LDAP Injection
Lightweight Directory Access Protocol (LDAP) is used to access directory servers (e.g., Active Directory, OpenLDAP). Web apps often integrate with LDAP for authentication and lookups. If user input is inserted into LDAP search filters without proper sanitization, LDAP Injection vulnerabilities arise.
LDAP Terminology
Directory Server (DS): stores directory data (e.g., OpenLDAP, AD DS).
Entry: object holding data, with:
  Distinguished Name (DN): unique identifier composed of RDNs (e.g., uid=admin,dc=hackthebox,dc=com).
  Attributes: key → value pairs (e.g., cn, mail, member).
  Object Classes: define required/allowed attributes (e.g., person, group).
Operations: bind (auth), unbind (close), add, delete, modify, search.
LDAP Search Filter Syntax (RFC 4515)
Filters are parenthesized components joined by boolean operators. Base form: (attribute operator value).
Base operators
Equality: = → (name=Kaylie)
Greater-or-equal: >= → (uid>=10)
Less-or-equal: <= → (uid<=10)
Approximate match: ~= → (name~=Kaylie) (implementation-dependent: the server applies the attribute's approximate matching rule, often a phonetic comparison)
Note: >= and <= use the attribute's ordering matching rule; an attribute without one makes the item evaluate as Undefined (RFC 4511), so ordering filters on plain string attributes do not always behave as numeric comparisons.
Boolean composition
AND: & → (&(name=Kaylie)(title=Manager))
OR: | → (|(name=Kaylie)(title=Manager))
NOT: ! → (!(name=Kaylie))
Notes:
AND/OR accept multiple args: (&(...)(...)(...)); NOT takes exactly one.
Constants: True → (&) (empty AND), False → (|) (empty OR)
Wildcards
(name=*) → attribute exists (presence filter)
(name=K*) → starts with K
(name=*a*) → contains a
Common Attribute Types (non-exhaustive)
cn (common name), givenName, sn (surname), uid, objectClass, distinguishedName, ou (organizational unit), title, telephoneNumber, description, mail, street, postalCode, member (group membership), userPassword
For details: RFC 2256 (attribute types) and RFC 4515 (filters).
Injection Risk
Concatenating user input into filters like:
"(&(uid=" + user + ")(userPassword=" + pass + "))"
enables payloads such as:
user = *)(|(uid=*
pass = anything
Resulting filter: (&(uid=*)(|(uid=*)(userPassword=anything)), which matches every entry with a uid (the simplest variant, user = * and pass = *, gives (&(uid=*)(userPassword=*)) and matches every entry that has a password).
Or boolean bypass:
user = admin)(|(objectClass=*
pass = anything
Resulting filter: (&(uid=admin)(|(objectClass=*)(userPassword=anything)); the OR branch is always true, so the admin entry matches whatever the password is.
A payload only works if the final filter is well-formed (balanced parentheses, no empty () component): an RFC 4515 parser rejects a malformed filter and the attempt simply fails, so check the assembled filter before blaming the target.
Mitigations are covered in the prevention note; prefer strict allow-lists and safe filter builders, and escape every user-controlled value per RFC 4515 (\ → \5c, * → \2a, ( → \28, ) → \29, NUL → \00) before it reaches a filter, so that input can only ever be a literal value.