LDAP Vulnerability Detection in Web Applications

LDAP Vulnerability Detection in Web Applications

Hossain Shahriar (Kennesaw State University, Marietta, USA), Hisham Haddad (Kennesaw State University, Marietta, USA) and Pranahita Bulusu (Kennesaw State University, Marietta, USA)
Copyright: © 2017 |Pages: 20
DOI: 10.4018/IJSSE.2017100102
OnDemand PDF Download:
No Current Special Offers


Lightweight Directory Access Protocol (LDAP) is commonly used in web applications to provide lookup information and enforcing authentication. Web applications may suffer from LDAP injection vulnerabilities that can lead to security breaches such as login bypass and privilege escalation. This paper1 proposes OCL fault injection-based detection of LDAP injection attacks. The authors extract design-level information and constraints expressed in OCL and then randomly alter them to generate test cases that have the capability to uncover LDAP injection vulnerabilities. The authors proposed approaches to implement test case generation, and they used one open source PHP application and one custom application to evaluate the proposed approach. The analysis shows that this approach can detect LDAP injection vulnerabilities.
Article Preview

2. Background On Ldap Injection Attack

Figure 1 shows an example of LDAP directory tree structure. The tree is subdivided into different Organizational Units (ou) along with common names (cn) for each of them.

Figure 1.

Directory tree structure of LDAP server


For example, the organizational unit of Human Resources has common name as HR. Different entries of each organizational unit are given under the common name such as the employees working in a particular department and any document relevant to the particular department.

Complete Article List

Search this Journal:
Open Access Articles: Forthcoming
Volume 8: 4 Issues (2017)
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing