LDAP Injection in .NET Directory Services

Risk: High | Category: Injection
Tags: csharp, dotnet, ldap, injection, directory-services

What it is

LDAP injection vulnerabilities occur when untrusted user input is concatenated into LDAP filters or distinguished names without proper escaping. Attackers can modify LDAP query logic to bypass authentication, access unauthorized directory entries, extract sensitive information, or escalate privileges within Active Directory or LDAP systems.

Vulnerable code:

using System.DirectoryServices;

public User FindUser(string username)
{
    // VULNERABLE: direct string interpolation in LDAP filter
    string filter = $"(sAMAccountName={username})";
    
    DirectorySearcher searcher = new DirectorySearcher();
    searcher.Filter = filter;
    
    SearchResult result = searcher.FindOne();
    return result != null ? new User(result) : null;
}

// Attack: username = "*)(objectClass=*))(&(objectClass=void"
// Result: (sAMAccountName=*)(objectClass=*))(&(objectClass=void)
// This bypasses authentication by matching any user

Secure version:

using System.DirectoryServices;
using System.Web.Security.AntiXss;
using System.Text.RegularExpressions;

public User FindUser(string username)
{
    // Validate input format
    if (!IsValidUsername(username))
    {
        return null;
    }
    
    // SECURE: escape LDAP special characters (*, (, ), \, NUL) so the value
    // can only match literally; the allowlist above already rejects them, so
    // this is a second, independent layer
    string escapedUsername = AntiXssEncoder.LdapFilterEncode(username);
    string filter = $"(sAMAccountName={escapedUsername})";
    
    // Dispose the searcher (and its underlying connection) when done
    using (DirectorySearcher searcher = new DirectorySearcher())
    {
        searcher.Filter = filter;
        SearchResult result = searcher.FindOne();
        return result != null ? new User(result) : null;
    }
}

private bool IsValidUsername(string username)
{
    // Only allow alphanumeric and specific characters
    return !string.IsNullOrEmpty(username) &&
           Regex.IsMatch(username, @"^[a-zA-Z0-9._-]+$") &&
           username.Length <= 100;
}

💡 Why This Fix Works

The vulnerable code uses string interpolation to build LDAP filters with user input, allowing attackers to inject malicious LDAP syntax. The secure version validates the input format against an allowlist and uses AntiXssEncoder.LdapFilterEncode() to escape special LDAP characters before constructing the filter. Because the allowlist already rejects every LDAP metacharacter, the encoder is a second layer that still protects callers that later relax the pattern.

Why it happens

Using string interpolation or concatenation to build LDAP filters with user input.

Root causes

String Concatenation in LDAP Filters

Using string interpolation or concatenation to build LDAP filters with user input.

Missing LDAP Escaping

Not escaping special LDAP characters such as *, (, ), \ and the NUL byte in user input.

Insufficient Input Validation

Not validating username format before constructing LDAP queries.

Fixes

1. Escape LDAP Filter Values

Use AntiXssEncoder.LdapFilterEncode() to escape special characters in filter values.

2. Validate Input Format

Use allowlist validation to accept only alphanumeric characters and specific allowed characters.

3. Use Parameterized LDAP

Where possible, use LDAP libraries with parameterization support.
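The escaping step from fix 1, written out by hand as an added illustration (not the page's or Sourcery's code): an RFC 4515 filter-value escaper that can stand in for AntiXssEncoder.LdapFilterEncode() in projects that do not reference System.Web, run against the payload from the vulnerable example. The class and method names (LdapFilter, EscapeValue, UserFilter) are our own.

```csharp
using System;
using System.Text;

// Added illustration: hand-written RFC 4515 escaping for LDAP filter assertion
// values. Class and method names are our own, not part of any library.
public static class LdapFilter
{
    // Escape one assertion value so it can only ever match literally.
    // Works on UTF-8 bytes so multi-byte and surrogate-pair characters are
    // escaped byte by byte, as RFC 4515 requires.
    public static string EscapeValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (byte b in Encoding.UTF8.GetBytes(value))
        {
            bool meta = b == '*' || b == '(' || b == ')' || b == '\\' || b == 0;
            if (meta || b < 0x20 || b > 0x7e)
                sb.Append('\\').Append(b.ToString("x2")); // '*' becomes \2a
            else
                sb.Append((char)b);
        }
        return sb.ToString();
    }

    // Build the page's lookup filter with the value escaped. Distinguished
    // names need RFC 4514 escaping, which differs; this helper is for filter
    // values only.
    public static string UserFilter(string username) =>
        $"(sAMAccountName={EscapeValue(username)})";

    public static void Main()
    {
        // Constructed sample inputs: the payload from the vulnerable example
        // above, an ordinary account name, and a non-ASCII name.
        Console.WriteLine(UserFilter("*)(objectClass=*))(&(objectClass=void"));
        Console.WriteLine(UserFilter("j.doe"));
        Console.WriteLine(UserFilter("Zoë"));
    }
}
```

Run on the attack string, every *, ( and ) comes back as a \2a, \28 or \29 triplet, so the searcher can only match an account literally named that way rather than rewriting the filter's logic.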

Detect This Vulnerability in Your Code

Sourcery automatically identifies LDAP injection in .NET Directory Services and many other security issues in your codebase.