(29 intermediate revisions by 3 users not shown)
Line 2: |
| <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> | | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
− | = Introduction =
| |
− | __TOC__{{TOC hidden}}
| |
| | | |
− | This article is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. [[LDAP Injection]] attacks are somewhat common, and this is due to two factors:
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html LDAP Injection Prevention Cheat Sheet] to see the latest version of the cheat sheet. |
− | | |
− | # the lack of safer, parameterized LDAP query interfaces, and
| |
− | # the widespread use of LDAP to authenticate users to systems.
| |
− | | |
− | TBA
| |
− | | |
− | Primary Defenses:
| |
− | * TBA
| |
− | | |
− | Additional Defenses:
| |
− | * TBA
| |
− | | |
− | =Primary Defenses=
| |
− | | |
− | ==Defense Option 1: TBA==
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe Java TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe C# .NET TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ==Defense Option 2: TBA==
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe Java TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe C# .NET TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ==Defense Option 3: Escaping All User Supplied Input==
| |
− | | |
− | TBA
| |
− | | |
− | = Additional Defenses =
| |
− | | |
− | Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:
| |
− | | |
− | * '''Least Privilege'''
| |
− | * '''White List Input Validation'''
| |
− | | |
− | == Least Privilege ==
| |
− | | |
− | To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.
| |
− | | |
− | TBA
| |
− | | |
− | == White List Input Validation ==
| |
− | | |
− | Input validation can be used to detect unauthorized input before it is passed to the SQL query. For more information please see the [[Input Validation Cheat Sheet]].
| |
− | | |
− | =Related Articles=
| |
− | | |
− | '''SQL Injection Attack Cheat Sheets'''
| |
− | | |
− | The following articles describe how to exploit different kinds of SQL Injection Vulnerabilities on various platforms that this article was created to help you avoid:
| |
− | | |
− | <!--
| |
− | * Michael Daw : "SQL Injection Cheat Sheet" - michaeldaw.org/sql-injection-cheat-sheet/ - Note: This link is dead so we disabled it, if it comes back, we'll relink it as it was a good article.
| |
− | -->
| |
− | * Ferruh Mavituna : "SQL Injection Cheat Sheet" - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
| |
− | * RSnake : "SQL Injection Cheat Sheet-Esp: for filter evasion" - http://ha.ckers.org/sqlinjection/
| |
− | | |
− | '''Description of SQL Injection Vulnerabilities'''
| |
− | | |
− | * OWASP article on [[SQL Injection]] Vulnerabilities
| |
− | * OWASP article on [[Blind_SQL_Injection]] Vulnerabilities
| |
− | | |
− | '''How to Avoid SQL Injection Vulnerabilities'''
| |
− | | |
− | * [[:Category:OWASP Guide Project|OWASP Developers Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities
| |
− | * OWASP article on [[Preventing SQL Injection in Java]]
| |
− | * OWASP Cheat Sheet that provides [[Query_Parameterization_Cheat_Sheet|numerous language specific examples of parameterized queries using both Prepared Statements and Stored Procedures]]
| |
− | * [http://bobby-tables.com/ The Bobby Tables site (inspired by the XKCD webcomic) has numerous examples in different languages of parameterized Prepared Statements and Stored Procedures]
| |
− | | |
− | '''How to Review Code for SQL Injection Vulnerabilities'''
| |
− | | |
− | * [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for SQL Injection|Review Code for SQL Injection]] Vulnerabilities
| |
− | | |
− | '''How to Test for SQL Injection Vulnerabilities'''
| |
− | | |
− | * [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for SQL Injection (OWASP-DV-005)|Test for SQL Injection]] Vulnerabilities
| |
− | | |
− | = Authors and Primary Editors =
| |
− | | |
− | [[User:wichers|Dave Wichers - dave.wichers]][at]owasp.org<br/>
| |
− | Jim Manico - jim[at]owasp.org<br/>
| |
− | Matt Seil - mseil[at]acm.org
| |
− | | |
− | == Other Cheatsheets ==
| |
− | | |
− | {{Cheatsheet_Navigation_Body}}
| |
− | | |
− | [[Category:Cheatsheets]]
| |
− | [[Category:Popular]]
| |
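Review bot: the two added rows (the "moved to GitHub" notice and the link to the LDAP Injection Prevention Cheat Sheet on cheatsheetseries.owasp.org) replace the whole draft, but the removal also drops the "[[Category:Cheatsheets]]" and "[[Category:Popular]]" tags and the "{{Cheatsheet_Navigation_Body}}" template at the end of the page, so the stub will disappear from the cheat sheet category listings and lose its navigation footer; consider keeping those three lines below the new notice. Nothing else in the removed revision needs carrying over: every primary defense body was a "TBA" placeholder, the White List Input Validation paragraph refers to "the SQL query" rather than an LDAP filter, and the entire Related Articles section lists SQL Injection resources instead of LDAP ones, so pointing readers at the maintained cheat sheet is the right fix for that content.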