LDAP injection

In computer security, LDAP injection is a code injection technique used to exploit web applications which could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores. LDAP injection exploits a security vulnerability in an application by manipulating input parameters passed to internal search, add or modify functions. When an application fails to properly sanitize user input, it is possible for an attacker to modify an LDAP statement.

Technical Implementation
LDAP injection occurs when user input is not properly sanitized and then used as part of a dynamically generated LDAP filter. This results in potential manipulation of the LDAP statements performed on the LDAP server to either view, modify, or bypass authentication credentials.

Prevention
LDAP injection is a known attack and can be prevented by simple measures. All of the client supplied input must be checked/sanitized of any characters that may result in malicious behavior. The input validation should verify the input by checking for the presence of special characters that are a part of the LDAP query language, known data types, legal values, etc. White list input validation can also be used to detect unauthorized input before it is passed to the LDAP query.

Example
In the below example a query is constructed to validate a user's credentials for the purpose of logging in.

In a typical use case, a user would provide their user credentials and this filter would be used to validate these credentials. However, an attacker can enter a crafted input for the variable  such as   and any value for password. The finished query will then become. Only the first portion of this query is processed by the LDAP server, which always evaluates to true allowing the attacker to gain access to the system without needing to provide valid user credentials.