Asked by .,.,.,
You are a security engineer at a large corporation. During a routine security audit, you discover that the company's internal application is vulnerable to Lightweight Directory Access Protocol (LDAP) Injection attacks.
The application uses LDAP for user authentication and does not sanitize input when adding filter parameters.
Which of the following actions should you recommend to mitigate this vulnerability?
Answer options:
Switch to a different authentication protocol like OAuth.
Implement SSL/TLS encryption for all data in transit.
Implement proper input validation and sanitization.
Disable all client-side scripting.
Answered by GPT-5 mini (AI)
Correct choice: Implement proper input validation and sanitization.
Why:
- LDAP injection happens when untrusted input is concatenated into LDAP filters. Validating and sanitizing (or escaping) input prevents user-supplied characters from changing the query semantics.
- Best practices: use allow-list (whitelist) validation, escape LDAP filter/meta characters per RFC 4515 (e.g., *, (, ), \, NUL) or use your LDAP library's parameterized/escape APIs instead of string concatenation, and apply least privilege to LDAP accounts.
Why the others are insufficient:
- Switching to OAuth doesn’t directly fix LDAP injection in code that builds LDAP queries (it might avoid LDAP entirely, but is a major architecture change and not an immediate mitigation).
- SSL/TLS only protects data in transit; it doesn’t stop injection attacks.
- Disabling client-side scripting is irrelevant — LDAP injection is a server-side issue.
Recommend: implement input validation/escaping + use safe LDAP APIs (parameterized queries) and review/authenticate/account permissions.
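The two mitigations the answer recommends, allow-list validation of the username and RFC 4515 escaping of filter metacharacters, are shown below in an added Python example. This code is not from the question, the answer, or any LDAP library; the filter shape `(&(objectClass=person)(uid=...))`, the username allow-list pattern and the function names are assumptions chosen for illustration.

```python
import re

# RFC 4515 section 3 requires these characters to be escaped inside an
# assertion value as a backslash followed by two hex digits. The backslash
# is listed first so that escapes produced by this table are not re-escaped.
_LDAP_FILTER_ESCAPES = [
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
]


def escape_ldap_filter_value(value: str) -> str:
    """Escape a single assertion value for inclusion in an LDAP search filter."""
    for raw, escaped in _LDAP_FILTER_ESCAPES:
        value = value.replace(raw, escaped)
    return value


# Assumed allow-list for usernames: letters, digits, dot, underscore, hyphen.
# Real deployments should derive this from their own naming policy.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(username: str) -> bool:
    """Allow-list check: reject anything outside the expected character set."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_login_filter_unsafe(username: str) -> str:
    """The vulnerable pattern from the question: raw string concatenation.

    Any filter metacharacter in `username` becomes part of the filter grammar.
    """
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter_safe(username: str) -> str:
    """Hardened version: validate against the allow-list, then escape.

    Escaping after validation is defence in depth; if the allow-list is later
    loosened, the escaping still keeps the value from altering the filter.
    """
    if not is_valid_username(username):
        raise ValueError("username rejected by allow-list validation")
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def compare(username: str) -> dict:
    """Show what the unsafe builder emits versus the escaped value."""
    return {
        "unsafe_filter": build_login_filter_unsafe(username),
        "escaped_value": escape_ldap_filter_value(username),
        "passes_allow_list": is_valid_username(username),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a normal username and one containing a wildcard.
    for name in ("alice.smith", "alice*"):
        print(name, "->", compare(name))
```

In production, prefer the escaping routine your LDAP client library ships (python-ldap's `ldap.filter.escape_filter_chars` and `ldap.filter.filter_format`, or ldap3's `ldap3.utils.conv.escape_filter_chars`) over a hand-written table, and keep the allow-list check in front of it so malformed input is rejected before it reaches the directory at all.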