LDAP Injection
ID |
go.ldap_injection |
Severity |
critical |
Resource |
Injection |
Language |
Go |
Tags |
CWE:90, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1 |
Rationale
LDAP Injection is a type of attack that takes advantage of insufficient input validation in LDAP queries. The attacker manipulates these queries by supplying crafted input that can alter the intended execution logic. This is particularly dangerous in systems where LDAP is used for authentication, authorization, or retrieval of sensitive information.
For example, consider the following Golang code that searches for a user in an LDAP directory:
package ldap_injection
import (
"fmt"
"log"
"net/http"
ldap "github.com/go-ldap/ldap/v3"
)
func handleLdapRequest(r *http.Request) {
// Extract the query parameter
userParam := r.URL.Query().Get("example")
// Establish a connection to the LDAP server
connection, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", "ldap.example.com", 389))
if err != nil {
log.Fatal(err)
}
defer connection.Close()
// Prepare the controls for binding
customControls := []ldap.Control{ldap.NewControlBeheraPasswordPolicy()}
// Create the bind request
bindDN := fmt.Sprintf("cn=admin,dc=%s,dc=com", userParam)
bindRequest := ldap.NewSimpleBindRequest(bindDN, "password", customControls)
// Execute the bind operation
result, err := connection.SimpleBind(bindRequest) // FLAW
if err != nil {
log.Println("Bind error:", err)
return
}
log.Println("Bind result:", result)
}In this case, if userParam is not properly validated, an attacker could provide input like )(|(uid=, turning the query into:
(uid=*)(|(uid=*)This effectively broadens the search filter beyond the intended scope, potentially exposing all entries in the directory.
Remediation
To remediate LDAP Injection vulnerabilities in software, you should employ the following best practices:
-
Input Validation: Rigorously verify and validate all user inputs. Ensure the input meets expected formats and does not contain any special characters, unless explicitly allowed.
-
Escaping and Sanitization: Use libraries or built-in functions to escape and sanitize user inputs before incorporating them into LDAP queries. You might consider using helper classes or third-party libraries that automate this process.
-
Parameterized LDAP Queries: Where possible, use parameterized queries or prepared statements for LDAP operations. This approach helps separate user input from command logic, reducing the risk of injection.
-
Least Privilege: Run LDAP queries using an account with the least privileges necessary for the operation. This limits potential exposure if an injection occurs.
-
Regular Security Reviews and Testing: Conduct regular security reviews and utilize SAST to identify potential injections during the development cycle, addressing them before code reaches production.
By following these steps, you can significantly reduce the risk of LDAP Injection vulnerabilities in your applications, thereby enhancing the security and integrity of your systems.
Configuration
The detector has the following configurable parameters:
-
sources, that indicates the source kinds to check. -
neutralizations, that indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
-
CWE-90 : Improper Neutralization of Special Elements Used in an LDAP Query ('LDAP Injection').
-
OWASP - Top 10 2021 Category A03 : Injection.