Which attack targets directory services by manipulating LDAP statements constructed from user input?

Prepare for the Certified Ethical Hacker Version 11 Exam with a comprehensive test featuring flashcards and multiple choice questions, each accompanied by hints and explanations to ensure a thorough understanding. Ace your ethical hacking exam with confidence!

Multiple Choice

Which attack targets directory services by manipulating LDAP statements constructed from user input?

Explanation:
LDAP Injection occurs when an application builds an LDAP search filter by concatenating user-supplied data into it without validating or escaping that data. LDAP filters (RFC 4515) are parenthesised expressions combined with the operators & (AND), | (OR) and ! (NOT), and the characters ( ) * \ and NUL have special meaning inside them, so input that reaches the filter verbatim can change the filter's logic rather than merely its data. For example, if a login routine builds (&(objectClass=person)(uid=userInput)), submitting * as the username turns the uid test into a presence match that returns every person, and submitting admin)(userPassword=a* appends a clause that lets the attacker test, one guess at a time, an attribute the application never meant to expose. The outcome can be authentication bypass or disclosure of more directory data than intended. This is exactly "manipulating LDAP statements constructed from user input". The defence is to escape the special characters in every assertion value (or use a client library that does so) and to validate input against an allow-list before it is used. The other options relate to injecting HTML or server-side directives, or simply name the directory service itself, not altering LDAP queries.
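As an added example (not part of the original question or its explanation), the following Python models the lookup above against a small constructed in-memory directory. A minimal RFC 4515 filter parser and evaluator stand in for the LDAP server, the vulnerable filter builder concatenates input exactly as the text describes, and the hardened builder applies RFC 4515 value escaping. The directory entries, the attacker payloads and the lookup and blind_exfiltrate helpers are all constructed for illustration; the attribute names objectClass, uid and userPassword are the standard LDAP ones.

```python
import re

# Constructed in-memory directory standing in for an LDAP server (example data only).
DIRECTORY = [
    {"objectClass": "person", "uid": "alice", "userPassword": "s3cret"},
    {"objectClass": "person", "uid": "bob", "userPassword": "hunter2"},
    {"objectClass": "person", "uid": "admin", "userPassword": "correct-horse"},
]

def escape_filter_value(value):
    """RFC 4515 escaping: backslash, *, (, ) and NUL become \\xx so they can only be data."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)

class _FilterParser:
    """Minimal RFC 4515 parser: &, |, ! plus equality/substring items (toy, not a real server)."""
    def __init__(self, text):
        self.text, self.pos = text, 0

    def parse(self):
        node = self._filter()
        if self.pos != len(self.text):
            raise ValueError(f"trailing data after filter: {self.text[self.pos:]!r}")
        return node

    def _take(self, expected):
        if self.text[self.pos:self.pos + 1] != expected:
            raise ValueError(f"expected {expected!r} at offset {self.pos}")
        self.pos += 1

    def _filter(self):
        self._take("(")
        op = self.text[self.pos:self.pos + 1]
        if op and op in "&|!":
            self.pos += 1
            children = []
            while self.text[self.pos:self.pos + 1] == "(":
                children.append(self._filter())
            self._take(")")
            if op == "!" and len(children) != 1:
                raise ValueError("NOT takes exactly one filter")
            return (op, children)
        end = self.text.find(")", self.pos)
        attr, sep, value = self.text[self.pos:end].partition("=")
        if end < 0 or not sep or not attr:
            raise ValueError(f"bad item at offset {self.pos}")
        self.pos = end + 1
        return ("=", attr, value)

def _value_matches(pattern, actual):
    # An unescaped '*' is a wildcard; every other character (after \xx decoding) is literal.
    unescape = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    parts = [re.escape(unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.DOTALL) is not None

def _matches(node, entry):
    op = node[0]
    if op in "&|":
        combine = all if op == "&" else any
        return combine(_matches(child, entry) for child in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    return node[1] in entry and _value_matches(node[2], entry[node[1]])

def search(filter_text):
    """Evaluate a filter against DIRECTORY; raises ValueError on a malformed filter."""
    node = _FilterParser(filter_text).parse()
    return [entry["uid"] for entry in DIRECTORY if _matches(node, entry)]

def vulnerable_filter(user_input):
    # The page's example: user-controlled text concatenated straight into the filter.
    return f"(&(objectClass=person)(uid={user_input}))"

def hardened_filter(user_input):
    # Same filter, but the value is escaped so it can never close or open a clause.
    return f"(&(objectClass=person)(uid={escape_filter_value(user_input)}))"

def lookup(build_filter, user_input):
    """uids the directory returns for a login lookup; a malformed filter yields no result."""
    try:
        return search(build_filter(user_input))
    except ValueError:
        return []

def blind_exfiltrate(uid, alphabet="abcdefghijklmnopqrstuvwxyz-", max_len=32):
    """Blind LDAP injection (constructed demo): recover uid's userPassword through the
    vulnerable lookup, using 'entry returned or not' as a boolean oracle, one guess at a time."""
    recovered = ""
    while len(recovered) < max_len:
        for ch in alphabet:
            if lookup(vulnerable_filter, f"{uid})(userPassword={recovered}{ch}*"):
                recovered += ch
                break
        else:
            break  # no character extends the prefix: the whole value has been recovered
    return recovered
```

With the vulnerable builder, the input * yields (uid=*) and every person comes back, and admin)(userPassword=c* appends a clause whose truth leaks one character of another attribute per request; the hardened builder turns the same inputs into (uid=\2a) and (uid=admin\29\28userPassword=c\2a), which match nothing. Real servers differ in how they treat text left over after a complete filter; this toy parser rejects any unbalanced or trailing input, which is the conservative reading.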