Lightweight Directory Access Protocol
LDAP (Lightweight Directory Access Protocol) is a software protocol, commonly used in colleges and startups, that lets anyone locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
A common use of LDAP is to provide a central place to store usernames and passwords. This allows many different applications and services to connect to the LDAP server to validate users.
My college LDAP:
Major operations which can be performed in this protocol:
- Add : add a new entry to the directory
- Bind (authenticate) : the client authenticates to the server here; the security of the session is established in this step
- Delete : delete an entry from the directory
- Search and Compare : the Search operation is used both to search for and to read entries
- Modify : the Modify operation is used by LDAP clients to request that the LDAP server make changes to existing entries
- Unbind : close the connection
Simple directory entry with several attributes:
dn: cn=akash sharan, dc=example, dc=com
objectClass: organizationalStudent
cn: akash sharan
An LDAP uniform resource identifier (URI) scheme exists, which clients support in varying degrees, and servers return in referrals and continuation references.
LDAP URI syntax :
ldap://host:port/DN?attributes?scope?filter?extensions
Example: ldap://ldap.example.com/cn=akash%20sharan, dc=example, dc=com
- host - the host name or IP address of the LDAP server
- DN - the distinguished name to use as the search base, for example cn=John Doe, dc=example, dc=com
- attributes - a comma-separated list of attributes to retrieve
- scope - the search scope, which can be "base" (the default), "one" or "sub"
- filter - a search filter
- extensions - extensions to the LDAP URL format
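The URL components listed above can be pulled apart mechanically. The parser below is an added example, not code from the original article: it splits an ldap:// or ldaps:// URL into host, port, base DN, attribute list, scope, filter and extensions following the RFC 4516 layout, applies the defaults the article names (scope "base", default port 389 or 636, and the "(objectClass=*)" filter that RFC 4516 specifies when the filter part is empty), and rejects unknown scopes. The sample URLs in the `__main__` block are constructed for illustration; bracketed IPv6 hosts are not handled.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote

# Default ports per scheme (RFC 4516 / RFC 4513).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = {"base", "one", "sub"}


@dataclass
class LdapUrl:
    """The pieces of ldap://host:port/DN?attributes?scope?filter?extensions."""
    scheme: str
    host: str
    port: int
    dn: str
    attributes: list = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: list = field(default_factory=list)


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP URL into its components, applying the standard defaults.

    Raises ValueError for a non-LDAP scheme, too many '?' separated parts,
    a non-numeric port or an unknown scope.
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("expected an ldap:// or ldaps:// URL")

    # Everything before the first '/' is host[:port]; the rest is the
    # '?'-separated DN, attributes, scope, filter and extensions.
    hostport, _, path = rest.partition("/")
    host, _, port_text = hostport.partition(":")
    port = int(port_text) if port_text else DEFAULT_PORTS[scheme]

    parts = path.split("?")
    if len(parts) > 5:
        raise ValueError("too many '?' separated components")
    parts += [""] * (5 - len(parts))
    # Each component is percent-decoded separately (e.g. %20 -> space in the DN).
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts)

    scope = scope.lower() or "base"
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown scope {scope!r}")

    return LdapUrl(
        scheme=scheme,
        host=host,
        port=port,
        dn=dn,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope,
        filter=filt or "(objectClass=*)",
        extensions=[e for e in exts.split(",") if e],
    )


if __name__ == "__main__":
    # Constructed sample URLs: the article's example and a fully specified one.
    for sample in [
        "ldap://ldap.example.com/cn=akash%20sharan,dc=example,dc=com",
        "ldaps://ldap.example.com:10636/dc=example,dc=com?cn,mail?sub?(cn=akash*)?x-example=1",
    ]:
        print(parse_ldap_url(sample))
```

Note that the scope, attribute list and filter all default when their part is empty, so a URL with just a host and DN is a base-scope read of that one entry. A parser that is used to build a real search request should additionally escape the decoded DN and filter before reuse, since percent-decoding can reintroduce characters such as "(" and "*".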
LDAP Injection
LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements from user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements through techniques similar to SQL Injection.
Normal Operation:
Operation with Code Injection:
LDAP injection examples:
For the user search, the following code takes the username entered in the search box and builds the LDAP query that will be executed in the backend:
String ldapSearchQuery = "(cn=" + userName + ")";   // userName is taken straight from the request
System.out.println(ldapSearchQuery);
If the variable userName is not validated, LDAP injection is possible, as follows:
If a user enters "*" in the search box, the system may return all the usernames in the LDAP base. If a user enters "akash) (| (password = * ) )", it will generate the filter below, revealing akash's password: ( cn = akash ) ( | (password = * ) )
Prevention
- Input Validation : All user-supplied input must be sanitized. It should be free of suspicious characters and strings that could be malicious. There are OWASP APIs that help defend against this vulnerability, such as:
- esapi-java
- C# AntiXSS functions including Encoder.LdapFilterEncode(string), Encoder.LdapDistinguishedNameEncode(string) and Encoder.LdapDistinguishedNameEncode(string, bool, bool).
Here is an escaping routine for the search filter used in the query above:
public static final String escapeLDAPSearchFilter(String filter)
{
    // If using JDK >= 1.5 consider using StringBuilder
    StringBuffer sb = new StringBuffer();
    for (int i = 0; i < filter.length(); i++) {
        char curChar = filter.charAt(i);
        // Replace the characters that have meaning in an LDAP search filter
        // with their RFC 4515 "\XX" hex escapes.
        switch (curChar) {
            case '\\':
                sb.append("\\5c");
                break;
            case '*':
                sb.append("\\2a");
                break;
            case '(':
                sb.append("\\28");
                break;
            case ')':
                sb.append("\\29");
                break;
            case '\u0000':
                sb.append("\\00");
                break;
            default:
                sb.append(curChar);
        }
    }
    return sb.toString();
}
- Safe Configuration : Safeguard sensitive information when setting permissions on user objects. This is all the more important when the directory is used by an application for its login process. Limits and restrictions should be applied when setting up LDAP in an organisation.
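To make the injection example and the escaping defence concrete, here is an added example that is not part of the original article. It builds the filter the same way the article's Java snippet does (raw input pasted in), builds it again through an escaping function equivalent to the article's escapeLDAPSearchFilter(), and then parses both results with a minimal RFC 4515 filter parser so you can see what the directory server would actually evaluate: the raw version of the article's "akash) (| (password = * ) )" input turns into two filter items touching two attributes, while the escaped version stays a single lookup on cn. The user inputs are constructed; the parser is a deliberately small one that handles only the exact strings the builders produce (no whitespace, no extensible-match syntax).

```python
# Escape table from RFC 4515 section 3: the same five characters that the
# article's Java escapeLDAPSearchFilter() handles.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value that will be embedded in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(user_name: str) -> str:
    """Same construction as the article's Java snippet: raw input pasted in."""
    return "(cn=" + user_name + ")"


def safe_filter(user_name: str) -> str:
    """The hardened form: the value is escaped before being embedded."""
    return "(cn=" + escape_filter_value(user_name) + ")"


def parse_filters(text: str) -> list:
    """Parse a run of filters. Returns a list of trees: ("cmp", attribute, value)
    for a simple item, or (op, [children]) for '&', '|' and '!'. Escaped values
    are kept as written, so '\\29' never closes an item."""
    items, pos = [], 0
    while pos < len(text):
        node, pos = _parse_one(text, pos)
        items.append(node)
    return items


def _parse_one(text: str, pos: int) -> tuple:
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        op = {"&": "and", "|": "or", "!": "not"}[text[pos]]
        pos += 1
        children = []
        while pos < len(text) and text[pos] != ")":
            child, pos = _parse_one(text, pos)
            children.append(child)
        if pos >= len(text):
            raise ValueError("unterminated compound filter")
        return (op, children), pos + 1
    end = text.find(")", pos)  # an escaped ')' is '\29', so this is the real close
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, _, value = text[pos:end].partition("=")
    return ("cmp", attr, value), end + 1


def attributes_referenced(text: str) -> set:
    """Every attribute the filter touches: a defender's sanity check that a
    username lookup is still only a username lookup."""
    found = set()

    def walk(node):
        if node[0] == "cmp":
            found.add(node[1])
        else:
            for child in node[1]:
                walk(child)

    for item in parse_filters(text):
        walk(item)
    return found


if __name__ == "__main__":
    # Constructed inputs mirroring the article's two examples.
    for user_input in ["*", "akash)(|(password=*)"]:
        raw, escaped = vulnerable_filter(user_input), safe_filter(user_input)
        print("input     :", user_input)
        print("raw       :", raw, "->", parse_filters(raw), attributes_referenced(raw))
        print("escaped   :", escaped, "->", parse_filters(escaped), attributes_referenced(escaped))
```

The parse tree is the useful part: a filter built from escaped input always has exactly one top-level item and references only the attribute the code intended, whatever the user typed. The same property is what a detection rule or a unit test can check on the application side.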
References
https://www.owasp.org/index.php/LDAP_Injection_Prevention_Cheat_Sheet
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
http://www.faqs.org/rfcs/rfc2254.html
This article is contributed by Akash Sharan.