
Difference between revisions of "LDAP Injection Prevention Cheat Sheet"

From OWASP
(Least Privilege)
m (Point to the official site)
 
(29 intermediate revisions by 3 users not shown)
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
  
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
= Introduction  =
 
__TOC__{{TOC hidden}}
 
  
This article is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. [[LDAP Injection]] attacks are somewhat common, and this is due to two factors:
+
Please visit [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html LDAP Injection Prevention Cheat Sheet] to see the latest version of the cheat sheet.
 
 
# the lack of safer, parameterized LDAP query interfaces, and
# the widespread use of LDAP to authenticate users to systems.
 
 
 
TBA
 
 
 
Primary Defenses:
 
* TBA
 
 
 
Additional Defenses:
 
* TBA
 
 
 
=Primary Defenses=
 
 
 
==Defense Option 1: TBA==
 
 
 
TBA
 
 
 
;Safe Java TBA Example
 
 
 
TBA
 
 
 
;Safe C# .NET TBA Example
 
 
 
TBA
 
 
 
==Defense Option 2: TBA==
 
 
 
TBA
 
 
 
;Safe Java TBA Example
 
 
 
TBA
 
 
 
;Safe C# .NET TBA Example
 
 
 
TBA
 
 
 
==Defense Option 3: Escaping All User Supplied Input==
 
 
 
TBA
 
 
 
= Additional Defenses =
 
 
 
Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:
 
 
 
* '''Least Privilege'''
* '''White List Input Validation'''
 
 
 
== Least Privilege ==
 
 
 
To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.
 
 
 
TBA
 
 
 
== White List Input Validation ==
 
 
 
Input validation can be used to detect unauthorized input before it is passed to the LDAP query. For more information please see the [[Input Validation Cheat Sheet]].
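The following is an added example, not code from the OWASP cheat sheet, covering both Defense Option 3 (escaping all user supplied input) and the white list validation described above. It implements the escaping rules of RFC 4515 (search filter assertion values) and RFC 4514 (distinguished name attribute values) directly, so it runs without any LDAP client library; the function names, the <code>uid</code>/<code>objectClass</code> attributes and the base DN <code>ou=people,dc=example,dc=com</code> are this example's own assumptions. The whitelist runs first and rejects anything outside the allowed character set; the escaping layer then protects the query even if a future change to the whitelist lets a metacharacter through.

```python
"""Added example (not part of the OWASP cheat sheet): whitelist validation plus
RFC 4515 / RFC 4514 escaping before user input reaches an LDAP filter or DN.
All function names and the sample base DN below are this example's assumptions.
"""
import re

# RFC 4515 section 3: characters with meaning inside a filter assertion value.
# Each must be encoded as a backslash followed by two hex digits.
_FILTER_SPECIALS = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP search filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


# RFC 4514 section 2.4: characters that need a backslash inside a DN attribute
# value anywhere in the string ...
_DN_SPECIALS = set(',+"\\<>;')
# ... plus a leading '#', a leading space and a trailing space (handled below).


def escape_dn_value(value: str) -> str:
    """Escape a string for use as an attribute value inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif (
            ch in _DN_SPECIALS
            or (ch == "#" and i == 0)
            or (ch == " " and (i == 0 or i == last))
        ):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


# Whitelist: the only characters a username may contain in this example's
# directory, with an explicit length bound. Anything else is rejected outright
# rather than "cleaned".
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(username: str) -> bool:
    """White list validation of a username before it is used in any LDAP operation."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_user_filter(username: str) -> str:
    """Build a search filter for one user: validate first, then escape."""
    if not is_valid_username(username):
        raise ValueError("username rejected by whitelist validation")
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def build_user_dn(username: str, base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """Build the DN that would be bound as or looked up, with the RDN value escaped."""
    if not is_valid_username(username):
        raise ValueError("username rejected by whitelist validation")
    return f"uid={escape_dn_value(username)},{base_dn}"


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary username and one containing
    # filter metacharacters. The second never reaches the filter builder because
    # the whitelist rejects it; escaping alone would still neutralise it.
    print(build_user_filter("j.doe-1"))
    print(build_user_dn("j.doe-1"))
    print(escape_filter_value("*)(uid=*"))   # metacharacters become \2a \29 \28
    print(escape_dn_value("Doe, John"))      # comma escaped for use in an RDN
    try:
        build_user_filter("*)(uid=*")
    except ValueError as exc:
        print("rejected:", exc)
```

Escaping and validation answer different questions: the whitelist decides whether the value is acceptable at all, while escaping guarantees that whatever is accepted is treated as data rather than filter syntax. Applying both is the defense in depth this section recommends; if a real client library is in use, its own escaping helpers (for example python-ldap's <code>ldap.filter.escape_filter_chars</code> and <code>ldap.dn.escape_dn_chars</code>) do the same job as the two escape functions here.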
 
 
 
=Related Articles=
 
 
 
'''SQL Injection Attack Cheat Sheets'''
 
 
 
The following articles describe how to exploit, on various platforms, the different kinds of SQL Injection vulnerabilities that this article was created to help you avoid:
 
 
 
<!--
 
* Michael Daw : "SQL Injection Cheat Sheet" - michaeldaw.org/sql-injection-cheat-sheet/ - Note: This link is dead so we disabled it, if it comes back, we'll relink it as it was a good article.
 
-->
 
* Ferruh Mavituna : "SQL Injection Cheat Sheet" - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
* RSnake : "SQL Injection Cheat Sheet-Esp: for filter evasion" - http://ha.ckers.org/sqlinjection/
 
 
 
'''Description of SQL Injection Vulnerabilities'''
 
 
 
* OWASP article on [[SQL Injection]] Vulnerabilities
* OWASP article on [[Blind_SQL_Injection]] Vulnerabilities
 
 
 
'''How to Avoid SQL Injection Vulnerabilities'''
 
 
 
* [[:Category:OWASP Guide Project|OWASP Developers Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities
* OWASP article on [[Preventing SQL Injection in Java]]
* OWASP Cheat Sheet that provides [[Query_Parameterization_Cheat_Sheet|numerous language specific examples of parameterized queries using both Prepared Statements and Stored Procedures]]
* [http://bobby-tables.com/ The Bobby Tables site (inspired by the XKCD webcomic) has numerous examples in different languages of parameterized Prepared Statements and Stored Procedures]
 
 
 
'''How to Review Code for SQL Injection Vulnerabilities'''
 
 
 
* [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for SQL Injection|Review Code for SQL Injection]] Vulnerabilities
 
 
 
'''How to Test for SQL Injection Vulnerabilities'''
 
 
 
* [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for SQL Injection (OWASP-DV-005)|Test for SQL Injection]] Vulnerabilities
 
 
 
= Authors and Primary Editors  =
 
 
 
[[User:wichers|Dave Wichers - dave.wichers]][at]owasp.org<br/>
 
Jim Manico - jim[at]owasp.org<br/>
 
Matt Seil - mseil[at]acm.org 
 
 
 
== Other Cheatsheets ==
 
 
 
{{Cheatsheet_Navigation_Body}}
 
 
 
[[Category:Cheatsheets]]
 
[[Category:Popular]]
 

Latest revision as of 14:16, 15 July 2019
