How To Prevent LDAP Injection

Preventing LDAP Injection

Preventing LDAP Injection

If you are not already familiar with the concept of LDAP Injection, please review the article entitled “What Is LDAP Injection ?“.

To learn more about how to detect LDAP Injection vulnerabilities, please see the article entitled “How To Test For LDAP Injection“.

They key to preventing LDAP Injection is two-fold:

  • Perform input validation: Limit the character set and format to be what your requirements dictate and reject any input that fails to meet your expectations.  Perform input validation on both the client and the server.
  • Neutralize LDAP Meta-characters: The following characters should be “escaped” when they appear within inputs that are integrated into an LDAP query:
( ) < >
& * | =
; # \
+ ,  (Blank)

A meta-character is neutralized by preceding the character with a ‘\’ in Linux and Unix, and a ^ in Windows.

A final countermeasure that can be taken is to to whatever degree possible, write your LDAP search filter so that the input value(s) being integrated into the LDAP query appears as far to the right as possible.  This does not prevent injection in itself, but limits the damage that can be done if injection does occur.

About Affinity IT Security

We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and/or to train your developers and testers. Contact us to learn how to partner with us to protect your enterprise.



Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.