LDAP Injection
Need
To prevent unauthorized data access and manipulation through LDAP Injection attacks
Context
• Usage of Elixir (v1.11+) with Erlang/OTP (v23+)
• Usage of eldap library for LDAP operations in Erlang
Description
1. Non-compliant code
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  def index(conn, %{"username" => username}) do
    # eldap expects hosts and DNs as charlists and returns a connection handle
    {:ok, handle} = :eldap.open(['ldap.example.com'])
    # The raw username goes straight into the filter
    search_filter = {:substrings, 'uid', [{:initial, username}]}
    {:ok, result} = :eldap.search(handle, base: 'ou=Users,dc=example,dc=com', filter: search_filter)
    json(conn, result)
  end
end

In this insecure code, the Elixir application accepts a username from user input and uses it directly in an LDAP query. This can be exploited for an LDAP Injection attack, leading to unauthorized data access or manipulation.
2. Steps
• Don't use user input directly in LDAP queries.
• Sanitize user input before using it in a query.
• Use parameterized queries or prepared statements if available.
3. Secure code example
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  def index(conn, %{"username" => username}) do
    {:ok, handle} = :eldap.open(['ldap.example.com'])
    # Strip the parentheses that could alter the structure of an LDAP filter
    username = username |> String.replace("(", "") |> String.replace(")", "")
    search_filter = {:substrings, 'uid', [{:initial, username}]}
    {:ok, result} = :eldap.search(handle, base: 'ou=Users,dc=example,dc=com', filter: search_filter)
    json(conn, result)
  end
end

In this secure code, the application first sanitizes the user input by removing the parentheses '(' and ')', which are the characters an LDAP Injection attack relies on to alter the filter structure. Only the sanitized input is then used in the LDAP query.
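Beyond stripping parentheses, the following added example (not code from the original guideline) rejects any username outside a strict allow-list before it reaches the filter, builds the filter with eldap's own constructor instead of a hand-written tuple, and binds with a read-only account; the host, base DN, bind credentials and the LDAPS setting are assumptions.

```elixir
defmodule MyApp.LdapUsers do
  # Added example, not from the original guideline: validate the username
  # against an allow-list before it is used in a filter, build the filter with
  # eldap's own constructor, and bind with a read-only account.
  # Host, base DN and bind credentials are placeholders.

  @host 'ldap.example.com'
  @base 'ou=Users,dc=example,dc=com'
  @bind_dn 'cn=reader,ou=Services,dc=example,dc=com'
  @bind_pw 'placeholder-password'

  # Allow-list: 1 to 64 characters drawn from a conservative set. Anything
  # else (parentheses, '*', '\\', NUL, whitespace, ...) is rejected outright
  # instead of being partially cleaned.
  @username_re ~r/\A[A-Za-z0-9._-]{1,64}\z/

  def validate_username(username) when is_binary(username) do
    if Regex.match?(@username_re, username),
      do: {:ok, username},
      else: {:error, :invalid_username}
  end

  def validate_username(_other), do: {:error, :invalid_username}

  # An equality match on uid built through eldap's API; the value is passed
  # as a charlist, which is what eldap's ASN.1 encoder expects.
  def uid_filter(username), do: :eldap.equalityMatch('uid', to_charlist(username))

  # Returns {:ok, search_result} or {:error, reason}. Input that fails
  # validation is refused before any connection is opened.
  def find_user(username) do
    with {:ok, safe} <- validate_username(username),
         {:ok, handle} <- :eldap.open([@host], ssl: true) do
      try do
        with :ok <- :eldap.simple_bind(handle, @bind_dn, @bind_pw) do
          :eldap.search(handle,
            base: @base,
            scope: :eldap.singleLevel(),
            filter: uid_filter(safe),
            attributes: ['uid', 'cn', 'mail']
          )
        end
      after
        :eldap.close(handle)
      end
    end
  end
end

# MyApp.LdapUsers.validate_username("alice")   #=> {:ok, "alice"}
# MyApp.LdapUsers.validate_username("ali(ce)") #=> {:error, :invalid_username}
```

The controller can call `find_user/1` and return a 400 on `{:error, :invalid_username}`, so a rejected value never produces a query at all.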
References
• 107. LDAP Injection