LDAP Injection
Description
LDAP injection attacks exploit LDAP queries to influence how data is returned by the LDAP server, or in this case an Active Directory server. It is recommended that all input passed to LDAP querying systems encode the following values: null character, open parenthesis, close parenthesis, asterisk, and backslash.
Examples
Insecure Code
```csharp
using System.DirectoryServices.AccountManagement;

// Untrusted input is assigned directly to the account name used by the directory query.
UserPrincipal u = new UserPrincipal(AD);
u.SamAccountName = userInput;
```
Secure Code
```csharp
using System.DirectoryServices.AccountManagement;

// LDAP metacharacters are encoded before the value reaches the directory query.
string encodedUserName = EncodeLDAPString(userInput);
UserPrincipal u = new UserPrincipal(AD);
u.SamAccountName = encodedUserName;
```
Remediation
Encode user input for LDAP queries using a function like `EncodeLDAPString` to replace special characters.
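As an added illustration (not the rule's own code), the following is one possible implementation of an `EncodeLDAPString` function that escapes the five characters listed above in RFC 4515 `\XX` form, and shows how a search filter built from the same constructed input differs with and without encoding. The `BuildUserFilter` helper and the `(&(objectClass=user)(sAMAccountName=...))` filter shape are assumptions for the example.

```csharp
using System;
using System.Text;

public static class LdapEncoding
{
    // Escapes NUL, '(', ')', '*' and '\' as \XX hex sequences (RFC 4515 filter syntax)
    // so a user-supplied value is always a literal assertion value inside a filter.
    public static string EncodeLDAPString(string input)
    {
        if (input == null) return string.Empty;
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            switch (c)
            {
                // Each character is handled exactly once, so escapes are never double-escaped.
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Hypothetical helper: builds a filter with exactly one sAMAccountName clause.
    public static string BuildUserFilter(string sam) =>
        $"(&(objectClass=user)(sAMAccountName={EncodeLDAPString(sam)}))";
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input containing filter metacharacters.
        string userInput = @"jdoe*)(description=*";

        // Insecure: the raw value is spliced into the filter grammar, so its
        // parentheses and asterisks change the structure of the query.
        string unsafeFilter = $"(&(objectClass=user)(sAMAccountName={userInput}))";
        Console.WriteLine(unsafeFilter);

        // Secure: the encoded value stays a single literal attribute value.
        // The result can be assigned to DirectorySearcher.Filter (System.DirectoryServices).
        Console.WriteLine(LdapEncoding.BuildUserFilter(userInput));
    }
}
```

Values that pass through `EncodeLDAPString` and are later used in a distinguished name rather than a filter need the different escaping rules of RFC 4514, so the filter encoder should not be reused for DN components.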
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0450 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-90 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | LDAP Injection, Active Directory |
| OWASP | A1:2017-Injection, A03:2021-Injection |