LDAP Injection occurs when an application constructs LDAP queries using unsanitized user input, allowing an attacker to alter the query logic and bypass authentication, extract unauthorized data, or modify directory information. Like SQL injection, it exploits the failure to distinguish between query structure and data, but targets LDAP directory services instead of databases.
02 How It Happens
LDAP (Lightweight Directory Access Protocol) queries use a filter syntax (RFC 4515) in which a few characters carry meaning: * is a wildcard, ( and ) delimit filter components, \ introduces an escape sequence, and &, | and ! are the boolean operators that combine components. Inside an attribute value only *, (, ), \ and NUL are special; the boolean operators become reachable once ( and ) let attacker input escape the value position. When an application concatenates user input directly into a filter without escaping it, an attacker can supply those characters to change the filter's logic: a * turns an exact match into a match-anything, and a )( sequence closes the component the developer wrote and opens new components of the attacker's choosing. A login filter intended to match one username can thus be made to match any user, and a search filter can be widened to return records it was never meant to return. The root cause is that the input is treated as literal data when it is actually parsed as part of the query syntax.
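To make the mechanism concrete, the following is an added example, not code from the original page: a small strict evaluator for RFC 4515 filters run over a constructed in-memory directory, with the page's login filter built first by plain concatenation and then with escaping. DIRECTORY, build_login_filter, parse_filter and search are assumptions made for this illustration; escape_filter_chars is written inline with the same rule that python-ldap's ldap.filter.escape_filter_chars applies, so the block runs without python-ldap. It also goes one step beyond the single-wildcard case above by showing a )( injection that stays well-formed and adds a boolean branch of the attacker's own.

```python
import re

# Constructed sample directory for the illustration; not real data.
DIRECTORY = [
    {"uid": "admin", "userPassword": "Tr0ub4dor&3", "mail": "admin@example.com"},
    {"uid": "alice", "userPassword": "correct horse", "mail": "alice@example.com"},
    {"uid": "bob", "userPassword": "hunter2", "mail": "bob@example.com"},
]


def escape_filter_chars(value):
    """RFC 4515 value escaping: '*', '(', ')', '\\' and NUL become backslash-hex so the
    server reads them as literal data (same rule as python-ldap's escape_filter_chars)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_login_filter(username, password, escape=False):
    """The page's login filter, built by concatenation (escape=False) or with escaping."""
    if escape:
        username, password = escape_filter_chars(username), escape_filter_chars(password)
    return f"(&(uid={username})(userPassword={password}))"


def parse_filter(text):
    """Strict parser: the whole string must be exactly one well-formed filter."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter at offset %d" % end)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '%s' filter" % op)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), i + 1
    eq, close = s.find("=", i), s.find(")", i)
    if eq == -1 or close == -1 or eq > close:
        raise ValueError("malformed item at offset %d" % i)
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def _unescape(raw):
    # \XX hex escapes turn back into the literal character they protect.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _value_regex(raw):
    # An unescaped '*' is a substring wildcard; everything else is literal. Matching is
    # case-insensitive (caseIgnoreMatch), a simplification for userPassword.
    return re.compile(".*".join(re.escape(_unescape(p)) for p in raw.split("*")), re.I | re.S)


def _match(node, entry):
    op = node[0]
    if op == "&":
        return all(_match(c, entry) for c in node[1])
    if op == "|":
        return any(_match(c, entry) for c in node[1])
    if op == "!":
        return not _match(node[1][0], entry)
    _, attr, raw = node
    value = entry.get(attr)
    return value is not None and _value_regex(raw).fullmatch(value) is not None


def search(filter_text):
    """Return the uids the filter matches, i.e. what search_s would hand back."""
    node = parse_filter(filter_text)
    return sorted(e["uid"] for e in DIRECTORY if _match(node, e))


if __name__ == "__main__":
    cases = [
        ("alice", "correct horse"),          # legitimate login
        ("*", "*"),                          # wildcard in both fields: matches every entry
        ("alice", "*"),                      # known user, wildcard password
        ("admin)(|(userPassword=*", "x)"),   # ')(' closes uid and adds an OR branch
    ]
    for user, pw in cases:
        for escape in (False, True):
            f = build_login_filter(user, pw, escape)
            print(("escaped " if escape else "raw     ") + f + " -> " + str(search(f)))
```

The last case is the one to study: username admin)(|(userPassword=* with password x) yields (&(uid=admin)(|(userPassword=*)(userPassword=x))), a perfectly well-formed filter that matches admin whatever the password is, so no filter error is raised anywhere. With escaping, both fields reach the parser as \28, \29 and \2a sequences and the same inputs match nothing.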
03 Real-World Impact
Successful LDAP injection can lead to authentication bypass (logging in without valid credentials), unauthorized disclosure of directory information (usernames, email addresses, phone numbers), account enumeration, and in some cases modification or deletion of directory entries. Organizations using LDAP for centralized authentication—common in enterprise environments—face the risk of widespread account compromise if the vulnerability exists in a critical application.
04 Vulnerable & Fixed Patterns
Vulnerable pattern
import ldap
from flask import request  # the request.args usage below is Flask-style; the import is assumed here

username = request.args.get('user')
password = request.args.get('pass')
# Directly concatenating user input into LDAP filter: a '*' or ')(' in either field rewrites it
ldap_filter = f"(&(uid={username})(userPassword={password}))"
conn = ldap.initialize("ldap://ldap.example.com")
try:
    result = conn.search_s("dc=example,dc=com", ldap.SCOPE_SUBTREE, ldap_filter)
    if result:  # any non-empty result is treated as a successful login
        print("Login successful")
except ldap.FILTER_ERROR:  # only raised for a malformed filter; a well-formed injected filter never gets here
    print("Login failed")
Why it's vulnerable: User input is concatenated directly into the LDAP filter string, so characters that are special in filter syntax (*, (, ), \) are parsed as syntax rather than as the literal username or password. Entering * as the username and * as the password makes the filter match every entry that has those attributes, and because the code treats any non-empty result as a successful login, that is an authentication bypass. A )( sequence lets the attacker close the uid component and append components of their own. The except clause does not help: it fires only for a malformed filter, and an injected filter that is still well-formed is executed normally.
Fixed pattern
import ldap
from ldap.filter import escape_filter_chars
from flask import request  # the request.args usage below is Flask-style; the import is assumed here

username = request.args.get('user')
password = request.args.get('pass')
# Escape special characters in user input so they reach the server as literal data
safe_username = escape_filter_chars(username)
safe_password = escape_filter_chars(password)
ldap_filter = f"(&(uid={safe_username})(userPassword={safe_password}))"
conn = ldap.initialize("ldap://ldap.example.com")
try:
    result = conn.search_s("dc=example,dc=com", ldap.SCOPE_SUBTREE, ldap_filter)
    if result:
        print("Login successful")
except ldap.FILTER_ERROR:  # raised if the filter string itself cannot be parsed
    print("Login failed")
Why it's fixed: escape_filter_chars() replaces the characters that are special inside a filter value (*, (, ), \ and NUL) with their backslash-hex escapes as defined in RFC 4515, so the filter always keeps the structure the developer wrote. An attacker's * arrives at the server as \2a and is compared literally, and a )( sequence becomes \29\28, which cannot close or open a component. Note that escaping fixes the injection, not the design: comparing userPassword inside a search filter depends on the directory exposing that attribute to the searching identity, and the usual pattern is to look up the user's DN with an escaped filter and then bind with the supplied password.
Always escape user input before including it in LDAP filters using language-specific escaping functions (ldap_escape() with LDAP_ESCAPE_FILTER in PHP, ldap.filter.escape_filter_chars() in Python's python-ldap). Filter escaping and DN escaping are different rules: input that goes into a distinguished name, for example a bind DN, needs DN escaping (LDAP_ESCAPE_DN in PHP, ldap.dn.escape_dn_chars() in python-ldap), not filter escaping.
Most LDAP client libraries have no prepared statements; the equivalent is a template builder that escapes every value for you, such as python-ldap's ldap.filter.filter_format(template, values), where each %s placeholder is replaced by an escaped value. Prefer such a builder over string concatenation or f-strings.
Validate and allowlist input where possible—restrict usernames to alphanumeric characters and reject input containing LDAP metacharacters if the application logic permits.
Apply the principle of least privilege to LDAP service accounts; use read-only binds for authentication queries and restrict modification permissions.
Log and monitor LDAP queries for unusual patterns, such as filters containing wildcard characters or boolean operators in unexpected contexts.
Test authentication and search functions with input containing LDAP special characters (*, (, ), \, NUL, &, |, !) and verify that the resulting filter still has exactly the structure of the template and that the request matches nothing it should not.
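The following is an added example that puts the escaping, template, allowlist and testing steps above together; it is not code from the original page. filter_format is written inline with the semantics of python-ldap's ldap.filter.filter_format so the block runs without python-ldap; USERNAME_RE is an assumed username policy, and PROBES are constructed test inputs, one per metacharacter. structure_intact is the check behind the testing step: a built filter is only acceptable when it has exactly the template's unescaped parentheses and wildcards, every backslash starts a \XX escape, and no NUL survived.

```python
import re

FILTER_SPECIAL = "*()\\\x00"


def escape_filter_chars(value):
    """RFC 4515 value escaping, the rule ldap.filter.escape_filter_chars applies."""
    return "".join("\\%02x" % ord(ch) if ch in FILTER_SPECIAL else ch for ch in value)


def filter_format(template, values):
    """Template builder with the semantics of python-ldap's ldap.filter.filter_format:
    every %s is replaced by the escaped value, so data can never become filter syntax."""
    if template.count("%s") != len(values):
        raise ValueError("template has %d placeholders, got %d values"
                         % (template.count("%s"), len(values)))
    return template % tuple(escape_filter_chars(v) for v in values)


# Assumed username policy for the allowlist step: lowercase letters, digits, '.', '_', '-',
# starting with a letter or digit, at most 64 characters. Adjust to the directory's own rules.
USERNAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")


def validate_username(username):
    """Reject (rather than strip) anything outside the allowlist."""
    return USERNAME_RE.fullmatch(username) is not None


def structure_intact(template, built):
    """True iff escaping preserved the template: same count of unescaped '(' ')' '*',
    every backslash introduces a \\XX hex escape, and no NUL byte got through."""
    if any(built.count(c) != template.count(c) for c in "()*"):
        return False
    if "\x00" in built:
        return False
    return all(re.fullmatch(r"[0-9a-fA-F]{2}", built[m.end():m.end() + 2]) is not None
               for m in re.finditer(r"\\", built))


# Constructed probe inputs: one per metacharacter the page lists, plus backslash and NUL.
PROBES = ["*", "admin)(&)", "x)(|(uid=*", "a\\b", "\x00", "bob!", "a|b", "a&b"]

LOGIN_TEMPLATE = "(&(uid=%s)(userPassword=%s))"


def run_probes(template=LOGIN_TEMPLATE):
    """Build the login filter for each probe by plain substitution and via filter_format and
    report whether each result kept the template's structure: {probe: (concatenated, escaped)}."""
    report = {}
    for probe in PROBES:
        concatenated = template.replace("%s", probe, 1).replace("%s", "pw", 1)
        escaped = filter_format(template, [probe, "pw"])
        report[probe] = (structure_intact(template, concatenated),
                         structure_intact(template, escaped))
    return report


if __name__ == "__main__":
    for probe, (raw_ok, esc_ok) in run_probes().items():
        print("%-14r concatenated intact=%-5s escaped intact=%s" % (probe, raw_ok, esc_ok))
    print(filter_format("(uid=%s)", ["a*b"]))
```

Two of the probes are instructive because they pass the structural check even when concatenated: bob!, a|b and a&b contain operator characters, but inside a value those characters are literal and escape_filter_chars leaves them alone. They only become dangerous together with parentheses, which is why the check counts ( and ) rather than looking for & or |. The allowlist is the belt to that pair of braces: where the application can dictate the username alphabet, validate_username() rejects every one of the hostile probes before a filter is ever built.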
06 Signs You May Already Be Affected
Check your application logs for LDAP filter errors (python-ldap raises ldap.FILTER_ERROR when libldap cannot parse a filter string) and for unexpected query patterns, in particular searches that return far more entries than the single entry an authentication lookup should. Review authentication logs for successful logins with suspicious usernames (containing *, parentheses or backslashes), and for directory entries being read or modified that the application has no reason to touch. Keep in mind that a well-formed injected filter raises no error at all, so an absence of filter errors proves nothing. If your application uses LDAP for authentication or directory lookups and user input is concatenated into filter strings without escaping, you are at risk.
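As an added example of the log review described above (not code from the original page), the block below runs a small detector over constructed log lines modelled on the format of OpenLDAP slapd stats logging; the lines are not a real capture, and EXPECTED_SKELETON is an assumption that the application issues exactly one filter shape. It pairs each SRCH with its SEARCH RESULT and reports the three signals the text names: a filter whose structure differs from the application's template, an unescaped wildcard inside an assertion value, and a login search that returned more than one entry.

```python
import re

# Constructed sample lines modelled on OpenLDAP slapd "stats" logging; not a real capture.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="cn=app,ou=svc,dc=example,dc=com" method=128
conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=alice)(userPassword=correct horse))"
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1001 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=*)(userPassword=*))"
conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=312 text=
conn=1001 op=3 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=admin)(|(userPassword=*)(userPassword=x)))"
conn=1001 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1001 op=4 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=bob)(userPassword=hunter2))"
conn=1001 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# Assumed: the application issues exactly one filter shape; anything else is unexpected.
EXPECTED_SKELETON = "(&(uid=?)(userPassword=?))"

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')


def skeleton(filt):
    """Blank every assertion value so only the filter's structure remains."""
    return re.sub(r"=[^()]*", "=?", filt)


def analyze(log_text):
    """Pair each SRCH with its SEARCH RESULT (by conn and op) and flag suspicious pairs."""
    pending = {}
    findings = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        filt = pending.pop(key, None)
        if filt is None:
            continue
        nentries = int(m.group(3))
        reasons = []
        if skeleton(filt) != EXPECTED_SKELETON:
            reasons.append("filter structure differs from the application's template")
        if re.search(r"=[^()]*\*", filt):
            reasons.append("unescaped wildcard inside an assertion value")
        if nentries > 1:
            reasons.append("login search returned %d entries instead of at most 1" % nentries)
        if reasons:
            findings.append({"conn": key[0], "op": key[1], "filter": filt,
                             "nentries": nentries, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("conn=%s op=%s nentries=%d %s" % (f["conn"], f["op"], f["nentries"], f["filter"]))
        for r in f["reasons"]:
            print("    -", r)
```

The two flagged operations show why more than one signal is needed: op=2 has the expected skeleton (a wildcard in value position does not change the structure) and is caught only by the wildcard and result-count checks, while op=3 returns a single entry, exactly like a legitimate login, and is caught only because its structure has an extra OR branch the application never issues.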