Directories house some of an organization’s most sensitive information that could be extremely dangerous in the wrong hands. LDAP injection attacks take advantage of this risk by leveraging vulnerabilities in the LDAP protocol to access, manipulate, and seize directory data, which can result in anything from spoofed authentication to ransomware attacks.
Fortunately, there are ways to guard against LDAP injection. This article covers how LDAP injection attacks work and how to prevent them in your organization.
LDAP Servers, Authentication, and Authorization
It’s important to understand the basics of LDAP and how it works to fully understand LDAP injection.
LDAP (lightweight directory authentication protocol) is a protocol that facilitates directory creation, maintenance, and authentication. LDAP can perform the following main functions:
- Modify (add, delete, or change).
LDAP servers house LDAP directory information, which is arranged within a directory information tree according to a customizable LDAP schema. LDAP directories can store information like:
- Systems and equipment.
- Attributes (of users and equipment, for example).
- Group membership privileges.
Because schemas are customizable, LDAP directories are highly flexible, and this list is not exhaustive; organizations can configure their LDAP directory to best fit their needs.
LDAP servers can be hosted on premises or in the cloud, and LDAP directories can run on free open source software, like OpenLDAP.
LDAP Authentication and Authorization
LDAP can authenticate users and authorize them to applications and resources that support LDAP. It does so by comparing a user’s login input with the credentials tied to their username in the LDAP directory; if they match, the user is authorized to access the desired resource.
LDAP relies heavily on queries, which is a request for information from the LDAP server. In fact, the reason LDAP is considered “lightweight” is because it receives more read requests (i.e., queries) than write requests (i.e., modifications).
Queries are a critical component of the authentication and authorization process — and a frequently leveraged function in LDAP injection attacks. They are built upon LDAP search filters, which determine which information in the directory to pull and are formed in accordance with LDAP syntax. Bad actors that are skilled with LDAP syntax can inject their own code into LDAP queries and filters to manipulate the results. This is the basis of LDAP injection.
LDAP Injection Overview
LDAP injection is a type of attack that modifies queries and commands to the LDAP server to manipulate its behavior. LDAP injection is dangerous because it compromises organization-wide directory information, granting bad actors access to critical organizational data and systems.
LDAP injection is often initiated by exploiting web applications or interfaces that don’t validate LDAP input before sending it to the LDAP server. Injections are built upon queries, and they can execute the same functions as standard LDAP functions can — e.g., query, modify, and authenticate. Let’s explore how hackers commonly exploit these functions in an LDAP injection attack.
LDAP Injection Examples
Because LDAP injection is based on code, it is a flexible tactic and takes many forms. Some of the most common forms of LDAP injection include:
- Return a list of private data. An LDAP query can pull lists of directory information — including information that should be private. Bad actors commonly use this function to pull and compromise company and employee data.
- Bypass authentication. When requesting LDAP authentication from the server, a bad actor can inject code that ends the query after the username so that the password input doesn’t matter. This guarantees successful authentication without a password.
- Modify the directory. Modifications include additions, changes, and deletions. For example, a hacker could use a query to pull a list of critical data and then modify the directory by deleting that data from the directory, holding it for ransom in a ransomware attack.
How Can Injection Attacks Be Prevented?
Both LDAP-supported applications and LDAP implementations can play a role in preventing LDAP injection. LDAP applications can prevent malicious LDAP queries from reaching the LDAP server, and LDAP instances can have policies in place that prevent malicious queries from being processed and carried out.
In addition, there are a few internal things your organization can do to minimize the likelihood of LDAP injection attacks and minimize damage, should one occur.
LDAP Input Validation
Certain special characters can be misused to manipulate LDAP code. The asterisk is a common example — often referred to as a wildcard operator, it can take the place of any character or string of characters.
Bad actors can use it to pull entire data lists: for example, a bad actor could use it to return all users whose usernames are [anything] with the following code:
Similarly, the ampersand in parenthesis — (&) — stops a query. Bad actors use it after the username input to bypass authentication by preventing the query from including the password.
To prevent this type of malicious injection, applications can compare LDAP inputs against a character whitelist, preventing known injections (like those listed above) from making it to the LDAP server. They can also escape these special characters and character combinations, processing them as the characters themselves and ignoring their intended function. For example, if an application escapes the asterisk character, the search:
would look for the username string “J*” rather than any username that starts with J.
Limit Data Return
LDAP instances can limit the amount of data they return upon a query. This helps prevent entire lists from being pulled and misused.
An LDAP bind authenticates the user before granting them access to the LDAP server. Requiring LDAP binds and prohibiting anonymous LDAP binds both help prevent LDAP injection.
Hashing stored passwords and salting the hashes is a critical security best practice that helps protect against many attack types. In terms of preventing LDAP injection, hashing and salting passwords prevents them from being easily manipulated with special injection characters.
Assign directory access according to the principle of least privilege (PoLP) to minimize the number of people who can issue LDAP queries to make it harder for an attacker to execute an injection.
Check Your Web Application Security
Web applications that support LDAP should take reasonable steps to prevent injected LDAP queries from reaching your LDAP server. Validating and properly sanitizing user input is a common preventative measure applications can take. Evaluate the applications in your infrastructure using LDAP and make sure they have adequate prevention measures in place.
Secure Cloud-Based LDAP Through JumpCloud
JumpCloud offers a cloud-based, managed LDAP service that adheres to high security standards. For one, JumpCloud’s LDAP service requires binds and prohibits anonymous binds, which help prevent LDAP injections.
It is also encrypted by LDAPS and StartTLS, OpenLDAP RFC2307 compliant, and supports multi-factor authentication (MFA) requirements to access LDAP resources. All passwords stored in JumpCloud are one-way hashed and salted.
What’s more, you don’t have to set up an LDAP instance when you use JumpCloud’s cloud-hosted LDAP, and all the security and management is taken care of for you. It’s all of the functionality with none of the hassle — and it’s free for your first 10 users and devices. Learn more about JumpCloud’s cloud-based LDAP offering.