Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral directory service protocol that runs on top of the TCP/IP stack. It provides the mechanism for reading and modifying the data held in a directory, something that intranet and internet (web) applications commonly rely on today.
LDAP servers store information that clients access over LDAP sessions (usually with a pre-defined time-out). Once a session is established, the most basic operations are adding, deleting and modifying entries. Other operations that are frequently executed include:
As the diagram above shows, an LDAP injection is essentially a crafted query. Under normal circumstances a legitimate query to the LDAP server produces the expected output. When an attacker supplies input that contains LDAP filter syntax and the application concatenates that input into its query, the meaning of the query changes and additional private and sensitive information can be extracted from the LDAP server.
More advanced LDAP injections can also let the attacker bypass authentication checks that are implemented as LDAP searches, gain permissions they were never granted, and even modify information within the LDAP tree. Besides these common cases, many of the techniques used in SQL injection can also be applied to LDAP injection.
On a page with a user search form, the following code processes the value the user typed and generates the LDAP query that is run against the directory.
<label>Insert the username <input type="text" size="20" name="userName"></label>
The LDAP query is narrowed down to a single attribute for performance, and the underlying code for this function might be the following (Java):
String ldapSearchQuery = "(cn=" + userName + ")"; // userName is taken straight from the form, unchecked
System.out.println(ldapSearchQuery);
If the variable userName is not validated or escaped, LDAP injection is possible, as follows:
If a user types “*” into the search box, the filter becomes (cn=*) and the system may return every username in the LDAP base. If a user types “jonys)(|(password=*)”, the generated filter is (cn=jonys)(|(password=*)): the first component selects jonys' entry and the injected second component adds a condition the developer never wrote. Two caveats are worth keeping in mind. First, the response does not print the password itself; it shows whether an entry matching the attacker's condition exists, and that yes/no primitive is what blind LDAP injection builds on to recover attribute values a character at a time. Second, a string with two top-level components is not a well-formed search filter under RFC 4515, so whether the server honours, ignores or rejects the injected part depends on its parser. Either way the attacker has changed the structure of the query, which is the defining feature of the flaw.
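The following is an added example, not code from the post, that reproduces the filter construction above in Python so the effect of the two payloads can be inspected offline. It builds the same (cn=...) filter by concatenation, splits the result into its top-level parenthesised components to show that the injected input has turned one filter into two, and then builds the filter again with RFC 4515 escaping, which is the fix the remediation discussion below refers to. The function names and the component splitter are this example's own; the payloads are the constructed ones from the text.

```python
"""Added example: LDAP filter injection and RFC 4515 escaping (not from the post)."""

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

_HEX = "0123456789abcdefABCDEF"


def escape_filter_value(value: str) -> str:
    """Escape untrusted text so it can only ever be a literal assertion value."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(user_name: str) -> str:
    """Raw concatenation, equivalent to the page's Java snippet."""
    return "(cn=" + user_name + ")"


def safe_filter(user_name: str) -> str:
    """Same query, but the user-controlled part is escaped before concatenation."""
    return "(cn=" + escape_filter_value(user_name) + ")"


def top_level_components(filter_str: str):
    """Split a filter string into its top-level parenthesised components.

    A well-formed LDAP search filter is exactly one component, e.g. '(cn=jonys)'.
    Escape sequences (backslash plus two hex digits) are skipped so that escaped
    parentheses are not counted. Raises ValueError on unbalanced parentheses,
    text outside a component, or a malformed escape.
    """
    components = []
    depth = 0
    start = None
    i = 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            hexpart = filter_str[i + 1:i + 3]
            if len(hexpart) != 2 or any(c not in _HEX for c in hexpart):
                raise ValueError("malformed escape at offset %d" % i)
            i += 3
            continue
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            if depth == 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            depth -= 1
            if depth == 0:
                components.append(filter_str[start:i + 1])
        elif depth == 0 and not ch.isspace():
            raise ValueError("text outside a filter component at offset %d" % i)
        i += 1
    if depth != 0:
        raise ValueError("unbalanced '('")
    return components


def is_single_filter(filter_str: str) -> bool:
    """True if the string is one balanced filter component, the shape the developer intended."""
    try:
        return len(top_level_components(filter_str)) == 1
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal username and the two payloads discussed in the post.
    for payload in ["jonys", "*", "jonys)(|(password=*)"]:
        raw = vulnerable_filter(payload)
        safe = safe_filter(payload)
        print("input %r" % payload)
        print("  unescaped: %-35s single filter: %s" % (raw, is_single_filter(raw)))
        print("  escaped:   %-35s single filter: %s" % (safe, is_single_filter(safe)))
```

Note that the wildcard payload still yields a single, well-formed filter, (cn=*), so a structural check alone does not catch it; only escaping (which turns it into (cn=\2a), a search for a literal asterisk) does. That is why escaping every user-supplied value, rather than hunting for bad characters, is the right fix.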
LDAP injection is an application-layer vulnerability. This means that conventional network security controls such as firewalls and intrusion detection tools are not effective at detecting it. While minimising exposure points and applying the principle of least privilege (for instance, binding to the directory with an account that can only read what the application needs) help limit the damage, the real solutions to these issues include:
CxSAST locates LDAP injection vulnerabilities by following every piece of user input that flows into an LDAP command and warns when that input has not been validated or checked before use.