Severity: high · CWE-90 · OWASP A03:2021

LDAP Injection

User input inserted into LDAP search filters without escaping, allowing attackers to manipulate directory queries, bypass authentication, or extract sensitive directory data.

How It Works

LDAP filters give special meaning to the characters `*`, `(`, `)`, `\`, and the `NUL` byte. If you build a filter string by concatenating user input, an attacker can supply these characters to change the structure of the query rather than just its value. A login bypass looks like: username = `*)(uid=*))(|(uid=*`, which turns a lookup for one specific uid into a filter that matches every entry.

Vulnerable Code

```typescript
// BAD: user input directly in LDAP filter
const filter = `(uid=${username})`; // username = '*)(uid=*))(|(uid=*'
const result = await ldapClient.search('dc=example,dc=com', { filter });
```

Secure Code

```typescript
// GOOD: escape special LDAP characters before interpolating.
// Each special character becomes a backslash plus its two-digit hex code
// (RFC 4515), e.g. '*' -> '\2a', '(' -> '\28', ')' -> '\29', '\' -> '\5c', NUL -> '\00'.
function escapeLdap(input: string): string {
  return input.replace(/[\\*()\x00]/g, (c) => `\\${c.charCodeAt(0).toString(16).padStart(2, '0')}`);
}
const filter = `(uid=${escapeLdap(username)})`;
```

Real-World Example

Enterprise apps using Active Directory or OpenLDAP for authentication are common targets. An LDAP injection in the login form can allow an attacker to authenticate as any user, including administrators, by manipulating the search filter.

How to Prevent It

  • Escape all special LDAP characters before building filter strings (use ldapjs's built-in escaping)
  • Use parameterized LDAP queries where your library supports them
  • Validate username format (alphanumeric only) before using it in any query
  • Apply principle of least privilege to the LDAP service account used by your app
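The escaping from the Secure Code section and the format check from the list above, combined into one filter builder, as an added example that is not code from the original page. The username allow-list pattern and the unescaped-parenthesis count (a cheap structural check on the finished filter) are assumptions made for this illustration; the bypass string is the one quoted in How It Works.

```typescript
// Characters that change the meaning of a filter (RFC 4515).
const FILTER_SPECIALS = /[\\*()\x00]/g;

// Each special character becomes a backslash followed by two hex digits.
function escapeLdapFilterValue(value: string): string {
  return value.replace(FILTER_SPECIALS, (c) =>
    "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"),
  );
}

// Insecure construction from the page, kept only to compare its output.
function unsafeUidFilter(username: string): string {
  return `(uid=${username})`;
}

// Assumed allow-list for usernames in this example; adjust to your directory's rules.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/;

// Safe construction: escape the value, then interpolate it.
function safeUidFilter(username: string): string {
  return `(uid=${escapeLdapFilterValue(username)})`;
}

// Validation first (reject), escaping second (neutralise whatever is left).
function buildLoginFilter(username: string): string {
  if (!USERNAME_RE.test(username)) {
    throw new Error("username rejected: not in the allowed format");
  }
  return safeUidFilter(username);
}

// Counts parentheses not preceded by a backslash. A filter that should hold
// exactly one equality assertion must report open === 1 and close === 1;
// anything else means the input changed the filter's structure.
function unescapedParenCount(filter: string): { open: number; close: number } {
  let open = 0;
  let close = 0;
  for (let i = 0; i < filter.length; i++) {
    if (filter[i] === "\\") { i++; continue; } // skip the escaped character
    if (filter[i] === "(") open++;
    else if (filter[i] === ")") close++;
  }
  return { open, close };
}

// Constructed demo input: the bypass string from the page.
const BYPASS_INPUT = "*)(uid=*))(|(uid=*";

console.log("unsafe:", unsafeUidFilter(BYPASS_INPUT), unescapedParenCount(unsafeUidFilter(BYPASS_INPUT)));
console.log("safe:  ", safeUidFilter(BYPASS_INPUT), unescapedParenCount(safeUidFilter(BYPASS_INPUT)));
```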

Affected Technologies

Node.js, Python, Java, PHP

Data Hogo detects this vulnerability automatically.
