Ldap Injection in Flask
How Ldap Injection Manifests in Flask
Detecting LDAP injection in Flask applications requires both static code analysis and runtime testing. For static analysis, look for these patterns in your Flask codebase:
# Red flags - direct string interpolation
query = f"(uid={username})"
filter = "(cn=" + search_term + ")"
search_filter = "(mail=%s)" % email
# Safer alternatives
query = ldap3.utils.conv.escape_filter_chars(username)
filter = "(cn=" + ldap3.utils.conv.escape_filter_chars(search_term) + ")"
The ldap3.utils.conv.escape_filter_chars() function is your primary defense, escaping special LDAP characters like (, ), *, &, |, \, NUL, and others.
For runtime detection, middleBrick's API security scanner can identify LDAP injection vulnerabilities in your Flask endpoints. The scanner tests for LDAP injection by sending payloads that attempt to manipulate LDAP query logic. When you scan your Flask API with middleBrick, it evaluates endpoints for LDAP injection alongside 11 other security checks.
To scan your Flask API with middleBrick CLI:
npm install -g middlebrick
middlebrick scan http://localhost:5000/api/login
The scanner will test your login and search endpoints for LDAP injection patterns, providing a security score and specific findings. For example, it might detect that your /login endpoint is vulnerable to authentication bypass through LDAP query manipulation.
middleBrick's detection includes testing for:
- Authentication bypass attempts using LDAP OR/AND logic manipulation
- Directory traversal through crafted search filters
- Attribute disclosure via injection in attribute filters
- DN manipulation to escalate privileges
The scanner provides severity levels for each finding and maps vulnerabilities to OWASP API Top 10 categories, helping you prioritize fixes.
Flask-Specific Remediation
Remediating LDAP injection in Flask applications requires a combination of input validation, proper LDAP escaping, and architectural best practices. Here's how to secure your Flask LDAP code:
First, always use ldap3.utils.conv.escape_filter_chars() for any user input in LDAP filters:
from ldap3.utils.conv import escape_filter_chars
from flask import Flask, request
app = Flask(__name__)
@app.route('/login', methods=['POST'])
def login():
username = request.form['username']
password = request.form['password']
# Properly escaped LDAP filter
safe_username = escape_filter_chars(username)
query = f"(uid={safe_username})"
conn.search(search_base='dc=example,dc=com',
search_filter=query,
attributes=['dn'])
if conn.entries:
user_dn = conn.entries[0].dn
if conn.rebind(user=user_dn, password=password):
return 'Login successful'
else:
return 'Invalid credentials'
return 'User not found'
For search functionality, implement both escaping and input validation:
@app.route('/search', methods=['GET'])
def search():
search_term = request.args.get('q', '')
# Input validation - limit search patterns
if not re.match(r'^[a-zA-Z0-9_.@ -]+$', search_term):
return 'Invalid search term', 400
# LDAP escaping
safe_search = escape_filter_chars(search_term)
filter = f"(cn={safe_search}*)"
conn.search(search_base='dc=example,dc=com',
search_filter=filter,
attributes=['cn', 'mail'])
results = [{'name': entry.cn.value, 'email': entry.mail.value}
for entry in conn.entries]
return {'results': results}
For more complex scenarios, consider using parameterized LDAP queries if your LDAP library supports them, or implement a whitelist approach for known-good values.
Integrate LDAP injection testing into your Flask CI/CD pipeline using middleBrick's GitHub Action:
name: API Security Scan
on: [push, pull_request]
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run middleBrick security scan
run: |
npm install -g middlebrick
middlebrick scan https://your-flask-app.com/api --fail-below B
continue-on-error: trueThis configuration fails your build if the LDAP injection security score drops below a B grade, ensuring vulnerabilities are caught before deployment.
Additional Flask-specific security measures include:
- Use Flask's
before_requestdecorators to validate and sanitize input across all LDAP endpoints - Implement rate limiting on authentication endpoints to slow down injection attempts
- Use Flask's configuration system to store LDAP connection details securely
- Consider using Flask's blueprints to isolate LDAP functionality for easier security auditing
Remember that LDAP injection is just one aspect of API security. middleBrick scans for 12 different security issues, providing comprehensive protection for your Flask APIs.
Frequently Asked Questions
How can I test my Flask LDAP endpoints for injection vulnerabilities?
middlebrick scan http://your-flask-app.com/api to get a security score and detailed findings. The tool tests authentication bypass, directory traversal, and privilege escalation scenarios specific to LDAP injection.