The Lightweight Directory Access Protocol (LDAP) allows an application to remotely perform operations such as searching and modifying records in a directory. LDAP injection results from inadequate input sanitization and validation and allows malicious users to glean restricted information from the directory service. Depending on the specific vulnerability, privilege escalation is also possible.
A white-list can be used to validate untrusted input and restrict it to a list of valid characters. The characters that must not be permitted by such a white-list include JNDI meta-characters and LDAP special characters. They are tabulated below:
Character | Name |
---|---|
' and " | Single and double quote |
/ and \ | Forward-slash and back-slash |
\\ | Double slashes* |
space | Space character at beginning or end of string |
# | Hash character at the beginning of the string |
< and > | Angle brackets |
, and ; | Comma and semi-colon |
+ and * | Addition and multiplication operators |
( and ) | Round braces |
\u0000 | Unicode NULL character |
\* This is a character sequence.
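The following validator is an added example, not code from the original page: it enforces the table above before a user-supplied value is placed in a search filter. The allow-list of permitted characters and the filter template are constructed assumptions, since the page defines only what must be rejected.

```python
import re

# Constructed allow-list (an assumption of this example, not from the page):
# letters, digits, period, underscore, hyphen and interior spaces.
ALLOWED = re.compile(r"^[A-Za-z0-9._ -]+$")

# Every character the table above forbids in any position.
FORBIDDEN_ANYWHERE = set("'\"/\\<>,;+*()\u0000")


def validate_ldap_input(value: str) -> bool:
    """Return True only if `value` satisfies the white-list rules in the table.

    The positional rules (leading/trailing space, leading '#') are checked
    separately because a plain character class cannot express them.
    """
    if not value:
        return False
    if any(ch in FORBIDDEN_ANYWHERE for ch in value):
        return False
    if "\\\\" in value:            # the double-slash sequence from the table
        return False               # (already covered by the backslash rule)
    if value[0] == " " or value[-1] == " ":
        return False
    if value[0] == "#":
        return False
    return ALLOWED.fullmatch(value) is not None


def build_uid_filter(uid: str) -> str:
    """Build a single-user search filter, refusing unvalidated input.

    The filter template is constructed for this example; the parentheses
    and operators belong to the template, never to the user value.
    """
    if not validate_ldap_input(uid):
        raise ValueError("uid contains characters not permitted by the white-list")
    return f"(&(objectClass=person)(uid={uid}))"


if __name__ == "__main__":
    print(build_uid_filter("jsmith"))
    # Constructed inputs, one per table row that applies to a uid value.
    for bad in ("smith*", " jsmith", "#jsmith", "jsm\u0000ith", "j(s)mith"):
        print(repr(bad), "rejected:", not validate_ldap_input(bad))
```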
Noncompliant Code Example
For the purpose of this example, consider an LDAP Data Interchange Format (LDIF) file that contains records in the following format:
...