LDAP injection is an attack that exploits web applications constructing Lightweight Directory Access Protocol (LDAP) queries from unsanitized user input. By injecting special LDAP characters and filter syntax, an attacker can modify the query logic to bypass authentication, extract directory data, or escalate privileges.
How It Works
LDAP directories store organizational data such as user accounts, groups, email addresses, and access permissions. Applications query these directories using LDAP search filters, which follow a specific syntax with operators like & (AND), | (OR), and * (wildcard).
When an application builds an LDAP filter by concatenating user input directly into the query string, an attacker can inject filter syntax to alter the query's behavior. For example, a login form that constructs the filter (&(uid=INPUT)(password=INPUT)) can be exploited by entering *)(|(& as the username, breaking out of the intended filter structure and potentially bypassing authentication.
Consider a user lookup function that builds the query (uid=USER_INPUT). If an attacker provides *)(objectClass=*), the resulting filter becomes (uid=*)(objectClass=*), which matches all entries in the directory. This can expose the entire directory contents, including service accounts, administrative users, and sensitive attributes.
LDAP injection can also modify the scope of queries. By injecting additional filter conditions, attackers can force the query to return entries from different parts of the directory tree, access attributes not intended for disclosure, or bypass access control filters that the application applies at the LDAP query level.
Prevention
Input validation should reject LDAP special characters including (, ), *, \, and null bytes. Parameterized LDAP queries — the equivalent of prepared statements in SQL — prevent injection by separating the filter structure from the data. Applying the principle of least privilege to the LDAP bind account limits the damage from a successful injection, since the account can only access what it has been granted.
Why It Matters
Organizations that rely on LDAP for authentication and authorization expose critical infrastructure when injection flaws exist. A successful attack can grant unauthorized access to every account in the directory, making LDAP injection a high-impact vulnerability that often leads to complete environment compromise.