LDAP Injection
Attack Pattern ID: 136 (Standard Attack Pattern Completeness: Stub)Typical Severity: HighStatus: Draft
+ Description

Summary

An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.

+ Attack Prerequisites

The target application must accept a string as user input, fail to sanitize characters that have a special meaning in LDAP queries in the user input, and insert the user-supplied string in an LDAP query which is then processed.

+ Resources Required

No special resources are required beyond the ability to provide string input to the target.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfCategoryCategory152Injection (Injecting Control Plane content through the Data Plane) 
Mechanism of Attack (primary)1000
ChildOfCategoryCategory362WASC Threat Classification 2.0 - WASC-29 - LDAP Injection 
WASC Threat Classification 2.0333
Back to top