
LDAP Injection

User input is concatenated into an LDAP search filter such as (uid=<input>), and an attacker who supplies filter metacharacters (parentheses, *, &, |, \) changes the structure of the filter rather than just the value being matched. Most common in legacy auth flows that bind or search against a directory with the submitted username.

What it catches

Sample payload

// Before: the login username exactly as received
"admin)(&(password=*))"

// After: sanitizeLdapFilter applies RFC 4515 escaping, turning each
// metacharacter into a backslash plus two hex digits (shown as a JS
// string literal, so every "\\" is a single backslash on the wire)
"admin\\29\\28\\26\\28password=\\2A\\29\\29"

// In block mode the request is rejected instead of sanitized:
// 403, vector=ldap, rule=patterns.ldap.filter-metacharacter

Configuration

import { sanitizeLdapFilter, sanitizeLdapDn } from '@arcis/node';

// Escape a value that will be placed inside a filter assertion, e.g. (uid=...)
const safe = sanitizeLdapFilter(username);

// Escape a value that will be placed inside a distinguished name, e.g. cn=...,ou=...
// DN values follow different escaping rules from filter values, so use the matching call.
const safeDn = sanitizeLdapDn(dn);

Disable

The detector is opt-in: it runs only where you call sanitizeLdapFilter (or sanitizeLdapDn) while building an LDAP filter or DN, so the way to leave a code path unprotected is simply not to call it there. There is no global setting to disable it.

References