|
|
(26 intermediate revisions by 2 users not shown) |
Line 2: |
Line 2: |
| <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> | | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
− | = Introduction =
| |
− | __TOC__{{TOC hidden}}
| |
| | | |
− | This article is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. [[LDAP Injection]] attacks are somewhat common, and this is due to two factors:
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html LDAP Injection Prevention Cheat Sheet] to see the latest version of the cheat sheet. |
− | | |
− | # the lack of safer, parameterized LDAP query interfaces, and
| |
− | # the widespread use of LDAP to authenticate users to systems.
| |
− | | |
− | TBA
| |
− | | |
− | Primary Defenses:
| |
− | * TBA
| |
− | | |
− | Additional Defenses:
| |
− | * TBA
| |
− | | |
− | =Primary Defenses=
| |
− | | |
− | ==Defense Option 1: TBA==
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe Java TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe C# .NET TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ==Defense Option 2: TBA==
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe Java TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe C# .NET TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ==Defense Option 3: Escaping All User Supplied Input==
| |
− | | |
− | TBA
| |
− | | |
− | = Additional Defenses =
| |
− | | |
− | Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:
| |
− | | |
− | * '''Least Privilege'''
| |
− | * '''White List Input Validation'''
| |
− | | |
− | == Least Privilege ==
| |
− | | |
− | To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.
| |
− | | |
− | TBA
| |
− | | |
− | == White List Input Validation ==
| |
− | | |
− | Input validation can be used to detect unauthorized input before it is passed to the SQL query. For more information please see the [[Input Validation Cheat Sheet]].
| |
− | | |
− | =Related Articles=
| |
− | | |
− | '''Description of LDAP Injection Vulnerabilities'''
| |
− | | |
− | * OWASP article on [[LDAP Injection]] Vulnerabilities
| |
− | | |
− | '''How to Avoid SQL Injection Vulnerabilities'''
| |
− | | |
− | * [[:Category:OWASP Guide Project|OWASP Developers Guide]] article on how to [[Guide to LDAP Injection | Avoid LDAP Injection]] Vulnerabilities
| |
− | * OWASP article on [[Preventing LDAP Injection in Java]]
| |
− | | |
− | | |
− | '''How to Review Code for LDAP Injection Vulnerabilities'''
| |
− | | |
− | * [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for LDAP Injection|Review Code for LDAP Injection]] Vulnerabilities
| |
− | | |
− | '''How to Test for LDAP Injection Vulnerabilities'''
| |
− | | |
− | * [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for LDAP Injection (OTG-INPVAL-006)|Test for LDAP Injection]] Vulnerabilities
| |
− | | |
− | = Authors and Primary Editors =
| |
− | | |
− | Jim Manico - jim[at]owasp.org<br/>
| |
− | | |
− | | |
− | == Other Cheatsheets ==
| |
− | | |
− | {{Cheatsheet_Navigation_Body}}
| |
− | | |
− | [[Category:Cheatsheets]]
| |
− | [[Category:Popular]]
| |