LDAP Injection (CWE-90) is an attack allowing the attacker to modify LDAP queries.
Recently I encountered a nice LDAP injection, and I started asking myself why we hear so little about such vulnerabilities.
I would expect the opposite.
This attack method is less well known to developers than SQL Injection and XSS, and development platforms rarely supply methods for avoiding it, so if the application at hand has LDAP access it is not unlikely to be vulnerable to this kind of injection.
I know: many times it is hard to find and even harder to exploit, which is why these vulnerabilities are often left undiscovered by pen-testers and code reviewers. But I think it is worth the effort, as a successful attack may lead to a complete system compromise.
What is your best practice to avoid LDAP injections in your development platform? How do you test for the existence of it in an application?
Here is some Java code I found that seems to be vulnerable. Is that so? How? Why/Why not?
How would you do it better?
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Assume that var1 and var3 are predefined consts,
// and var2 is assigned a value fully controllable by the user.
// env is the JNDI environment (provider URL, context factory, credentials).
DirContext ctx = new InitialDirContext(env);
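The following is an added, self-contained example and is not the asker's code or the rest of the snippet above. It assumes var1 is the attribute being searched (here `uid`) and var3 is a fixed clause the match must also satisfy (here a `memberOf` group check); both values, the base DN, the class name and the injection payload are constructed for illustration. It shows the filter the vulnerable concatenation produces for a classic payload, the same filter with the value escaped per RFC 4515, and the JNDI `{0}`/filterArgs form that keeps the filter template and the user data apart.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapInjectionDemo {

    // Assumed stand-ins for the post's var1 and var3 (not taken from the post):
    // the attribute being looked up and a fixed clause the entry must also satisfy.
    static final String VAR1 = "uid";
    static final String VAR3 = "memberOf=cn=admins,ou=groups,dc=example,dc=com";

    // VULNERABLE: var2 is spliced into the filter text as-is, so any filter
    // metacharacters it contains are parsed as filter syntax instead of data.
    static String vulnerableFilter(String var2) {
        return "(&(" + VAR1 + "=" + var2 + ")(" + VAR3 + "))";
    }

    // Escape an assertion value as RFC 4515 section 3 requires: the characters
    // that carry meaning inside a filter are replaced by \HH hex escapes.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // HARDENED (a): same query, but var2 can only ever be an assertion value.
    static String hardenedFilter(String var2) {
        return "(&(" + VAR1 + "=" + escapeFilterValue(var2) + ")(" + VAR3 + "))";
    }

    // HARDENED (b): keep the template and the data apart and let JNDI encode the
    // value. {0} is filled from filterArgs by the LDAP provider, which escapes it,
    // so var2 cannot change the structure of the filter.
    static NamingEnumeration<SearchResult> hardenedSearch(DirContext ctx, String baseDn, String var2)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"cn", "mail"});
        String template = "(&(" + VAR1 + "={0})(" + VAR3 + "))";
        return ctx.search(baseDn, template, new Object[] {var2}, controls);
    }

    public static void main(String[] args) throws NamingException {
        // Constructed test payload: closes the uid assertion, adds an always-true
        // clause, and pushes the original group check into a trailing second filter.
        String payload = "*)(" + VAR1 + "=*))(|(" + VAR1 + "=*";
        System.out.println("vulnerable filter: " + vulnerableFilter(payload));
        System.out.println("hardened filter  : " + hardenedFilter(payload));

        // Optional live check against a directory you own:
        //   java LdapInjectionDemo ldap://host:389 dc=example,dc=com
        if (args.length == 2) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, args[0]);
            DirContext ctx = new InitialDirContext(env);
            try {
                NamingEnumeration<SearchResult> results = hardenedSearch(ctx, args[1], payload);
                // With the payload treated as a literal uid, no entry should match.
                System.out.println("entries matching the payload as a plain value: " + results.hasMore());
            } finally {
                ctx.close();
            }
        }
    }
}
```

Two caveats a reviewer should keep in mind. Whether the trailing `(|(uid=*)(memberOf=...))` fragment is rejected or silently ignored depends on the client library and the server; the defect is that a user-controlled value changed the structure of the filter at all, which is what the escaped and `{0}` variants prevent. And the filterArgs mechanism only protects assertion values: if user input ever selects the attribute name or the base DN, that needs an allow-list (or DN escaping per RFC 4514), because no filter escaping applies there.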