TL;DR
LDAP injection attacks happen when user input is placed into an LDAP search filter without being escaped. An attacker can then change what the filter matches (turning a lookup for one user into a match on every user, for example) to read or alter data they shouldn't. Unlike SQL, LDAP has no parameterised queries, so the fix in C# is to keep the filter template fixed and escape every user-supplied value before it is inserted. We'll show you how to do that with System.DirectoryServices.Protocols and a small, correct escaping function.
Understanding the Problem
LDAP (Lightweight Directory Access Protocol) is often used for authentication and authorization. If your C# application builds LDAP queries by directly concatenating user input, it’s vulnerable. Imagine a simple search filter:
string username = userInput; // Get from form or API
string query = "(uid=" + username + ")"; // Build the query
LDAP filters use prefix notation with the operators &, | and !, so "||" has no meaning here; the characters that matter are the filter metacharacters *, (, ) and backslash. If userInput is a single asterisk, the resulting filter becomes:
(uid=*)
which matches every entry that has a uid instead of one user, and "admin*" matches every uid that starts with admin. Unescaped parentheses go further: input such as "admin)(|(uid=*" closes the uid clause and opens new ones, so in a filter with more structure (an AND of a uid test and some other condition, say) the attacker can reshape which conditions apply. Either way the search can bypass a check or return data the caller should not see. The goal is to ensure user input is only ever matched as a literal value and never interpreted as filter syntax.
Solution: Fixed Filter Templates with Escaped Values
The way to avoid LDAP injection is the same idea that parameterised queries give you in SQL: separate the query structure from the user-provided data, so that input is treated as data and never as part of the filter syntax. With LDAP the structure is the filter template you write, and the data is every user-supplied value, which must be encoded before it is inserted.
Step 1: Know What the Library Does (and Does Not Do)
Neither System.DirectoryServices nor System.DirectoryServices.Protocols binds parameters the way ADO.NET does, and the LDAP protocol itself has no such mechanism: a SearchRequest carries a plain filter string, which is sent to the server exactly as you built it. A placeholder like {0} in that string is not substituted or escaped by the library. Escaping is therefore your responsibility: RFC 4515 rules for values inside a filter, and the different RFC 4514 rules for values that go into a distinguished name.
Step 2: Construct the Query from a Fixed Template
Keep the filter template as a constant and insert only escaped values. Using string.Format with a placeholder is fine as a way to keep the template readable, as long as what goes into the placeholder has already been escaped.
using System.DirectoryServices.Protocols;
using System.Net;
// ... inside your method...
string username = userInput; // Get from form or API
// The template is fixed; string.Format only substitutes text, so the value is escaped first.
string filter = string.Format("(uid={0})", EscapeLdapString(username));
using (LdapConnection connection = new LdapConnection("your.ldap.server"))
{
    // Bind with the application's own read-only service account, never with the caller's input.
    connection.Bind(new NetworkCredential(serviceAccountDn, serviceAccountPassword));
    SearchRequest searchRequest = new SearchRequest("dc=example,dc=com", filter, SearchScope.Subtree);
    SearchResponse searchResponse = (SearchResponse)connection.SendRequest(searchRequest);
}
In this example, {0} is only a string.Format placeholder. Neither string.Format nor the LDAP library escapes anything, which is why the username is passed through EscapeLdapString (defined later in this article) before substitution: the template stays fixed and the user's value can only ever be matched as a literal. Bind with a dedicated service account rather than the user-supplied name, and prefer LDAPS or StartTLS so the simple bind password is not sent in clear text.
Step 3: Handle Search Results
SendRequest returns a DirectoryResponse; cast it to SearchResponse and iterate its Entries collection, reading the attributes you asked for from each SearchResultEntry. Request only the attributes you need in the SearchRequest so the application cannot be tricked into returning more than it should.
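The following is an added, complete example (not code from the original article) that puts the pieces together: an RFC 4515 filter escaper, an RFC 4514 escaper for the separate case of splicing a value into a distinguished name, the vulnerable and hardened filter builders side by side, and the System.DirectoryServices.Protocols search. The server name ldap.example.com, the base DN ou=people,dc=example,dc=com, the service-account DN and its password are placeholders, and the probe inputs in Main are constructed for the demonstration. It targets System.DirectoryServices.Protocols (the NuGet package of the same name on .NET 5 and later). Run it without arguments to see the filters each input produces; pass a server name and a username to perform the search.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public static class LdapFilterExample
{
    // RFC 4515: inside a filter, each of \ * ( ) NUL becomes a backslash plus two hex digits.
    // Each character is examined once, so an escape produced here is never escaped twice.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // RFC 4514: a value placed inside a DN (for example "uid=<value>,ou=people,...") follows
    // different rules: , + " \ < > ; = get a leading backslash, as do a leading '#' or space
    // and a trailing space; NUL becomes \00. Use this for DNs, never for filters.
    public static string EscapeDnValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            if (c == '\0') { sb.Append("\\00"); continue; }
            bool leading = i == 0 && (c == '#' || c == ' ');
            bool trailing = i == value.Length - 1 && c == ' ';
            if (leading || trailing || ",+\"\\<>;=".IndexOf(c) >= 0) sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // The vulnerable pattern from the article: input is spliced straight into the filter.
    public static string VulnerableFilter(string username) => "(uid=" + username + ")";

    // The hardened pattern: the template is fixed and only the escaped value is inserted.
    public static string SafeFilter(string username) => "(uid=" + EscapeFilterValue(username) + ")";

    // Assumed base DN and attribute list. The request carries the filter as a plain string,
    // which is exactly why the escaping has to happen before this point.
    public static SearchRequest BuildUserSearch(string username) =>
        new SearchRequest("ou=people,dc=example,dc=com", SafeFilter(username),
                          SearchScope.OneLevel, "uid", "cn", "mail");

    // Runs the search with a read-only service account (placeholder DN and password),
    // never with the credentials of the user being looked up.
    public static void FindUser(string server, string username)
    {
        using (var connection = new LdapConnection(server))
        {
            connection.AuthType = AuthType.Basic;
            connection.Bind(new NetworkCredential(
                "cn=app-reader,ou=services,dc=example,dc=com", "service-password"));
            var response = (SearchResponse)connection.SendRequest(BuildUserSearch(username));
            foreach (SearchResultEntry entry in response.Entries)
                Console.WriteLine(entry.DistinguishedName);
        }
    }

    public static void Main(string[] args)
    {
        // Constructed probe inputs: a normal name, a bare wildcard, a prefix wildcard,
        // a parenthesis/OR injection attempt, and a backslash that must not be double-escaped.
        string[] probes = { "alice", "*", "admin*", "admin)(|(uid=*", "o\\*" };
        foreach (string p in probes)
            Console.WriteLine($"{p,-16} vulnerable: {VulnerableFilter(p),-24} safe: {SafeFilter(p)}");

        // Same value used in a DN: note the different escaping rules.
        Console.WriteLine("uid=" + EscapeDnValue(" smith, john ") + ",ou=people,dc=example,dc=com");

        if (args.Length == 2) FindUser(args[0], args[1]); // e.g. ldap.example.com alice
    }
}
```

For the bare wildcard the vulnerable builder yields (uid=*), which matches every entry, while the hardened one yields (uid=\2a), which matches only a uid that is literally an asterisk; the injection probe becomes (uid=admin\29\28|\28uid=\2a), a single harmless equality match. Keeping the two escapers separate matters: running a filter value through the DN rules leaves the asterisk and parentheses intact, and running a DN component through the filter rules leaves commas and equals signs intact, so each is only correct for its own context.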
Writing the Escaping Function
Hand-rolling an escaper is where mistakes happen: forgetting the backslash, escaping it after the other characters so it gets escaped twice, or applying the DN rules to a filter value (or vice versa). If a vetted encoder is already available to your project, such as Encoder.LdapFilterEncode from Microsoft's AntiXSS library, prefer it; otherwise keep your own function to the RFC 4515 set and unit-test it against the inputs shown in this article.
Step 1: Identify Characters to Escape
The set depends on where the value goes. Inside a search filter (RFC 4515) it is backslash, *, (, ) and the NUL character, each written as a backslash followed by the two-digit hex code of the character: \5c, \2a, \28, \29 and \00. Inside a distinguished name (RFC 4514) the set is different: comma, plus, double quote, backslash, <, >, semicolon and equals, plus a leading # or space and a trailing space. The angle brackets only matter in DNs, not in filters, so use the filter rules for filter values and the DN rules for values spliced into a DN string; mixing them up is a common bug.
Step 2: Escape the Input
Write a function to escape these characters before including them in your query.
public static string EscapeLdapString(string input)
{
    // RFC 4515 filter escaping; backslash is replaced first so the backslashes introduced by the later replacements are not escaped again.
    return input.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}