LDAP Injection - Elixir

Need

To prevent unauthorized data access and manipulation through LDAP Injection attacks

Context

  • Usage of Elixir (v1.11+) with Erlang/OTP (v23+)
  • Usage of eldap library for LDAP operations in Erlang

Description

Non compliant code

    defmodule MyAppWeb.UserController do
      use MyAppWeb, :controller

      def index(conn, %{"username" => username}) do
        {:ok, handle} = :eldap.open([~c"ldap.example.com"])
        # The raw request parameter becomes the filter value, with no validation at all
        search_filter = :eldap.substrings(~c"uid", initial: String.to_charlist(username))

        {:ok, result} =
          :eldap.search(handle, base: ~c"ou=Users,dc=example,dc=com", filter: search_filter)

        :eldap.close(handle)
        # result is an eldap_search_result record; its first field is the entry list
        entries =
          for {:eldap_entry, dn, attrs} <- elem(result, 1),
              do: %{dn: to_string(dn), attrs: Map.new(attrs, fn {k, v} -> {to_string(k), Enum.map(v, &to_string/1)} end)}

        json(conn, entries)
      end
    end

In this insecure code, the Elixir application accepts a username from the request and uses it directly as the value of an LDAP search filter. This can be exploited for an LDAP Injection attack, leading to unauthorized data access or manipulation.

Steps

  • Don't use user input directly in LDAP queries.
  • Sanitize user input before using it in a query.
  • Use parameterized queries or prepared statements if available.

Compliant code

    defmodule MyAppWeb.UserController do
      use MyAppWeb, :controller

      def index(conn, %{"username" => username}) do
        {:ok, handle} = :eldap.open([~c"ldap.example.com"])
        # Strip the filter metacharacters '(' and ')' before the value reaches the query
        username = username |> String.replace("(", "") |> String.replace(")", "")
        search_filter = :eldap.substrings(~c"uid", initial: String.to_charlist(username))

        {:ok, result} =
          :eldap.search(handle, base: ~c"ou=Users,dc=example,dc=com", filter: search_filter)

        :eldap.close(handle)
        # result is an eldap_search_result record; its first field is the entry list
        entries =
          for {:eldap_entry, dn, attrs} <- elem(result, 1),
              do: %{dn: to_string(dn), attrs: Map.new(attrs, fn {k, v} -> {to_string(k), Enum.map(v, &to_string/1)} end)}

        json(conn, entries)
      end
    end

In this secure code, the application sanitizes the user input by removing the LDAP filter metacharacters '(' and ')'. The sanitized input is then used in the LDAP query.
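An added example, not the page's own code, that goes further than stripping parentheses: the username is validated against an allowlist and rejected otherwise, the search uses an exact-match filter rather than a prefix substring (so a short or empty value cannot widen the search), and the connection is always closed. The hostname, port, base DN and attribute names are assumptions.

```elixir
defmodule MyAppWeb.UserLookup do
  require Record
  # Records from eldap.hrl, so the result shape matches the running OTP release
  Record.defrecord(:search_result, :eldap_search_result,
    Record.extract(:eldap_search_result, from_lib: "eldap/include/eldap.hrl"))
  Record.defrecord(:entry, :eldap_entry,
    Record.extract(:eldap_entry, from_lib: "eldap/include/eldap.hrl"))

  @ldap_host ~c"ldap.example.com"         # assumption
  @base_dn ~c"ou=Users,dc=example,dc=com" # assumption

  # Allowlist of characters found in legitimate uids. Anything else
  # ('(', ')', '*', '\', NUL, whitespace) is rejected, not stripped.
  def validate_uid(username) when is_binary(username) do
    if String.match?(username, ~r/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/),
      do: {:ok, String.to_charlist(username)},
      else: {:error, :invalid_uid}
  end

  def validate_uid(_other), do: {:error, :invalid_uid}

  def find_user(username) do
    with {:ok, uid} <- validate_uid(username),
         {:ok, handle} <- :eldap.open([@ldap_host], port: 389) do
      try do
        # eldap encodes the filter as a structured term rather than filter text;
        # equalityMatch keeps the search to one exact uid, unlike {:initial, ...}
        filter = :eldap.equalityMatch(~c"uid", uid)

        case :eldap.search(handle,
               base: @base_dn, scope: :eldap.singleLevel(),
               filter: filter, attributes: [~c"uid", ~c"cn", ~c"mail"]) do
          {:ok, result} when Record.is_record(result, :eldap_search_result) ->
            {:ok, Enum.map(search_result(result, :entries), &entry_to_map/1)}
          other -> {:error, other}
        end
      after
        :eldap.close(handle)
      end
    end
  end

  defp entry_to_map(e) do
    attrs = Map.new(entry(e, :attributes), fn {k, vs} -> {to_string(k), Enum.map(vs, &to_string/1)} end)
    %{"dn" => to_string(entry(e, :object_name)), "attributes" => attrs}
  end
end
```

A controller can call `find_user/1` and return the `{:error, :invalid_uid}` branch as a 400 instead of ever opening an LDAP connection for bad input.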

References