
LDAP Injection

Need

To prevent unauthorized data access and manipulation through LDAP Injection attacks

Context

  • Usage of Elixir (v1.11+) with Erlang/OTP (v23+)
  • Usage of eldap library for LDAP operations in Erlang

Description

Non compliant code

defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  def index(conn, %{"username" => username}) do
    # :eldap.open/1 returns {:ok, handle}; every later eldap call needs that handle
    {:ok, handle} = :eldap.open(['ldap.example.com'])
    # The username from the request goes straight into the search filter
    search_filter = :eldap.substrings('uid', initial: String.to_charlist(username))
    {:ok, result} = :eldap.search(handle, base: 'ou=Users,dc=example,dc=com', filter: search_filter)
    :eldap.close(handle)
    # result is an Erlang record; its second element is the list of entries
    json(conn, Enum.map(elem(result, 1), &entry_to_map/1))
  end

  # eldap entries are records holding charlists; convert them to JSON-friendly maps
  defp entry_to_map({:eldap_entry, dn, attrs}) do
    %{"dn" => to_string(dn),
      "attributes" => Map.new(attrs, fn {k, v} -> {to_string(k), Enum.map(v, &to_string/1)} end)}
  end
end

In this insecure code, the Elixir application accepts a username from the request parameters and places it directly in the LDAP search filter without any validation. This can be exploited for an LDAP Injection attack, leading to unauthorized data access or manipulation.

Steps

  • Don't use user input directly in LDAP queries.
  • Sanitize user input before using it in a query.
  • Use parameterized queries or prepared statements if available.

Compliant code

defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  def index(conn, %{"username" => username}) do
    {:ok, handle} = :eldap.open(['ldap.example.com'])
    # Strip the filter grouping characters before the value reaches the query
    username = username |> String.replace("(", "") |> String.replace(")", "")
    search_filter = :eldap.substrings('uid', initial: String.to_charlist(username))
    {:ok, result} = :eldap.search(handle, base: 'ou=Users,dc=example,dc=com', filter: search_filter)
    :eldap.close(handle)
    json(conn, Enum.map(elem(result, 1), &entry_to_map/1))
  end

  # eldap entries are records holding charlists; convert them to JSON-friendly maps
  defp entry_to_map({:eldap_entry, dn, attrs}) do
    %{"dn" => to_string(dn),
      "attributes" => Map.new(attrs, fn {k, v} -> {to_string(k), Enum.map(v, &to_string/1)} end)}
  end
end

In this secure code, the application sanitizes the user input by removing the LDAP filter grouping characters '(' and ')' before the value is placed in the search filter.
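The steps above ask for input that is never used raw and is sanitized before it reaches the query. Removing '(' and ')' covers the grouping characters only; other filter metacharacters such as '*', '\' and NUL pass through untouched. The following is an added example, not code from the page or from eldap, of the two controls a practitioner would pair: an allowlist check that rejects any username outside a conservative alphabet (the control that holds no matter how the filter is later built), and an RFC 4515 escape routine for the case where a filter is assembled as a string. The module name `MyApp.LdapInput`, the allowlist pattern, the service-account bind DN and password, the `lookup_user/1` helper and the HTTP status codes are assumptions.

```elixir
defmodule MyApp.LdapInput do
  # Assumed helper module (not part of eldap or the page): input controls for
  # values that end up inside LDAP search filters.

  # Allowlist for usernames: letters, digits, dot, underscore, hyphen, 1..64 chars.
  # Anything else (including '*', '(', ')', '\\' and NUL) is rejected outright.
  defp username_re, do: ~r/\A[A-Za-z0-9._-]{1,64}\z/

  @spec validate_username(term()) :: {:ok, String.t()} | {:error, :invalid_username}
  def validate_username(username) when is_binary(username) do
    if Regex.match?(username_re(), username),
      do: {:ok, username},
      else: {:error, :invalid_username}
  end

  def validate_username(_other), do: {:error, :invalid_username}

  # Escape per RFC 4515 section 3 for values concatenated into a string-form
  # filter such as "(uid=" <> value <> ")": each of '*', '(', ')', '\\' and NUL
  # becomes a backslash followed by two hex digits (e.g. '*' -> "\\2a").
  @spec escape_filter_value(String.t()) :: String.t()
  def escape_filter_value(value) when is_binary(value) do
    for <<byte <- value>>, into: "" do
      if byte in [?*, ?(, ?), ?\\, 0] do
        "\\" <> String.downcase(String.pad_leading(Integer.to_string(byte, 16), 2, "0"))
      else
        <<byte>>
      end
    end
  end
end

defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  alias MyApp.LdapInput

  # Hypothetical service-account credentials; real deployments read them from config.
  @bind_dn 'cn=app-reader,ou=Services,dc=example,dc=com'
  @bind_pw 'placeholder-password'

  def index(conn, %{"username" => username}) do
    with {:ok, safe_username} <- LdapInput.validate_username(username),
         {:ok, entries} <- lookup_user(safe_username) do
      json(conn, Enum.map(entries, &entry_to_map/1))
    else
      {:error, :invalid_username} ->
        conn |> put_status(400) |> json(%{"error" => "invalid username"})

      {:error, _reason} ->
        conn |> put_status(502) |> json(%{"error" => "directory lookup failed"})
    end
  end

  # The validated value is handed to eldap's structured filter builder. An
  # equality match replaces the prefix match so a one-character input cannot
  # enumerate every account whose uid starts with that character.
  defp lookup_user(safe_username) do
    case :eldap.open(['ldap.example.com']) do
      {:ok, handle} ->
        try do
          with :ok <- :eldap.simple_bind(handle, @bind_dn, @bind_pw),
               filter = :eldap.equalityMatch('uid', String.to_charlist(safe_username)),
               {:ok, result} <- :eldap.search(handle,
                                  base: 'ou=Users,dc=example,dc=com',
                                  scope: :eldap.singleLevel(),
                                  filter: filter) do
            # second element of the eldap_search_result record is the entry list
            {:ok, elem(result, 1)}
          end
        after
          # close the connection whether bind or search succeeded or not
          :eldap.close(handle)
        end

      {:error, reason} ->
        {:error, reason}
    end
  end

  defp entry_to_map({:eldap_entry, dn, attrs}) do
    %{
      "dn" => to_string(dn),
      "attributes" => Map.new(attrs, fn {k, v} -> {to_string(k), Enum.map(v, &to_string/1)} end)
    }
  end
end
```

Rejected input never reaches the directory at all, which is why the allowlist is checked first and the escape routine is only needed on the string-building path. A failed bind or search surfaces as a generic 502 rather than the raw eldap error, so directory internals are not echoed back to the caller.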

References