LDAP Injection Attack
Lightweight Directory Access Protocol (LDAP) is a widely used protocol for accessing information directories. LDAP injection is the technique of exploiting web applications that use client-supplied data in LDAP statements without first stripping potentially harmful characters from the request. The objective of this paper is to inform developers, system administrators and security professionals about various techniques that could be used to attack their applications. It also describes preventive measures for protecting applications from these intrusions.
- Building dynamic LDAP queries using untrusted input
- Untrusted input should be validated against an inclusion list before use (e.g., RegEx pattern, primitive type casting, domain constraint, etc.)
- See SpiDynamics LDAP Injection whitepaper: http://www.spidynamics.com/whitepapers/LDAPinjection.pdf