The Lightweight Directory Access Protocol (LDAP) is a standard application layer protocol in the Internet Protocol (IP) Suite used for accessing and maintaining distributed directory information services over a network. This is achieved by the protocol's methods to query and manipulate these directory services. Directory services are integral in setting up an Intranet and internet applications through allowing the sharing of the user, system, network, service, and application information on the network. For example, a corporate email for an organization and a telephone directory are both only achievable through directory services. As such, these records are always stored in an organized and often hierarchical structure.

With that in mind, an LDAP Injection is an attack technique which exploits websites which use LDAP statements supplied by the user. This is accomplished whenever a web page does not properly sanitize user-input and the attacker manipulates the LDAP statement for some malicious action. These attacks can cause serious security issues as the statement will be processed with the same permissions as the component that executed it such as a database server, a web application server, etc. As such, it is possible for the attacker to gain rights to query, modify, or even remove data in the LDAP tree.

Mitigation

As LDAP Injection is simple in nature, it is also very straightforward and equally as simple to mitigate these attacks. As mentioned before, the attacks are only possible when user-input is not properly sanitized and cleaned to prevent code injection. Therefore; having developers do their due diligence when designing systems which use the protocol and ensuring they sanitize and clean user-input with the right escape characters before using it will definitely prevent the injection-type attack. They should also pay close attention to the type of escaping used as there are different types depending on if the user input is used to create a Distinguished Name (DN) or as part of the search filter.