Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services.
LDAP Injection is an attack technique used to exploit websites that construct LDAP statements from user-supplied input. Web applications may use user-supplied input to create custom LDAP statements for dynamic web page requests. When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of an LDAP statement. When an attacker is able to modify an LDAP statement, the process runs with the same permissions as the component that executed the command (e.g. database server, web application server, web server, etc.). This can cause serious security problems where those permissions grant the rights to query, modify or remove anything inside the LDAP tree. The advanced exploitation techniques available in SQL Injection can also be applied to LDAP Injection, and the vulnerability is remediated in similar ways.
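As an added illustration (example code, not from the original page), the following contrasts a filter built by string concatenation with one whose values are escaped per RFC 4515 and validated against an allowlist; the attribute names, the search filter and the sample inputs are constructed for the example.

```python
# Added example: vulnerable vs. hardened LDAP search-filter construction.
# The filter shape and the sample inputs below are constructed for illustration.
import re

def build_filter_unsafe(username: str) -> str:
    # Vulnerable: user input is concatenated straight into the filter, so
    # characters such as ( ) * \ change the filter's structure, not just its value.
    return f"(&(objectClass=person)(uid={username}))"

def escape_filter_value(value: str) -> str:
    # RFC 4515 value escaping: backslash, *, (, ) and NUL become \XX hex escapes.
    # Production code should use the LDAP library's own helper (for example
    # ldap.filter.escape_filter_chars in python-ldap) rather than a hand-rolled one.
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def is_valid_username(username: str) -> bool:
    # Allowlist validation: only the characters a real username may contain.
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", username) is not None

def build_filter_safe(username: str) -> str:
    # Hardened: reject unexpected input up front, then escape whatever remains
    # so it can only ever be interpreted as an attribute value.
    if not is_valid_username(username):
        raise ValueError("username contains characters outside the allowlist")
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"

def count_assertions(ldap_filter: str) -> int:
    # Structural check: the number of opening parentheses tells you how many
    # filter components were produced. Our template should always yield 3.
    return ldap_filter.count("(")

if __name__ == "__main__":
    benign, hostile = "alice.smith", "*)(uid=*"   # constructed sample inputs
    print(build_filter_unsafe(benign), count_assertions(build_filter_unsafe(benign)))
    # The hostile input turns one uid assertion into two and matches every person.
    print(build_filter_unsafe(hostile), count_assertions(build_filter_unsafe(hostile)))
    # Escaping alone keeps the structure intact; the allowlist rejects it outright.
    print(escape_filter_value(hostile))
    try:
        build_filter_safe(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the block shows the unsafe builder producing four filter components from the hostile input while the escaped form stays at three.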
For more information, head to the OWASP LDAP Injection Prevention Cheat Sheet.