Severity: Critical | OWASP A03:2021 Injection | CWE-90

LDAP Injection

Unsanitized input in LDAP search filters enables authentication bypass, directory enumeration, and data extraction from enterprise directory services.

What Is LDAP Injection?

LDAP Injection occurs when user input is concatenated directly into LDAP search filter strings without proper sanitization. Attackers can modify the filter logic to bypass authentication, enumerate users, or extract sensitive directory information.

How It Works

Authentication Bypass

A login form builds this LDAP filter by interpolating both fields:

(&(uid={username})(password={password}))

Submitting *)(&)) as the username and anything as the password produces:

(&(uid=*)(&))(password=anything))

The first complete filter, (&(uid=*)(&)), is an AND of a wildcard match on uid and the absolute-true filter (&) defined in RFC 4526, so it matches every entry that has a uid. Directory servers that evaluate only the first complete filter and ignore the trailing (password=anything)) never see the password check, and the application logs the attacker in as whichever matching entry it takes first from the result set. Strict servers reject the malformed filter instead, so this variant depends on the directory implementation behind the form.

User Enumeration

username: *)(uid=*))(|(uid=*

With the password field set to x this yields (&(uid=*)(uid=*))(|(uid=*)(password=x)). The first complete filter, (&(uid=*)(uid=*)), matches all users; if the application returns or reflects the result set, the whole directory can be listed. Where only a yes/no response comes back, prefix probes such as a*, b*, ... in place of the wildcard still let an attacker enumerate usernames one character at a time.

Real-World Impact

  • Full authentication bypass — login as any user without knowing their password
  • Directory enumeration — extract all usernames, emails, and group memberships
  • Privilege escalation — authenticate as admin accounts
  • Data exfiltration — read sensitive attributes (phone numbers, addresses, organizational data)

How to Fix

Escape the LDAP filter metacharacters (backslash, *, parentheses and NUL, per RFC 4515) in every user-supplied value before the filter string is assembled. With python-ldap:

import ldap.filter

# escape_filter_chars rewrites \ * ( ) and NUL as \5c \2a \28 \29 \00
safe_username = ldap.filter.escape_filter_chars(username)
safe_password = ldap.filter.escape_filter_chars(password)
filter_str = f"(&(uid={safe_username})(password={safe_password}))"

Where the library offers it, prefer a filter-formatting helper that escapes the arguments for you instead of escaping by hand: python-ldap's ldap.filter.filter_format takes a template with %s placeholders and a list of values, and JNDI's DirContext.search accepts a filter expression with {0}, {1}, ... placeholders plus a filterArgs array. Verifying the password by binding as the matched entry's DN, rather than comparing it inside a search filter, keeps the password out of the filter altogether.

Validate input against a strict allowlist (for usernames, typically alphanumerics plus a short list of punctuation such as . _ -) before any filter is built, and reject rather than strip anything else. Note that filter escaping (RFC 4515) is not the same as DN escaping (RFC 4514): a value that ends up in a distinguished name needs DN escaping, not filter escaping.

What VibeWShield Detects

VibeWShield's LDAP Injection scanner tests login forms with three payloads: filter syntax breaks (*)(&), wildcard enumeration, and authentication bypass attempts. Detection is based on LDAP error signatures in responses or differential analysis between baseline and injected requests.

Tags: ldap-injection, authentication-bypass, injection, directory-services

Free security scan

Test your app for LDAP Injection

VibeWShield automatically checks for LDAP Injection and 40+ other vulnerabilities using 63 scanners — in under 3 minutes, no signup required.
