Python LDAP Search Injection
Description
Detects LDAP injection vulnerabilities in Python code where user input could be used unsafely in LDAP search queries. This creates a risk where attackers can manipulate LDAP search filters to access or modify unauthorized directory data.
Detection Strategy
• Monitor calls to LDAP search functions in Python code
• Check if search filter parameters contain user-controlled or tainted input
• Flag cases where input is used directly in LDAP queries without proper sanitization or escaping
• Report vulnerability when dangerous expressions are found in LDAP search operations
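The four steps above, carried out on source code as an added example that is not Fluid Attacks' own detector: a small Python AST scanner that walks every function, marks names assigned from Flask request data (`request.args`, `request.form` and similar) as tainted, follows that taint through concatenation, `%`-formatting, `.format()` and f-strings, treats a call to `escape_filter_chars` as a sanitizer, and reports any python-ldap `search*` call whose filter argument (third positional argument or `filterstr=`) is still tainted. The method and attribute names are assumptions for this example; the three sample sources are constructed here (the page's two snippets with a search call added, imports omitted, plus an f-string variant).

```python
import ast

# python-ldap search methods and the Flask request attributes treated as taint sources
# (names assumed for this example; extend them for other frameworks or LDAP clients).
LDAP_SEARCH_METHODS = {"search", "search_s", "search_st", "search_ext", "search_ext_s"}
REQUEST_SOURCES = {"args", "form", "values", "json", "cookies", "headers"}
ESCAPERS = {"escape_filter_chars"}   # a call to one of these sanitizes its argument

def _call_name(call):
    """Bare name of the callee: ldap.filter.escape_filter_chars(x) -> 'escape_filter_chars'."""
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    return call.func.id if isinstance(call.func, ast.Name) else None

def _is_request_source(node):
    """Match request.args['x'], request.form.get('x') and similar reads of request data."""
    if isinstance(node, ast.Subscript):
        node = node.value
    elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "get":
        node = node.func.value
    return (isinstance(node, ast.Attribute) and node.attr in REQUEST_SOURCES
            and isinstance(node.value, ast.Name) and node.value.id == "request")

def _tainted(node, tainted_names):
    """True if the expression carries request input that never went through an escaper."""
    if isinstance(node, ast.Call) and _call_name(node) in ESCAPERS:
        return False
    if _is_request_source(node):
        return True
    if isinstance(node, ast.Name):
        return node.id in tainted_names
    if isinstance(node, ast.BinOp):        # "(uid=" + user + ")"  or  "(uid=%s)" % user
        return _tainted(node.left, tainted_names) or _tainted(node.right, tainted_names)
    if isinstance(node, ast.JoinedStr):    # f"(uid={user})"
        return any(_tainted(v.value, tainted_names)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.Call):         # "(uid={})".format(user), user.strip(), ...
        parts = list(node.args) + [kw.value for kw in node.keywords]
        if isinstance(node.func, ast.Attribute):
            parts.append(node.func.value)  # taint on the receiver propagates too
        return any(_tainted(p, tainted_names) for p in parts)
    return False

def _filter_argument(call):
    """python-ldap search signature: search*(base, scope, filterstr=..., ...)."""
    if len(call.args) > 2:
        return call.args[2]
    return next((kw.value for kw in call.keywords if kw.arg == "filterstr"), None)

def scan(source):
    """One finding per LDAP search whose filter is built from unescaped request input."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted, changed = set(), True
        while changed:   # flow-insensitive taint propagation through assignments, to a fixed point
            changed = False
            for node in ast.walk(func):
                if (isinstance(node, ast.Assign) and len(node.targets) == 1
                        and isinstance(node.targets[0], ast.Name)
                        and node.targets[0].id not in tainted
                        and _tainted(node.value, tainted)):
                    tainted.add(node.targets[0].id)
                    changed = True
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr in LDAP_SEARCH_METHODS):
                filt = _filter_argument(node)
                if filt is not None and _tainted(filt, tainted):
                    findings.append({"function": func.name, "line": node.lineno,
                                     "method": node.func.attr})
    return findings

# Constructed inputs: the page's two snippets completed with a search call (imports
# omitted), plus an f-string variant. Base DNs are placeholders.
VULNERABLE_SRC = '''
def vulnerable_ldap(conn):
    username = request.args['username']
    search_filter = "(uid=" + username + ")"
    return conn.search_s("ou=people,dc=example,dc=test", ldap.SCOPE_SUBTREE, search_filter)
'''
SECURE_SRC = '''
def secure_ldap(conn):
    username = ldap.filter.escape_filter_chars(request.args['username'])
    search_filter = "(uid=" + username + ")"
    return conn.search_s("ou=people,dc=example,dc=test", ldap.SCOPE_SUBTREE, filterstr=search_filter)
'''
FSTRING_SRC = '''
def lookup(conn, scope):
    user = request.form.get("user", "")
    return conn.search_ext_s("dc=example,dc=test", scope, f"(&(objectClass=person)(cn={user}))")
'''
```

`scan(VULNERABLE_SRC)` and `scan(FSTRING_SRC)` each return one finding naming the function, line and search method; `scan(SECURE_SRC)` returns an empty list because the only request value passed through the escaper before it was concatenated. The propagation is deliberately flow-insensitive (a name once tainted stays tainted for the whole function), which errs on the side of reporting; a production rule would add flow sensitivity and cover the non-Flask sources it supports.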
Vulnerable code example
from flask import request
import ldap

def vulnerable_ldap():
    username = request.args['username']
    # VULNERABLE: Direct string concatenation of user input in LDAP filter
    search_filter = "(uid=" + username + ")"
    # The unescaped filter reaches the directory search (server and base DN are placeholders)
    conn = ldap.initialize("ldap://<ldap-server>")
    return conn.search_s("<base-dn>", ldap.SCOPE_SUBTREE, search_filter)

✅ Secure code example
from flask import request
import ldap
import ldap.filter

def secure_ldap():
    # Escape special characters to prevent LDAP injection
    username = ldap.filter.escape_filter_chars(request.args['username'])
    search_filter = "(uid=" + username + ")"
    # Only the escaped value reaches the search (server and base DN are placeholders)
    conn = ldap.initialize("ldap://<ldap-server>")
    return conn.search_s("<base-dn>", ldap.SCOPE_SUBTREE, search_filter)
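What the escaping step buys, as an added example that is neither the page's code nor python-ldap's: a hand-written RFC 4515 value escaper (it encodes the same characters `escape_filter_chars` escapes by default: backslash, `*`, `(`, `)` and NUL), the filter builder from the vulnerable snippet beside the one from the secure snippet, and a helper that counts filter components so the structural difference is measurable. The sample input is constructed.

```python
# Added example. Not python-ldap's escape_filter_chars, but the same RFC 4515 encoding:
# each metacharacter becomes a backslash followed by its two-digit hex code.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def rfc4515_escape(value: str) -> str:
    """Escape every filter metacharacter so the value cannot change filter structure."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)

def unsafe_uid_filter(username: str) -> str:
    """Filter built by plain concatenation, as in the vulnerable snippet above."""
    return "(uid=" + username + ")"

def safe_uid_filter(username: str) -> str:
    """Filter built from the escaped value, as in the secure snippet above."""
    return "(uid=" + rfc4515_escape(username) + ")"

def assertion_count(filter_str: str) -> int:
    """Number of filter components: '(' characters not preceded by a backslash.
    Sufficient for strings produced here, where a literal backslash is always \\5c."""
    return sum(1 for i, ch in enumerate(filter_str)
               if ch == "(" and (i == 0 or filter_str[i - 1] != "\\"))

# Constructed input carrying filter metacharacters, alongside an ordinary username.
UNTRUSTED = "*)(objectClass=*"
ORDINARY = "alice"

if __name__ == "__main__":
    for value in (ORDINARY, UNTRUSTED):
        unsafe, safe = unsafe_uid_filter(value), safe_uid_filter(value)
        print(f"{value!r}: unsafe={unsafe} [{assertion_count(unsafe)} components] "
              f"safe={safe} [{assertion_count(safe)} component(s)]")
```

For the ordinary username both builders produce `(uid=alice)`. For the constructed input the concatenated filter becomes `(uid=*)(objectClass=*)`, two components where the code intended one, while the escaped version stays a single `uid` equality match whose value happens to contain the text `\2a\29\28objectClass=\2a`. That difference in component count is exactly what the detection rule above is looking for in code that skips the escaper.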