# LDAP Injection

**LDAP injection** is a type of *injection attack*. Injection attacks occur when maliciously crafted inputs are submitted by an attacker, causing an application to perform an unintended action. LDAP injection attacks allow an attacker to override authentication protections or manipulate data in your directory information service.

*LDAP* (Lightweight Directory Access Protocol) is a common method of querying a directory information service that contains information about users, systems and devices. The most common LDAP server is Microsoft’s Active Directory, used by Windows domain networks. Code accessing an LDAP server frequently uses parameters coming from an untrusted source to make queries against the user data.

For example: when a user attempts to log into a website, the username parameter supplied in the HTTP request may be incorporated into an LDAP query to check the user’s credentials. It is important that LDAP queries run against the directory service are constructed securely, to ensures attackers cannot inject extra statements or change the logic of an existing statement.

## LDAP Connections in Python

Consider the following Python function that connects to an LDAP server to validate a username and password:

import ldapdef validate_credentials(username, password):
ldap_query = f”(&(uid={username})(userPassword={password}))”
connection = ldap.initialize(“ldap://”)
user = connection.search_s(“dc=example,dc=com”, ldap.SCOPE_SUBTREE, ldap_query)return user.length == 1

Since the LDAP query is built through string interpolation and the inputs are not sanitized, and attacker can supply the password parameter as `*` and it will be treated as a wildcard pattern, allowing them to bypass validation. Furthermore, either parameter may contain control characters like `(` and `)` than can be injected to change the outcome of the query.

## Mitigation

To safely construct LDAP queries from untrusted data you must remove any characters that have a special meaning in the LDAP query language. The following code snippet illustrates a secure way of escaping the username and password in such a way that an attacker cannot inject control characters:

import ldap
import escape_filter_chars from ldap.filterdef validate_credentials(username, password):
safe_username = escape_filter_chars(username)
safe_password = escape_filter_chars(password)ldap_query = f”(&(uid={safe_username})(userPassword={safe_password}))”
connection = ldap.initialize(“ldap://”)
user = connection.search_s(“dc=example,dc=com”, ldap.SCOPE_SUBTREE, ldap_query)

return user.length == 1

# CWEs

* [CWE-90](https://cwe.mitre.org/data/definitions/90.html)

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.


See for yourself – run a scan on your code right now