An attacker attempted to compromise a web form by inserting the following input into the username field:
Which of the following types of attacks was attempted?
LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements based on
user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements
using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to
unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation
techniques available in SQL Injection can be similarly applied in LDAP Injection.
In a page with a user search form, the following code is responsible for capturing the input value and generating an LDAP
query that will be run against the LDAP database.
<input type="text" size=20 name="userName">Insert the username</input>
The LDAP query is narrowed down for performance and the underlying code for this function might be the following:
String ldapSearchQuery = "(cn=" + $userName + ")";
If the variable $userName is not validated, it may be possible to accomplish LDAP injection, as follows:
If a user puts “*” in the search box, the system may return all the usernames in the LDAP base.
If a user puts “jonys) (| (password = * ) )”, it will generate the code below, revealing jonys’ password:
( cn = jonys ) ( | (password = * ) )
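The concatenation above next to a hardened version, as an added example that is not part of the original page: the search value is escaped per RFC 4515 before it is placed in the filter, so the two inputs discussed above are matched as literal text. The class and method names (LdapFilterDemo, unsafeFilter, escapeFilterValue, safeFilter) are hypothetical.

```java
public class LdapFilterDemo {

    // Vulnerable construction, as shown on the page: the raw input is
    // concatenated into the filter, so filter metacharacters change its structure.
    static String unsafeFilter(String userName) {
        return "(cn=" + userName + ")";
    }

    // Escape a value for use inside an LDAP search filter (RFC 4515):
    // backslash, '*', '(', ')' and NUL are replaced by a backslash
    // followed by the two-digit hex code of the character.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened construction: the value can only ever be a literal to compare with cn.
    static String safeFilter(String userName) {
        return "(cn=" + escapeFilterValue(userName) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign name plus the two inputs from the text.
        String[] inputs = { "jonys", "*", "jonys) (| (password = * ) )" };
        for (String in : inputs) {
            System.out.println("input : " + in);
            System.out.println("unsafe: " + unsafeFilter(in));
            System.out.println("safe  : " + safeFilter(in));
            System.out.println();
        }
    }
}
```

With JNDI, passing the value as a filter argument to DirContext.search(name, filterExpr, filterArgs, cons) with a {0} placeholder in filterExpr applies the same escaping without hand-written code.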