[Forgot Password]
Login  Register Subscribe












Paid content will be excluded from the download.

Download | Alert*
view XML

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

ID: 90Date: (C)2012-05-14   (M)2018-02-26
Type: weaknessStatus: DRAFT
Abstraction Type: Base


The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

Applicable Platforms
Language Class: All
Technology Class: Database-Server

Time Of Introduction

  • Architecture and Design
  • Implementation

Related Attack Patterns

Common Consequences

ScopeTechnical ImpactNotes
Execute unauthorized code or commands
Read application data
Modify application data
An attacker could include input that changes the LDAP query which allows unintended commands or code to be executed, allows sensitive data to be read or modified or causes other unintended behavior.

Detection Methods

Potential Mitigations

Input Validation
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

Factors: resultant to special character mismanagement, MAID, or blacklist/whitelist problems. Can be primary to authentication and verification errors.

Related CWETypeViewChain
CWE-90 ChildOf CWE-896 Category CWE-888  

Demonstrative Examples   (Details)

  1. The code below constructs an LDAP query using user input address data:

Observed Examples

  1. CVE-2005-2301 : Server does not properly escape LDAP queries, which allows remote attackers to cause a DoS and possibly conduct an LDAP injection attack.

For more examples, refer to CVE relations in the bottom box.

White Box Definitions

Black Box Definitions

Taxynomy Mappings

PLOVER  LDAP injection
OWASP Top Ten 2007 A2
Injection Flaws
LDAP Injection


  1. SPI Dynamics .Web Applications and LDAP Injection.

© 2013 SecPod Technologies