LDAP injection abuses applications that build LDAP search filters from unsanitized input, common in enterprise login and directory lookups. By injecting filter metacharacters like *, (, ), and the & and | operators, an attacker can alter the query to bypass authentication or enumerate directory entries such as users and groups.
The generator outputs authentication-bypass filters like the wildcard *, the always-true filter *)(uid=*))(|(uid=*, and admin)(&) style injections that break out of the intended (uid=input) filter. These manipulate the AND/OR logic so the bind or search returns a matching account without a valid password.
Using the wildcard you can fingerprint values character by character, for example admin)(password=a* to test whether a password starts with 'a' based on whether a result returns. The LDAP Injection generator builds these wildcard and present/absent (attribute=*) filters so you can infer hidden attributes through boolean responses.
Yes. It is completely free and computes every filter locally in your browser, so no input ever reaches a server. Only use the generated LDAP payloads against directory services you are explicitly authorized to test.