LDAP Injection

python.ldap_injection

Severity

critical

Resource

Injection

Language

Python

Description

Improper neutralization of special elements used in an LDAP query ('LDAP Injection').

Rationale

LDAP Injection is a type of attack that takes advantage of insufficient input validation in LDAP queries. The attacker manipulates these queries by supplying crafted input that can alter the intended execution logic. This is particularly dangerous in systems where LDAP is used for authentication, authorization, or retrieval of sensitive information.

Consider the following vulnerable code snippet:

from ldap3 import Server, Connection, ALL

server = Server('ldap://example.com', get_info=ALL)
conn = Connection(server, 'cn=admin,dc=example,dc=com', 'password', auto_bind=True)

username = input("Enter your username: ")
search_filter = f"(uid={username})"
conn.search('dc=example,dc=com', search_filter, attributes=['cn', 'mail'])

If a user inputs something like )(|(uid=)), the constructed query becomes: (uid=)(|(uid=))

This broadens the search to return all users, effectively bypassing the intended access control.

The danger is amplified when such queries are used for authentication or authorization checks, leading to privilege escalation or unauthorized access.

Remediation

To remediate LDAP Injection vulnerabilities in software, you should employ the following best practices:

Input Validation: Rigorously verify and validate all user inputs. Ensure the input meets expected formats and does not contain any special characters, unless explicitly allowed.
Escaping and Sanitization: Use libraries or built-in functions to escape and sanitize user inputs before incorporating them into LDAP queries. You might consider using helper classes or third-party libraries that automate this process.
Parameterized LDAP Queries: Where possible, use parameterized queries or prepared statements for LDAP operations. This approach helps separate user input from command logic, reducing the risk of injection.
Least Privilege: Run LDAP queries using an account with the least privileges necessary for the operation. This limits potential exposure if an injection occurs.
Regular Security Reviews and Testing: Conduct regular security reviews and utilize SAST to identify potential injections during the development cycle, addressing them before code reaches production.

By following these steps, you can significantly reduce the risk of LDAP Injection vulnerabilities in your applications, thereby enhancing the security and integrity of your systems.

Here’s the secure version of the earlier example:

import ldap.filter
from ldap3 import Server, Connection, ALL

server = Server('ldap://example.com', get_info=ALL)
conn = Connection(server, 'cn=admin,dc=example,dc=com', 'password', auto_bind=True)

username = input("Enter your username: ")
safe_username = ldap.filter.escape_filter_chars(username)
search_filter = f"(uid={safe_username})"
conn.search('dc=example,dc=com', search_filter, attributes=['cn', 'mail'])

This escapes characters such as *, (, ), and |, preventing injection.

Additional recommendations: - Validate and constrain input using whitelisting approaches where possible. - Use least privilege principles to limit LDAP account access. - Log and monitor LDAP queries for anomalies.

Always review your SAST tool’s rule set for LDAP Injection to ensure it flags dynamic LDAP filter construction and recommends appropriate escaping and validation mechanisms.

Configuration

The detector has the following configurable parameters:

sources, that indicates the source kinds to check.
neutralizations, that indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References

CWE-90 : Improper Neutralization of Special Elements Used in an LDAP Query ('LDAP Injection').
OWASP - Top 10 2021 Category A03 : Injection.