WASC-29 (LDAP Injection).
4. Affected software
Software that uses directory server to store and access information is potentially vulnerable to this weakness. Many corporate applications use SSO functionality based on LDAP and therefore should pay extra attention to security of such software.
5. Mitigations
Protection against LDAP injections requires accurate coding and secure server configuration.
Front-end applications should perform input validation and restrict all potentially malicious symbols. Developers can use regular expressions to validate untrusted input. The following regular expression can limit the scope of potential attacks by allowing only numbers and letters:
/[^0-9a-z]/i
Perform filtration of outgoing data as additional level of security. Do not output information that is not related to application’s functionality.
Implement correct access control on data within the LDAP directory, set appropriate permissions on user objects and disable anonymous access to directory objects.
6. Severity and CVSS Scoring
LDAP injections just like any other code injection weaknesses can influence confidentiality, integrity and availability of the application. Depending on application functionality and usage of LDAP queries, an attacker might be able to read, modify, delete information stored in directory server or even elevate privileges.
In case of information disclosure for unprivileged user, this weakness should be scored as:
5.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N] – Medium severity.
In case of unauthorized data manipulation, this weakness should be scored as:
6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L] – Medium severity.
In case of authentication bypass and privilege escalation, this weakness can be scored as:
9.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] – Critical severity.
7. References
- CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') [cwe.mitre.org]
- Testing for LDAP Injection (OWASP-DV-006) [www.owasp.org]
- LDAP Injection and Mitigation [blogs.msdn.com]
- LDAP Injection: Are your web applications vulnerable? [PDF] [www.networkdls.com]
Copyright Disclaimer: Any above-mentioned content can be copied and used for non-commercial purposes only if proper credit to ImmuniWeb is given.
↑ Back to Top