What type of injection exploits web-based applications that construct LDAP statements based on user input?


LDAP injection is a type of attack that targets applications that interact with an LDAP (Lightweight Directory Access Protocol) server and construct LDAP statements based on user inputs. When user input is not properly sanitized or validated, an attacker can manipulate the input to alter the LDAP query structure. This might allow unauthorized actions, such as accessing or modifying directory information or bypassing authentication mechanisms.

Using crafted input, an attacker could introduce false data or extract sensitive information from the directory, potentially gaining access to confidential records or performing administrative tasks. The attack exploits the way applications parse and process user-submitted data to construct LDAP queries, which is why LDAP injection is the correct answer to this question.

Other types of injections mentioned, such as SQL injection, XML injection, and directory traversal, do not directly pertain to LDAP queries and target different types of data storage and access mechanisms. SQL injection focuses on manipulating SQL queries to gain unauthorized access to databases, XML injection deals with exploiting XML data, and directory traversal concerns accessing files and directories outside the intended path of a web application. Thus, LDAP injection is the most fitting answer for the type of exploitation described in the question.
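The difference between an LDAP filter built by concatenation and one built with RFC 4515 escaping, as an added example that is not part of the original page. The function names, the `uid` attribute, the username allow-list and the sample inputs are assumptions constructed for illustration.

```python
import re

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Hypothetical allow-list for a login name; adjust to the directory's naming rules.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_valid_username(value: str) -> bool:
    """Validation layer: reject anything outside the expected character set."""
    return _USERNAME_RE.fullmatch(value) is not None


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: user input concatenated straight into the filter."""
    return "(&(objectClass=person)(uid=" + username + "))"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: the value is escaped, so it stays a single literal."""
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


def structure(ldap_filter: str) -> tuple:
    """Counts of '(' , ')' and '*' in the filter text. Escaped characters
    appear as backslash-hex pairs, so they do not contribute to the counts."""
    return (ldap_filter.count("("), ldap_filter.count(")"), ldap_filter.count("*"))


# Constructed sample inputs (not from the page).
SAMPLES = ["jdoe", "*", "smith (contractor)", "x)(cn=*"]

if __name__ == "__main__":
    baseline = structure(build_filter_safe("jdoe"))
    for raw in SAMPLES:
        unsafe, safe = build_filter_unsafe(raw), build_filter_safe(raw)
        print(f"input={raw!r} valid={is_valid_username(raw)}")
        print(f"  unsafe: {unsafe}  changed={structure(unsafe) != baseline}")
        print(f"  safe:   {safe}  changed={structure(safe) != baseline}")
```

With escaping, every input leaves the filter with the same three components and no wildcard; with concatenation, the same inputs change the component count or turn the equality match into a presence match.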
