LDAP Injection is a vulnerability that affects web applications. It can be exploited by sending requests that are not properly analyzed and revised by the web application due to the vulnerability. An attacker can then modify LDAP statements using a proxy. This grants the attacker permissions needed to perform commands using the database server, web server and web app server. This can allow the attacker to access, modify or delete data contained within the LDAP tree.
How LDAP Injection affects company networks
Since the exploit is based on permissions, the level of harm a successful exploit can cause is largely based on exactly what permissions are hijacked. If the permissions allow the attacker to access and edit the data, he can simply read, copy, steal, rewrite, revise or just delete it. This can result in the complete loss of data, which typically results in large amounts of lost time and money for the company.
How to prevent LDAP Injection attacks
Data validation is the key to preventing LDAP Injections. All incoming data requests must be stripped of any unnecessary characters or strings of characters that can be used to maliciously exploit this vulnerability. Filters can be set up to allow only specific characters that are needed for valid requests. If possible, your filter should be set to only numbers. Letters and special characters can be added if necessary, but only after making sure that they are filtered specifically. Converting them to HTML substitutes is also a good and secure option.
Checkmarx uses a software-as-a-service (SaaS) testing process to analyze software code for LDAP Injection. This process is completely cloud-based, something that is cost-efficient and time-efficient for companies. There is no complex hardware or software installation and all testing is performed directly from the cloud. There is no hardware to purchase and the process is completely automated, so there is no training for company staff members. A Software Development Life Cycle (SDLC) provides the outline for developers to develop applications effectively and securely. While the phases of SDLCs vary depending on the type, size and complexity of the software, there are typically five fixes steps: analysis, design, coding, testing and deployment.
Checkmarx incorporates static and dynamic testing while looking for LDAP Injection vulnerabilities. Static testing is a process that is executed while the application is dormant. Penetration testing (pen tests) and vulnerability scans ensure that there are no LDAP Injection vulnerabilities, malicious code or other threats in the software code. Once the static testing is completed, dynamic testing process is performed. The dynamic testing process is typically performed while the application is running. This testing process scans for LDAP Injection vulnerabilities, malicious code, XSS vulnerabilities, SQL injection vulnerabilities and other potential exploits. For companies to have the most effective application security, both static and dynamic testing should be implemented into the SDLC testing phase.
See LDAP Injection Cheat Sheet, Attack Examples & Protection in Vulnerability Knowledge Base.