# LDAP injection via user input in search filter allows unauthorized access to directory entries

- **ID:** `security/ldap-injection-via-user-input-in-search-filter`
- **Domain:** security
- **Category:** data_error
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The application constructs an LDAP search filter by concatenating user-supplied input without sanitization, allowing an attacker to inject LDAP metacharacters (e.g., *, |, &) to modify the filter logic and retrieve unauthorized data.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OpenLDAP 2.6.6 | active | — | — |
| Microsoft Active Directory | active | — | — |
| Spring LDAP 2.4.0 | active | — | — |
| Python ldap3 2.9.1 | active | — | — |

## Workarounds

1. **Use a dedicated LDAP encoding library to escape user input before constructing the filter. For Java, use `LdapName.escapeValue(input)` from Spring LDAP or `DefaultTemporaryDirectory` from Apache Directory API. Example: `String escapedInput = LdapName.escapeValue(userInput); String filter = "(&(uid=" + escapedInput + ")(objectClass=user))";`.** (92% success)
2. **Implement input validation to allow only alphanumeric characters and specific safe characters (e.g., email format). Reject any input containing LDAP metacharacters. Example regex for username: `^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`.** (85% success)
3. **Use a whitelist approach by mapping user input to predefined filter values. For example, if the input is a department name, map it to a safe list: `String filter = "(&(department=" + departmentMap.get(input) + ")(objectClass=user))";`.** (80% success)
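Added example (not code from the original entry or from any of the listed libraries): a Python rendering of the three workarounds above, beside the vulnerable concatenation from the Root Cause. The escaping follows RFC 4515 section 3 (the same set of characters that `ldap3.utils.conv.escape_filter_chars` handles); the attribute names, department table and sample inputs are constructed for illustration.

```python
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value.
# Backslash is listed first so escapes are not double-escaped.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",  # NUL bytes are covered too (see Dead Ends)
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(uid: str) -> str:
    """The Root Cause pattern: raw concatenation. A uid of '*' turns the
    filter into a match on every user object."""
    return "(&(uid=" + uid + ")(objectClass=user))"


def build_filter_escaped(uid: str) -> str:
    """Workaround 1: escape before concatenating, so '*' becomes the
    literal value '\\2a' instead of a wildcard."""
    return "(&(uid=" + escape_filter_value(uid) + ")(objectClass=user))"


# Workaround 2: the allow-list regex from the entry, applied with fullmatch.
_EMAIL_RE = re.compile(r"^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$")


def build_filter_validated(mail: str) -> str:
    """Reject anything that is not an e-mail address; no LDAP metacharacter
    survives the regex, so the value can be concatenated directly."""
    if not _EMAIL_RE.fullmatch(mail):
        raise ValueError("input is not a valid e-mail address")
    return "(&(mail=" + mail + ")(objectClass=user))"


# Workaround 3: user input is only a key into predefined values (constructed table).
DEPARTMENTS = {"eng": "Engineering", "hr": "Human Resources"}


def build_filter_mapped(key: str) -> str:
    """Unknown keys are rejected; only table values ever reach the filter."""
    if key not in DEPARTMENTS:
        raise ValueError("unknown department")
    return "(&(department=" + DEPARTMENTS[key] + ")(objectClass=user))"
```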

## Dead Ends

- **Use a blacklist to block common LDAP metacharacters like * and |** — Attackers can use alternative characters or encoding (e.g., URL encoding, Unicode) to bypass the blacklist. Blacklists are incomplete and not a robust defense. (60% fail)
- **Escape only parentheses and asterisks in user input** — LDAP injection can also use other metacharacters like &, !, =, ~, or null bytes. Incomplete escaping leaves vulnerabilities. (45% fail)
- **Use a stored procedure or prepared statement (as in SQL) for LDAP queries** — LDAP does not support prepared statements in the same way as SQL. Parameterized queries are not available in most LDAP libraries, so this approach is not applicable. (80% fail)
