Corgea LogoCorgea Security Hub

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Learn about CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')), its security impact, exploitation methods, and prevention guidelines.

What is Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')?

• Overview: LDAP Injection occurs when an application constructs LDAP queries based on user input without properly sanitizing or escaping special characters. This allows attackers to manipulate the query, potentially gaining unauthorized access or altering data.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by injecting special characters and LDAP operators into input fields that are used in LDAP queries.
  • Common attack patterns include injecting logical operators like &, |, *, or modifying query filters to bypass authentication or escalate privileges.

• Security Impact:

  • Direct consequences of successful exploitation can include unauthorized access to sensitive information, data modification, or bypassing authentication mechanisms.
  • Potential cascading effects involve compromised integrity and confidentiality of the LDAP directory and related systems.
  • Business impact could include data breaches, loss of customer trust, legal penalties, and financial losses.

• Prevention Guidelines:

  • Specific code-level fixes include using parameterized queries or prepared statements to separate logic from data.
  • Security best practices involve validating and sanitizing all user inputs, escaping special characters, and implementing least privilege principles.
  • Recommended tools and frameworks include using LDAP-specific libraries or APIs that automatically handle input sanitization and escaping, such as those provided in enterprise-level frameworks.
Corgea can automatically detect and fix Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Database Server

Vulnerable Code Example

import ldap

def search_user(username):
    # Vulnerable code: Directly inserting user input into the LDAP query
    ldap_connection = ldap.initialize('ldap://localhost')
    query = f"(uid={username})"  # Directly using user input without sanitization
    result = ldap_connection.search_s('ou=users,dc=example,dc=com', ldap.SCOPE_SUBTREE, query)
    return result

Explanation of the Vulnerability

In the above code, the username input is directly concatenated into the LDAP query string without any form of input validation or neutralization, creating a potential LDAP injection vulnerability. An attacker could inject special characters into the username that modify the query logic, potentially allowing unauthorized access to LDAP data. For example, a malicious input like *)(|(uid=*)) could manipulate the LDAP query to return all users.

How to fix Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')?

To fix LDAP injection vulnerabilities, the following best practices should be employed:

  1. Input Validation and Sanitization: Always validate and sanitize user inputs to ensure they conform to expected formats. Use whitelisting approaches where possible.
  2. Parameterized Queries: Utilize libraries or methods that support parameterized queries, which automatically handle input escaping.
  3. Escape Special Characters: When direct parameterization is not possible, ensure all user input is properly escaped to neutralize special characters used in LDAP query syntax.

Fixed Code Example

import ldap
from ldap.filter import escape_filter_chars  # Import function to escape LDAP special chars

def search_user(username):
    # Fixed code: Properly escaping user input to prevent LDAP injection
    ldap_connection = ldap.initialize('ldap://localhost')
    safe_username = escape_filter_chars(username)  # Escape special characters in input
    query = f"(uid={safe_username})"  # Use the sanitized input in the query
    result = ldap_connection.search_s('ou=users,dc=example,dc=com', ldap.SCOPE_SUBTREE, query)
    return result

Explanation of the Fix

In the fixed code, the escape_filter_chars function is used to escape any special characters in the username input that could be used to manipulate the query. This ensures that the input is treated strictly as data rather than code, effectively preventing LDAP injection attacks. By escaping special characters, we neutralize any potentially harmful input, ensuring the query executes as intended without unauthorized access.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') and get remediation guidance

Start for free and no credit card needed.