LDAP injection
Need
Prevention of LDAP injection attacks
Context
• Usage of Python 3 for writing and executing Python code
• Usage of django-auth-ldap for integrating LDAP authentication with Django
Description
1. Non compliant code
from django_auth_ldap.backend import LDAPBackend
def authenticate(request):
    username = request.POST['username']
    password = request.POST['password']
    backend = LDAPBackend()
...This code snippet is a simple authentication function in a Django application. It uses the `django_auth_ldap` library to authenticate users against an LDAP server. The function retrieves the username and password from the HTTP POST request and passes them to the `authenticate` method of the `LDAPBackend` class. The problem here is that the username and password are directly taken from the user input and are not sanitized before being used to construct the LDAP query. This means that if the user input contains special characters that are meaningful in an LDAP query, it could modify the query in unexpected ways. This is known as an LDAP injection vulnerability. For example, if the username is `admin)(uid=*))(|(uid=*`, it would return all users since the query becomes `(uid=admin)(uid=*))(|(uid=*)`, which is always true. This could allow an attacker to bypass the authentication mechanism entirely. Moreover, if the user input contains characters that cause a syntax error in the LDAP query, it could lead to a Denial of Service (DoS) attack by causing the LDAP server to return an error instead of a valid response. The vulnerability could be exploited to bypass authentication, disclose sensitive information, modify data on the LDAP server, or even execute arbitrary commands on the server in some cases.
2. Steps
• Sanitize the input data: Ensure that the input data from the user is properly sanitized and validated before it is used in the LDAP query. This can be done by using regular expressions to check for and remove any special characters or LDAP control characters from the input.
• Use parameterized queries: Instead of concatenating user input directly into the LDAP query, use parameterized queries. This ensures that the user input is always treated as literal data and not part of the query syntax.
• Implement proper error handling: Do not reveal detailed error messages to the user as they can provide clues to an attacker about the structure of your LDAP query.
• Use least privilege principle: The LDAP connection should have the least privileges necessary to perform its required function. This can limit the potential damage of an LDAP injection attack.
• Use a Web Application Firewall (WAF): A WAF can help to detect and block LDAP injection attacks.
3. Secure code example
from django_auth_ldap.backend import LDAPBackend
import re
def sanitize_input(input_string):
    # Remove special characters
    sanitized_string = re.sub(r'[^\\w\\s]', '', input_string)
    return sanitized_string
def authenticate(request):...The updated code includes a function `sanitize_input` that uses a regular expression to remove any special characters from the input. This function is used to sanitize the `username` and `password` before they are used in the LDAP query. The `sanitize_input` function uses the `re.sub` function to replace any character that is not a word character (a-z, A-Z, 0-9, _) or a whitespace character with an empty string. This effectively removes any special characters or LDAP control characters from the input. The `authenticate` function then uses the sanitized `username` and `password` to authenticate the user. If the authentication is successful, the user is logged in. If the authentication fails, a response with the message "Invalid credentials" is returned. This code follows the principle of least privilege by only allowing the LDAP connection to authenticate users and not perform any other actions. It also does not reveal any detailed error messages to the user. In addition to these code changes, it is recommended to use a Web Application Firewall (WAF) to detect and block LDAP injection attacks.
References
• 107. LDAP injection