LDAP injection is a type of security exploit that is used to compromise the authentication process used by some websites. Websites that construct Lightweight Directory Access Protocol statements from data provided by users are vulnerable to this type of attack.
LDAP directories store information, known as objects, for people, servers, printers, and roles. If the directory is used for website authentication, the attacker can enter malicious code into a user input field, gain unauthorized access to the directory and view or change usernames and passwords.
LDAP injection works in much the same manner as SQL injection, a type of security exploit in which the attacker adds SQL (Structured Query Language) code to a Web form. Both types of attacks primarily occur due to missing or weak input validation that does not reject malformed input or strip malicious LDAP control characters before including untrusted user input in a query.
According to security experts, the main reason that LDAP injection and similar exploits work is the fact that security is not sufficiently emphasized during the application development process. To protect the integrity of Web sites that use forms, experts recommend implementing a sanitization process to control the types and numbers of characters that can be accepted by input boxes as well as the use of multi-factor authentication (MFA) for public-facing web applications.sample code