LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permission to unauthorized queries and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.
How to solve it
Define practises that reduce the risk and perform better checks to properly sanitize user inputs.
- Escape all variables using the right LDAP encoding function
- Use a framework (for example LINQtoAD) that escapes automatically