LDAP Injection
detect, understand, remediate
LDAP injection manipulates directory service queries by injecting special characters into unsanitised input, allowing attackers to bypass authentication, enumerate users, or extract directory data.
No credit card required. Free plan available forever.
What is LDAP injection?
LDAP injection (CWE-90) is a code injection attack that exploits web applications which construct Lightweight Directory Access Protocol (LDAP) queries from unsanitized user input. When an application passes user-supplied data directly into an LDAP search filter or distinguished name (DN) without proper escaping, attackers can manipulate the query logic to bypass authentication, enumerate directory entries, or extract sensitive information from the directory service.
LDAP directories are foundational to enterprise infrastructure, storing user accounts, group memberships, organizational hierarchies, and access control configurations. Services like Microsoft Active Directory, OpenLDAP, and Apache Directory Server power authentication and authorization across corporate networks. An LDAP injection vulnerability effectively gives an attacker the ability to query and manipulate this central identity store, making it one of the most impactful injection attacks in enterprise environments. The vulnerability shares conceptual similarities with SQL injection, as both exploit unvalidated input in query construction.
LDAP injection attacks are particularly dangerous because they can lead to complete authentication bypass. By injecting filter metacharacters such as asterisks, parentheses, and boolean operators, an attacker can alter the search filter to always return true, effectively logging in as any user without knowing their password. In organizations that rely on LDAP for single sign-on, a single injection point can compromise access to every connected application and service.
How it works
Identify LDAP-backed authentication
The attacker identifies login forms, user search features, or directory lookup endpoints that use LDAP as the backend, often indicated by Active Directory integration or corporate SSO systems.
Inject LDAP filter metacharacters
Special characters are injected into input fields to manipulate the constructed LDAP filter: asterisks (*) for wildcard matching, parentheses for grouping, the pipe (|) for OR logic, and the ampersand (&) for AND logic.
Modify query logic
The injected characters alter the structure of the LDAP filter. For example, supplying *)(&(password=* as the user value turns the intended filter (&(user=INPUT)(password=INPUT)) into one that matches any user regardless of the password provided.
Bypass authentication or enumerate directory
The modified filter returns results the attacker should not have access to, enabling login as an arbitrary user, extraction of user lists and email addresses, or discovery of group memberships and organizational structure.
Common causes
String concatenation in LDAP filters
Building LDAP search filters by directly concatenating user input into filter strings without escaping special characters. For example, constructing "(&(uid=" + username + ")(password=" + password + "))" with raw input.
Missing input sanitization
Failing to escape LDAP-specific metacharacters (*, (, ), \, NUL) from user input before incorporating it into filter expressions or distinguished names, allowing query manipulation.
Direct user input in search bases
Using user-supplied values to construct the search base DN (e.g., ou=INPUT,dc=company,dc=com) without validation, allowing attackers to traverse or modify the directory search scope.
Unvalidated DN construction
Building distinguished names from user input without proper escaping of DN-special characters (commas, plus signs, equals signs, angle brackets), enabling attackers to modify the target entry or search scope.
How to detect it
Automated detection
- SecPortal's code scanning identifies LDAP query construction patterns in source code, flagging string concatenation with user input in filter builders and DN constructors
- Automated metacharacter injection testing sends LDAP-specific payloads (*, )(, |, &) to login and search endpoints, analyzing responses for error messages or behavioral changes that indicate filter manipulation
- Error message analysis detects verbose LDAP error responses that reveal filter syntax, directory structure, or backend configuration details useful for further exploitation
Manual testing
- Enter LDAP wildcard characters (*) in username and password fields and observe if the application authenticates successfully or returns different error messages for valid versus invalid usernames
- Inject closing parentheses and boolean operators to break out of the intended filter structure, such as "admin)(&" or "*)(uid=*))(|(uid=*", to test for filter manipulation
- Test user search or directory lookup features with wildcard patterns (a*, ab*, abc*) to enumerate valid entries by observing differences in response content, timing, or result counts
How to fix it
Use parameterized LDAP queries
Use LDAP libraries that support parameterized or prepared filter construction, where user input is treated as a literal value rather than part of the filter syntax. Most modern LDAP SDKs provide filter builder APIs that handle escaping automatically.
Validate and escape all input
Apply LDAP-specific escaping to all user input before including it in search filters or distinguished names. Escape characters including *, (, ), \, NUL, /, and any other characters with special meaning in LDAP filter or DN syntax.
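The following is an added example, not SecPortal's code: it places the concatenation pattern from the "Common causes" section beside a builder that escapes user input per RFC 4515 (search filters) and RFC 4514 (distinguished names), and runs the username payload from the "How it works" section through both. The attribute names and the dc=company,dc=com suffix are illustrative.

```python
# Added example (not SecPortal's code): vulnerable concatenation beside a
# builder that escapes input per RFC 4515 (filters) and RFC 4514 (DNs).
# Attribute names and the directory suffix are illustrative.

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).
    Each of backslash, *, (, ) and NUL becomes a backslash plus its two-digit
    hex code, so the value can never open, close or extend a filter component."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)

def escape_dn_value(value: str) -> str:
    """Escape an attribute value used inside a distinguished name (RFC 4514):
    backslash, comma, plus, quote, angle brackets and semicolon anywhere,
    a leading '#' or space, a trailing space, and NUL."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def build_login_filter_unsafe(username: str, password: str) -> str:
    """The vulnerable pattern: raw input becomes part of the filter syntax."""
    return "(&(uid=" + username + ")(password=" + password + "))"

def build_login_filter_safe(username: str, password: str) -> str:
    """Hardened: input is escaped, so the server matches it as a literal value."""
    return "(&(uid=%s)(password=%s))" % (
        escape_filter_value(username), escape_filter_value(password))

def build_search_base(ou: str) -> str:
    """Search base built from user input with DN escaping (hypothetical suffix)."""
    return "ou=%s,dc=company,dc=com" % escape_dn_value(ou)

if __name__ == "__main__":
    payload = "*)(&(password=*"   # username payload from the "How it works" section
    print(build_login_filter_unsafe(payload, "x"))  # (&(uid=*)(&(password=*)(password=x))
    print(build_login_filter_safe(payload, "x"))    # (&(uid=\2a\29\28&\28password=\2a)(password=x))
    print(build_search_base("people,dc=other"))     # ou=people\,dc=other,dc=company,dc=com
```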
Use least-privilege LDAP binds
Configure the application's LDAP service account with the minimum permissions required. Restrict it to read-only access on specific organizational units, preventing attackers from modifying directory entries even if injection is successful.
Implement network segmentation
Place LDAP servers on isolated network segments accessible only from authorized application servers. Use firewalls to restrict LDAP port access (389, 636) and prevent direct attacker interaction with the directory service.
Enable comprehensive audit logging
Configure LDAP servers to log all search queries, bind attempts, and modifications with full filter details. Monitor for unusual patterns such as wildcard-heavy filters, authentication anomalies, or queries from unexpected source IPs.
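As an added example (not SecPortal's code), the check below flags the audit-log patterns named above: a filter whose outer group closes before the end of the string (a breakout), wildcard-heavy filters, and repeated prefix-wildcard probing from one connection. The log lines are constructed in OpenLDAP's SRCH style and are not real directory traffic.

```python
# Added example (not SecPortal's code): detection over constructed OpenLDAP-style
# SRCH audit lines; the sample log below is made up for this illustration.
import re
from typing import Dict, List

SAMPLE_LOG = """\
conn=1001 op=1 SRCH base="ou=people,dc=company,dc=com" scope=2 filter="(&(uid=alice)(password=s3cret))"
conn=1002 op=1 SRCH base="ou=people,dc=company,dc=com" scope=2 filter="(&(uid=*)(uid=*))(|(uid=*)(password=x))"
conn=1003 op=1 SRCH base="ou=people,dc=company,dc=com" scope=2 filter="(&(uid=bob)(password=hunter2))"
conn=1004 op=1 SRCH base="ou=people,dc=company,dc=com" scope=2 filter="(uid=ab*)"
conn=1004 op=2 SRCH base="ou=people,dc=company,dc=com" scope=2 filter="(uid=abc*)"
conn=1004 op=3 SRCH base="ou=people,dc=company,dc=com" scope=2 filter="(uid=abd*)"
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')
PREFIX_RE = re.compile(r"=[^*()]+\*\)")   # an assertion value ending in a wildcard

def analyze_filter(filt: str) -> List[str]:
    """Indicators for one filter. Properly escaped input appears as \\2a, \\28
    and \\29 in the log and therefore trips neither check."""
    reasons = []
    depth = 0
    for i, ch in enumerate(filt):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if ch == ")" and depth == 0 and i != len(filt) - 1:
            reasons.append("filter_breakout")   # outer group closed, trailing text follows
            break
    if filt.count("*") >= 2:
        reasons.append("wildcard_heavy")
    return reasons

def scan_log(text: str, enum_threshold: int = 3) -> Dict[str, List[str]]:
    """Map of flagged operation (or connection) to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    prefix_searches: Dict[str, int] = {}
    for conn, op, filt in SRCH_RE.findall(text):
        reasons = analyze_filter(filt)
        if reasons:
            flagged["conn=%s op=%s" % (conn, op)] = reasons
        if PREFIX_RE.search(filt):
            prefix_searches[conn] = prefix_searches.get(conn, 0) + 1
    for conn, count in prefix_searches.items():
        if count >= enum_threshold:   # repeated prefix probing from one connection
            flagged.setdefault("conn=%s" % conn, []).append("wildcard_enumeration")
    return flagged

if __name__ == "__main__":
    for key, reasons in scan_log(SAMPLE_LOG).items():
        print(key, reasons)
```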
Detect LDAP injection flaws
SecPortal's code scanner identifies unsafe LDAP filter construction and missing input sanitisation in directory queries. Start free.