The application constructs LDAP queries using unsanitized user input, allowing attackers to modify the query logic to bypass authentication or extract directory information.
An attacker could bypass authentication mechanisms, enumerate directory users and groups, access unauthorized information from the LDAP directory, or modify directory entries.
Use parameterized LDAP queries or frameworks that handle escaping. Validate and sanitize all user input used in LDAP operations. Implement input allowlists for LDAP query parameters. Use least-privilege LDAP service accounts.
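The two patterns above, the unsafe concatenation and the hardened construction, as an added example that is not part of the original finding. It builds only the filter string (no directory is contacted) so the difference can be inspected directly. The function and attribute names (`build_uid_filter_unsafe`, `build_uid_filter_safe`, `build_name_search_filter`, the `uid`/`cn` attributes) are assumptions for illustration; the escaping follows RFC 4515, which is what library helpers such as `ldap3.utils.conv.escape_filter_chars` implement.

```python
# Added example (not from the original finding): constructing an LDAP search
# filter from untrusted input, the vulnerable way and the hardened way.
# No LDAP server is used; only the resulting filter string is built.
# All function names and the uid/cn attribute choices are assumptions.

import re

# RFC 4515 section 3: these characters inside an assertion value must be
# encoded as a backslash followed by two hex digits. Backslash itself is in
# the table, and each input character is looked up exactly once, so there is
# no double-escaping.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Allowlist for an account identifier: letters, digits, dot, dash, underscore.
# Tighter than escaping alone because it rejects anything unexpected outright.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_allowed_username(value: str) -> bool:
    """True only if the whole value matches the allowlist pattern."""
    return _USERNAME_RE.fullmatch(value) is not None


def build_uid_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into the filter.

    A wildcard or extra parentheses in `username` become part of the filter
    logic instead of being matched literally.
    """
    return f"(&(objectClass=person)(uid={username}))"


def build_uid_filter_safe(username: str) -> str:
    """Hardened pattern: allowlist the identifier, then escape it anyway.

    Escaping is kept as a second layer so a later relaxation of the allowlist
    cannot silently reintroduce the injection.
    """
    if not is_allowed_username(username):
        raise ValueError("username contains characters outside the allowlist")
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def build_name_search_filter(term: str) -> str:
    """Free-text lookup where an allowlist is impractical: escaping is the control.

    The substring wildcards are added by the application, so they are trusted;
    any '*' the user typed is escaped and matched literally.
    """
    if not term or len(term) > 128:
        raise ValueError("search term is empty or too long")
    return f"(cn=*{escape_filter_value(term)}*)"


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary, one containing filter metacharacters.
    for sample in ("j.smith", "*"):
        print("unsafe :", build_uid_filter_unsafe(sample))
        try:
            print("safe   :", build_uid_filter_safe(sample))
        except ValueError as exc:
            print("safe   : rejected ->", exc)
    print("search :", build_name_search_filter("Sm*th"))
```

Two points worth keeping in mind when applying this: the filter is only for locating the user's DN, and authentication should then be a bind as that DN rather than a filter comparison against a password attribute; and the account performing the lookup should be a read-only service account limited to the subtree it needs, which caps what an injected filter could enumerate even if the escaping were ever bypassed.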