Skip to main content

LDAP injection

Need

Prevention of LDAP injection attacks

Context

  • Usage of Python 3 for writing and executing Python code
  • Usage of django-auth-ldap for integrating LDAP authentication with Django

Description

Non compliant code

from django_auth_ldap.backend import LDAPBackend

def authenticate(request):
    username = request.POST['username']
    password = request.POST['password']

    backend = LDAPBackend()
    user = backend.authenticate(request, username=username, password=password)

    if user is not None:
        login(request, user)
    else:
        return HttpResponse("Invalid credentials")

This code snippet is a simple authentication function in a Django application. It uses the django_auth_ldap library to authenticate users against an LDAP server. The function retrieves the username and password from the HTTP POST request and passes them to the authenticate method of the LDAPBackend class.

The problem here is that the username and password are directly taken from the user input and are not sanitized before being used to construct the LDAP query. This means that if the user input contains special characters that are meaningful in an LDAP query, it could modify the query in unexpected ways. This is known as an LDAP injection vulnerability.

For example, if the username is admin)(uid=*))(|(uid=*, it would return all users since the query becomes (uid=admin)(uid=*))(|(uid=*), which is always true. This could allow an attacker to bypass the authentication mechanism entirely.

Moreover, if the user input contains characters that cause a syntax error in the LDAP query, it could lead to a Denial of Service (DoS) attack by causing the LDAP server to return an error instead of a valid response.

The vulnerability could be exploited to bypass authentication, disclose sensitive information, modify data on the LDAP server, or even execute arbitrary commands on the server in some cases.

Steps

  • Sanitize the input data: Ensure that the input data from the user is properly sanitized and validated before it is used in the LDAP query. This can be done by using regular expressions to check for and remove any special characters or LDAP control characters from the input.
  • Use parameterized queries: Instead of concatenating user input directly into the LDAP query, use parameterized queries. This ensures that the user input is always treated as literal data and not part of the query syntax.
  • Implement proper error handling: Do not reveal detailed error messages to the user as they can provide clues to an attacker about the structure of your LDAP query.
  • Use least privilege principle: The LDAP connection should have the least privileges necessary to perform its required function. This can limit the potential damage of an LDAP injection attack.
  • Use a Web Application Firewall (WAF): A WAF can help to detect and block LDAP injection attacks.

Compliant code

from django_auth_ldap.backend import LDAPBackend
import re

def sanitize_input(input_string):
    # Remove special characters
    sanitized_string = re.sub(r'[^\\w\\s]', '', input_string)
    return sanitized_string

def authenticate(request):
    username = sanitize_input(request.POST['username'])
    password = sanitize_input(request.POST['password'])

    backend = LDAPBackend()
    user = backend.authenticate(request, username=username, password=password)

    if user is not None:
        login(request, user)
    else:
        return HttpResponse("Invalid credentials")

The updated code includes a function sanitize_input that uses a regular expression to remove any special characters from the input. This function is used to sanitize the username and password before they are used in the LDAP query.

The sanitize_input function uses the re.sub function to replace any character that is not a word character (a-z, A-Z, 0-9, _) or a whitespace character with an empty string. This effectively removes any special characters or LDAP control characters from the input.

The authenticate function then uses the sanitized username and password to authenticate the user. If the authentication is successful, the user is logged in. If the authentication fails, a response with the message "Invalid credentials" is returned.

This code follows the principle of least privilege by only allowing the LDAP connection to authenticate users and not perform any other actions. It also does not reveal any detailed error messages to the user.

In addition to these code changes, it is recommended to use a Web Application Firewall (WAF) to detect and block LDAP injection attacks.

References

Last updated on