Conference: International Conference on Collaboration Technologies and Systems

Classification of Lightweight Directory Access Protocol query injection attacks and mitigation techniques


Abstract

The Lightweight Directory Access Protocol (LDAP) is used in a large number of web applications, and therefore different types of LDAP injection attacks are becoming common. These injection attacks take advantage of an application that does not validate inputs before they are used as part of LDAP queries. An attacker can provide inputs that may alter the intended LDAP query structure. The attacks can lead to various types of security breaches, including Login Bypassing, Information Disclosure, Privilege Escalation, and Information Alteration. Despite many research efforts to prevent LDAP injection attacks, many web applications remain vulnerable to such attacks. In particular, little attention has been given to implementing and testing secure web applications that can mitigate LDAP query injection attacks. More attention has been given to preventing Structured Query Language (SQL) injection attacks, but these mitigation techniques cannot be directly applied to prevent LDAP injection attacks. This work provides an analysis and classification of various types of LDAP injection attacks and of the mitigation techniques used to prevent them, and it highlights the differences between SQL and LDAP injection attacks.
