LDAP Injection

  • Risk: High
  • Type: Active
Summary
LDAP Injection may be possible. If user-supplied input is placed into an LDAP search filter or Distinguished Name without validation or escaping, an attacker may be able to alter the structure of the query, bypass authentication controls, and view or modify arbitrary data in the LDAP directory.
Solution
Validate user input against an allow list where the expected format is known (for example, a username that must match a narrow character class), and escape every value before it is placed into an LDAP query, preferably with a library encoder rather than hand-written string handling. Values inside a search filter must be escaped according to RFC 4515 (`*` as `\2a`, `(` as `\28`, `)` as `\29`, `\` as `\5c`, NUL as `\00`); values placed into a Distinguished Name must be escaped according to RFC 4514. If a deny list is used instead, at least the following characters (or combinations), which cover both filter and DN metacharacters, should be rejected: & | ! < > = ~= >= <= * ( ) , + - " ' ; \ / and the NUL character. Never build a filter or DN by concatenating raw input.
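The following is an added example, not part of this alert's text, showing the vulnerable concatenation pattern next to a hardened version. The `escape_filter_value` (RFC 4515) and `escape_dn_value` (RFC 4514) helpers, the `(&(uid=...)(userPassword=...))` login filter, the `ou=people,dc=example,dc=com` base DN and the `*)(uid=*))(|(uid=*` test payload are all constructed here for illustration; in production use the escaping functions of your LDAP client library if it provides them.

```python
# Added example: LDAP filter/DN escaping (RFC 4515 / RFC 4514).
# All names and sample values below are constructed for this example.

# RFC 4515 section 3: these characters must be escaped inside a filter value.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514 section 2.4: these characters must be escaped inside a DN value.
DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in FILTER_ESCAPES:
            out.append(FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: emit each UTF-8 byte as \xx (permitted by RFC 4515).
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a Distinguished Name (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:          # leading '#' is special
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_login_filter(user: str, password: str) -> str:
    """The pattern this alert warns about: raw input concatenated into a filter."""
    return f"(&(uid={user})(userPassword={password}))"


def safe_login_filter(user: str, password: str) -> str:
    """Same filter, but every user-controlled value is escaped per RFC 4515."""
    return (f"(&(uid={escape_filter_value(user)})"
            f"(userPassword={escape_filter_value(password)}))")


def safe_user_dn(user: str) -> str:
    """Build a DN for a user entry with the RDN value escaped per RFC 4514."""
    return f"uid={escape_dn_value(user)},ou=people,dc=example,dc=com"


def count_top_level_filters(filt: str) -> int:
    """Count complete filters at nesting depth 0.

    A well-formed request has exactly one. Because RFC 4515 requires parentheses
    inside values to be escaped, a raw scan of the string is sufficient here.
    """
    depth = 0
    count = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                count += 1
    return count


if __name__ == "__main__":
    # Constructed payload: closes the uid assertion and appends a second
    # filter that matches every entry; some servers evaluate only the first.
    payload = "*)(uid=*))(|(uid=*"
    bad = vulnerable_login_filter(payload, "x")
    good = safe_login_filter(payload, "x")
    print("vulnerable:", bad, "->", count_top_level_filters(bad), "top-level filter(s)")
    print("escaped:   ", good, "->", count_top_level_filters(good), "top-level filter(s)")
    print("DN:        ", safe_user_dn("Smith, John"))
```

Run it and the vulnerable filter becomes `(&(uid=*)(uid=*))(|(uid=*)(userPassword=x))`, two filters where one was intended, while the escaped version keeps the payload inside the `uid` value as literal text.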
References

http://www.testingsecurity.com/how-to-test/injection-vulnerabilities/LDAP-Injection

https://owasp.org/www-community/attacks/LDAP_Injection