<h1>What Is LDAP Injection?</h1>
<p>JumpCloud blog, published 2022-05-18, updated 2022-11-01: https://jumpcloud.com/blog/ldap-injection-explained</p>
<p>Directories house some of an organization's most sensitive information, which could be extremely dangerous in the wrong hands. LDAP injection attacks take advantage of this risk by leveraging vulnerabilities in applications that build LDAP queries to access, manipulate, and seize directory data, which can result in anything from spoofed authentication to ransomware attacks.</p>
<p>Fortunately, there are ways to guard against LDAP injection. This article covers how LDAP injection attacks work and how to prevent them in your organization.</p>
<p>It's important to understand the basics of LDAP and how it works to fully understand LDAP injection.</p>
<p>LDAP (Lightweight Directory Access Protocol) is a protocol that facilitates directory creation, maintenance, and authentication. LDAP can perform the following main functions:</p>
<h3>LDAP Servers</h3>
<p>LDAP servers house LDAP directory information, which is arranged in a directory information tree according to a customizable LDAP schema. LDAP directories can store information like:</p>
<p>Because schemas are customizable, LDAP directories are highly flexible, and this list is not exhaustive; organizations can configure their LDAP directory to best fit their needs.</p>
<p>LDAP servers can be hosted on premises or in the cloud, and LDAP directories can run on free, open source software like OpenLDAP.</p>
<h3>LDAP Authentication and Authorization</h3>
<p>LDAP can authenticate users and authorize them to applications and resources that support LDAP. It does so by comparing a user's login input with the credentials tied to their username in the LDAP directory; if they match, the user is authorized to access the desired resource.</p>
<h3>LDAP Queries</h3>
<p>LDAP relies heavily on queries, which are requests for information from the LDAP server. In fact, the reason LDAP is considered "lightweight" is that it receives far more <em>read</em> requests (i.e., queries) than <em>write</em> requests (i.e., modifications).</p>
<p>Queries are a critical component of the authentication and authorization process, and a frequently leveraged function in LDAP injection attacks. They are built on LDAP search filters, which determine which information in the directory to pull and are written according to LDAP filter syntax. Bad actors who are skilled with LDAP syntax can inject their own code into LDAP queries and filters to manipulate the results. This is the basis of LDAP injection.</p>
<h2>LDAP Injection Overview</h2>
<p>LDAP injection is a type of attack that modifies the queries and commands sent to the LDAP server in order to manipulate its behavior. LDAP injection is dangerous because it compromises organization-wide directory information, granting bad actors access to critical organizational data and systems.</p>
<p>LDAP injection is often initiated by exploiting web applications or interfaces that don't validate LDAP input before sending it to the LDAP server. Injections are built on queries, and they can execute the same functions that standard LDAP operations can, e.g., query, modify, and authenticate. Let's explore how hackers commonly exploit these functions in an LDAP injection attack.</p>
<h2>LDAP Injection Examples</h2>
<p>Because LDAP injection is based on code, it is a flexible tactic that takes many forms. Some of the most common forms of LDAP injection include:</p>
<h2>How Can Injection Attacks Be Prevented?</h2>
<p>Both LDAP-supported applications and LDAP implementations can play a role in preventing LDAP injection. Applications can prevent malicious LDAP queries from reaching the LDAP server, and LDAP instances can have policies in place that prevent malicious queries from being processed and carried out.</p>
<p>In addition, there are a few internal things your organization can do to minimize the likelihood of LDAP injection attacks and to minimize the damage should one occur.</p>
<h3>LDAP Input Validation</h3>
<p>Certain special characters can be misused to manipulate LDAP filters. The asterisk is a common example: often referred to as a wildcard operator, it can take the place of any character or string of characters.</p>
<p>Bad actors can use it to pull entire data lists. For example, a bad actor could return all users, whatever their usernames, with the following filter:</p>
<p><code>(userID=*)</code></p>
<p>Similarly, the ampersand in parentheses, <code>(&)</code>, ends a query early. Bad actors use it after the username input to bypass authentication by preventing the query from including the password.</p>
<p>To prevent this type of malicious injection, applications can compare LDAP inputs against a character whitelist, preventing known injections (like those listed above) from making it to the LDAP server. They can also escape these special characters and character combinations, so that the server processes them as literal characters and ignores their intended function. For example, if an application escapes the asterisk character, the search:</p>
<p><code>(userID=J*)</code></p>
<p>would look for the literal username string "J*" rather than any username that starts with J.</p>
<h3>Limit Data Return</h3>
<p>LDAP instances can limit the amount of data they return for a query. This helps prevent entire lists from being pulled and misused.</p>
<h3>LDAP Binds</h3>
<p>An LDAP bind authenticates the user before granting them access to the LDAP server. Requiring LDAP binds and prohibiting anonymous binds both help prevent LDAP injection.</p>
<h3>Hash Passwords</h3>
<p>Hashing stored passwords and salting the hashes is a critical security best practice that helps protect against many attack types. In terms of preventing LDAP injection, hashing and salting passwords prevents them from being easily manipulated with special injection characters.</p>
<h3>Least Privilege</h3>
<p>Assign directory access according to the principle of least privilege (PoLP) to minimize the number of people who can issue LDAP queries, making it harder for an attacker to execute an injection.</p>
<h3>Check Your Web Application Security</h3>
<p>Web applications that support LDAP should take reasonable steps to prevent injected LDAP queries from reaching your LDAP server. Validating and properly sanitizing user input is a common preventive measure applications can take. Evaluate the applications in your infrastructure that use LDAP and make sure they have adequate prevention measures in place.</p>
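<p>The input validation and escaping described above, as an added example that is not code from the article or from JumpCloud: a vulnerable filter builder next to a hardened one that allowlists the username and escapes LDAP filter metacharacters per RFC 4515, so that the article's <code>*</code> and <code>(&)</code> inputs are matched literally instead of being interpreted. The attribute names <code>userID</code> and <code>userPassword</code> and the allowlist pattern are assumptions.</p>

```python
import re

# Escape table from RFC 4515 section 3: these characters are special inside a
# search filter and must be written as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Allowlist for a username field (an assumption for this example; adjust it
# to the directory's real naming rules).
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_valid_username(value: str) -> bool:
    """Reject any input containing characters outside the allowlist."""
    return _USERNAME_RE.fullmatch(value) is not None


def unsafe_login_filter(username: str, password: str) -> str:
    """Vulnerable: user input is pasted straight into the filter string."""
    return f"(&(userID={username})(userPassword={password}))"


def safe_login_filter(username: str, password: str) -> str:
    """Hardened: allowlist the username and escape both values.

    A bind operation is the preferred way to authenticate; this filter form
    only mirrors the query the article describes.
    """
    if not is_valid_username(username):
        raise ValueError("username contains characters outside the allowlist")
    return (f"(&(userID={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


if __name__ == "__main__":
    # Constructed sample inputs, including the two from the article.
    print(unsafe_login_filter("*", "x"))      # wildcard survives: (&(userID=*)(userPassword=x))
    print(escape_filter_value("J*"))          # J\2a, which matches only the literal "J*"
    print(safe_login_filter("jdoe", "p)(&"))  # parentheses become \29\28 and are inert
```

<p>With the asterisk escaped to <code>\2a</code>, a lone <code>*</code> can only match an account whose username is literally an asterisk, and escaped parentheses cannot close the filter early.</p>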
<h2>Secure Cloud-Based LDAP Through JumpCloud</h2>
<p>JumpCloud offers a cloud-based, managed LDAP service that adheres to high security standards. For one, JumpCloud's LDAP service requires binds and prohibits anonymous binds, which helps prevent LDAP injection.</p>
<p>It is also encrypted with LDAPS and StartTLS, is OpenLDAP RFC 2307 compliant, and supports multi-factor authentication (MFA) requirements for access to LDAP resources. All passwords stored in JumpCloud are one-way hashed and salted.</p>
<p>What's more, you don't have to set up an LDAP instance when you use JumpCloud's cloud-hosted LDAP; all the security and management is taken care of for you. It's all of the functionality with none of the hassle, and it's free for your first 10 users and devices. Learn more about JumpCloud's cloud-based LDAP offering.</p>