The danger of an LDAP injection
LDAP injection is a type of attack on a web application where hackers place code in a user input field in an attempt to gain unauthorized access or information. Like SQL Injection, Java SQL injection or .NET SQL injection, an LDAP injection can lead to information theft, browser or session hijacking, defacement of website and worse.
In LDAP injection uses client-supplied data in LDAP (Lightweight Directory Access Protocol) statements without removing potentially harmful code from the request. When a web application doesn’t adequately sanitize user-supplied input, hackers may be able to change the construction of an LDAP statement which will run with the same permissions as the component that executed the command. An LDAP injection can result in serious security issues if the permissions grant the rights to query, modify or remove anything inside the LDAP tree.
For example, attackers might use an LDAP injection to insert malicious code that allows them to see all the usernames and passwords assigned to a system or to add their names as system administrators. A successful LDAP injection can be a major security breach, causing headaches, damaged reputation and financial losses for the unlucky company.
Prevent LDAP injection with Veracode
Veracode, a leader in cloud application security solutions, provides comprehensive, SaaS-based testing services available on demand to combat LDAP injection and other threats such as reflected XSS and SQL attacks. Veracode testing services can be integrated into every stage of the software development lifecycle (SDLC) and the agile testing process, helping developers and organizations to improve application security while reducing costs and accelerating development timelines.
Preventing LDAP injection requires defensive programming, sophisticated input validation, dynamic checks and static source code analysis. Incoming data validation can clean client-supplied data of any characters or scripts that could possibly be malicious. Outgoing data validation validates all data returned to the user as an added layer of security. And LDAP configuration implements tight access control on the data in the LDAP directory.
Veracode’s solutions can help with each of these approaches.
Comprehensive services for combating LDAP injection attacks
Veracode’s testing solutions for preventing LDAP injection include:
- Veracode Static Analysis IDE Scan, a service that scans in background as developers write code and provides immediate feedback to prevent errors in coding.
- Static Analysis, a service that scans binaries and identifies security flaws in a variety of major frameworks and languages to prevent LDAP injection in code that is written, purchased or assembled.
- Web Application Scanning, a tool for identifying LDAP injection in websites and web applications.
- Software Composition Analysis, for scanning open source code for vulnerabilities.
- Vendor Application Security Testing, for evaluating security risks in third-party applications.