LDAP and XPath Injection: Enterprise Directory Attack Vectors

Understanding and preventing injection attacks on directory services

What Is LDAP Injection

LDAP injection is a code injection attack that targets applications using Lightweight Directory Access Protocol (LDAP) to query directory services such as Active Directory, OpenLDAP, and other enterprise identity stores. An attacker manipulates LDAP queries by injecting special characters into user input that is concatenated into LDAP search filters.

Classified under CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query) and part of OWASP A03:2021 – Injection, LDAP injection is particularly dangerous in enterprise environments where directory services control authentication, authorization, and user management for thousands of employees.

XPath injection (CWE-643) is a closely related attack that targets XML-based data stores. When applications construct XPath queries from user input without sanitization, attackers can extract data from XML documents, bypass authentication, or enumerate the document structure. Both vulnerabilities exploit the same root cause: untrusted input in query construction.

How LDAP and XPath Injection Work

LDAP Injection

LDAP search filters use a prefix notation syntax. A typical authentication query looks like:

(&(uid=USERNAME)(userPassword=PASSWORD))

If the application concatenates user input directly:

String filter = "(&(uid=" + username + ")(userPassword=" + password + "))";

An attacker enters *)(uid=*))(|(uid=* as the username, modifying the filter logic to match any user. LDAP metacharacters like *, (, ), |, and & alter query semantics just as SQL metacharacters do in SQL injection.

XPath Injection

XPath queries against XML data are equally vulnerable to injection:

String query = "//users/user[name='" + username + "' and pass='" + password + "']";

An attacker enters ' or '1'='1 to bypass authentication, similar to SQL injection but targeting XML data stores.
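As an added example (not code from the page or from CodeSlick), the two fixes a defender would apply to the LDAP and XPath patterns above, written in Python rather than Java so it runs stand-alone: RFC 4515 escaping for LDAP assertion values, and XPath 1.0 string-literal construction that falls back to concat() when a value holds both quote kinds. The helper names and the filter item-count check are this example's own, not part of any library.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter
# assertion value so they cannot be read as filter syntax.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_ldap_value(value: str) -> str:
    """Escape one assertion value for safe embedding in an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def vulnerable_ldap_filter(username: str, password: str) -> str:
    # Same shape as the page's Java concatenation: input can add filter items.
    return f"(&(uid={username})(userPassword={password}))"

def safe_ldap_filter(username: str, password: str) -> str:
    # Escaped input stays confined to the two assertion values it was meant for.
    return (f"(&(uid={escape_ldap_value(username)})"
            f"(userPassword={escape_ldap_value(password)}))")

def count_filter_items(filter_str: str) -> int:
    """Count attr=value items; this fixed-shape query must always have exactly 2."""
    return len(re.findall(r"\([A-Za-z][\w;-]*=", filter_str))

def xpath_string_literal(value: str) -> str:
    """Build an XPath 1.0 string literal for arbitrary text.

    XPath 1.0 has no escape sequence for a quote inside a literal, so text that
    contains both quote kinds is assembled with concat() instead.
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for piece in re.split(r"(')", value):
        if piece == "'":
            parts.append("\"'\"")
        elif piece:
            parts.append(f"'{piece}'")
    return "concat(" + ", ".join(parts) + ")"

def safe_xpath_query(username: str, password: str) -> str:
    # Same query as the page's Java example, with both values emitted as literals.
    return (f"//users/user[name={xpath_string_literal(username)} "
            f"and pass={xpath_string_literal(password)}]")
```

In production code prefer the escaping or variable-binding facilities of the LDAP or XPath library in use; the item-count check only illustrates that the page's payload changes the filter's structure while the escaped value does not.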

Attack Consequences

  • Authentication bypass by modifying filter logic to match any user
  • Data extraction from directory services (email addresses, phone numbers, group memberships)
  • Privilege escalation by querying administrative group memberships
  • Denial of service through crafted queries that return excessive results

Enterprise Impact

LDAP injection is predominantly an enterprise vulnerability because LDAP directories are enterprise infrastructure. The impact is amplified by what directory services contain:

  • Active Directory environments: LDAP injection can expose the entire organizational structure—employee names, email addresses, department hierarchies, group memberships, and in misconfigured environments, password hashes.
  • SSO and federation: Applications that authenticate against LDAP are often part of single sign-on chains. Bypassing LDAP authentication can grant access to dozens of connected applications.
  • Legacy applications: Many enterprise applications built in the 2000s use LDAP for authentication with string concatenation—patterns that have never been updated to use parameterized LDAP queries.

Because LDAP injection targets authentication infrastructure, a single vulnerability can compromise access controls across an entire organization rather than a single application.

How CodeSlick Detects Injection Patterns

CodeSlick identifies LDAP and XPath injection patterns across Java, Python, JavaScript, and TypeScript applications:

  • String concatenation and template literals used to construct LDAP search filters with user-controlled input
  • XPath query construction from unsanitized variables
  • Missing input sanitization for LDAP metacharacters (*, (, ), \)

All injection findings are classified with CWE-90 (LDAP) or CWE-643 (XPath), rated High to Critical severity, and include OWASP A03 mapping. CodeSlick's AI-powered fixes generate parameterized query alternatives specific to your LDAP library and framework.

Detect LDAP and XPath injection patterns in your enterprise application code.
