HIGH CWE-90 Injection

CWE-90 in APIs

CWE ID: CWE-90
Category: Input Validation
Severity: HIGH
Short Name: LDAP Injection

What is CWE-90?

CWE-90 refers to the Improper Neutralization of Special Elements used in an LDAP Query (also known as LDAP Injection). This weakness occurs when an application constructs LDAP queries using untrusted input without proper neutralization, allowing attackers to manipulate the query logic.

According to MITRE, this weakness enables attackers to execute unintended LDAP commands, bypass authentication, access unauthorized data, or modify directory information. The vulnerability stems from directly embedding user-controlled data into LDAP filters, search bases, or other query components without validation or encoding.

LDAP (Lightweight Directory Access Protocol) is commonly used in enterprise environments for authentication, authorization, and directory services. When applications fail to properly sanitize LDAP query components, attackers can inject special characters like parentheses, asterisks, and ampersands to alter query logic.

CWE-90 in API Contexts

APIs that interact with LDAP directories face unique risks when handling user input for authentication, search, or data retrieval operations. Common API scenarios vulnerable to LDAP injection include:

Authentication endpoints that construct LDAP queries using username and password parameters
Search APIs that accept filter parameters from clients
Directory services that build queries based on user-provided attributes
Multi-tenant applications where tenant identifiers are used in LDAP queries

Consider an API endpoint that authenticates users against an LDAP directory:

const authenticate = async (req, res) => {
  const { username, password } = req.body;
  
  // Vulnerable: Direct string concatenation
  const filter = `(uid=${username})`;
  
  const result = await ldap.search(filter);
  
  // Authentication logic...
};

An attacker could submit username=*)(uid=*))(|(uid=* to manipulate the filter into (uid=*)(uid=*))(|(uid=*), potentially bypassing authentication or causing the query to return all users.

RESTful APIs that expose directory search functionality are particularly vulnerable when they accept complex filter parameters. An endpoint like /api/users/search?filter=(department=engineering) becomes dangerous if the filter parameter is directly embedded in LDAP queries without validation.

Detection

Detecting LDAP injection vulnerabilities requires both static analysis and dynamic testing approaches. For API developers, several detection strategies are effective:

Code review for unsafe patterns: Look for string concatenation in LDAP query construction, direct interpolation of user input, or missing input validation before LDAP operations.
Static analysis tools: Security scanners can identify potentially dangerous LDAP query construction patterns in source code.
Dynamic testing: Send crafted payloads to API endpoints to test for LDAP injection vulnerabilities.

middleBrick's API security scanner includes specialized detection for LDAP injection vulnerabilities. The scanner tests unauthenticated API endpoints by sending payloads designed to trigger LDAP-specific syntax. For example, it might test with parentheses, asterisks, and other special characters to see if they affect query results or cause errors that reveal backend implementation details.

The scanner evaluates several indicators of LDAP injection risk:

Response changes when special characters are included in parameters
Timing differences that suggest different query execution paths
Error messages containing LDAP-specific information
Unexpected data exposure when injecting OR/AND operators

middleBrick's approach is particularly valuable because it requires no credentials or configuration—just submit your API URL and receive a security score with findings. The scanner tests the actual attack surface exposed to unauthenticated users, which is critical for LDAP injection since many APIs allow directory browsing or search without authentication.

Remediation

Effective remediation of LDAP injection vulnerabilities requires a defense-in-depth approach. The primary strategies include input validation, parameterized queries, and proper escaping.

Input Validation

Validate all user input against expected patterns before using it in LDAP queries. For usernames, enforce strict character patterns:

const validateUsername = (username) => {
  // Allow only alphanumeric, dots, and underscores
  const usernamePattern = /^[a-zA-Z0-9._-]+$/;
  return usernamePattern.test(username);
};

// Reject if validation fails
if (!validateUsername(username)) {
  return res.status(400).json({ error: 'Invalid username format' });
}

Parameterized LDAP Queries

Use parameterized LDAP APIs when available. Many LDAP libraries support prepared statements or parameterized queries that automatically handle special character escaping:

// Using parameterized queries (if supported by your LDAP library)
const authenticate = async (req, res) => {
  const { username, password } = req.body;
  
  // Validate input first
  if (!validateUsername(username)) {
    return res.status(400).json({ error: 'Invalid username format' });
  }
  
  // Use parameterized search
  const result = await ldap.search({
    filter: '(uid=?', // Parameter placeholder
    params: [username]  // Automatically escaped
  });
  
  // Authentication logic...
};

LDAP-Specific Escaping

When parameterized queries aren't available, use proper LDAP escaping functions. Most LDAP libraries provide escaping utilities:

const { escapeDN, escapeFilter } = require('ldap-filter-escape');

const authenticate = async (req, res) => {
  const { username, password } = req.body;
  
  // Escape LDAP special characters
  const escapedUsername = escapeFilter(username);
  
  const filter = `(uid=${escapedUsername})`;
  
  const result = await ldap.search(filter);
  
  // Authentication logic...
};

Principle of Least Privilege

Configure LDAP directory access with minimal permissions. The application should use a dedicated service account with only the permissions needed for its operations, not a privileged directory administrator account.

API Design Considerations

Design your API to minimize LDAP injection surface area:

Avoid exposing complex filter parameters to clients
Use predefined search options instead of arbitrary filters
Implement API-level request validation before LDAP operations
Log and monitor for suspicious LDAP query patterns

After implementing these fixes, re-scan your API with middleBrick to verify the vulnerability is resolved and your security score improves. The scanner provides specific findings with severity levels and remediation guidance to help you track progress.

Frequently Asked Questions

How does LDAP injection differ from SQL injection?

Both involve injecting malicious input to manipulate query logic, but LDAP injection targets directory services rather than databases. LDAP uses different syntax (parentheses, ampersands, asterisks) and operates on hierarchical directory structures instead of relational tables. The injection techniques and payloads differ, though the underlying principle of untrusted input manipulation is the same.

Can middleBrick detect LDAP injection in my API automatically?

Yes, middleBrick's API security scanner tests for LDAP injection vulnerabilities by sending crafted payloads to your endpoints. The scanner evaluates how your API handles special characters and LDAP-specific syntax without requiring credentials or configuration. You simply submit your API URL and receive a security score with findings that include LDAP injection risk assessment and remediation guidance.