| (25 intermediate revisions by 2 users not shown) |
| Line 2: |
Line 2: |
| | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> | | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | | |
| − | *WORK IN PROGRESS*
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | | |
| − | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html LDAP Injection Prevention Cheat Sheet] to see the latest version of the cheat sheet. |
| − | = Introduction =
| |
| − | __TOC__{{TOC hidden}}
| |
| − | | |
| − | This article is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. [[LDAP Injection]] attacks are somewhat common, and this is due to two factors:
| |
| − | | |
| − | # the lack of safer, parameterized LDAP query interfaces, and
| |
| − | # the widespread use of LDAP to authenticate users to systems.
| |
| − | | |
| − | TBA
| |
| − | | |
| − | Primary Defenses:
| |
| − | * TBA
| |
| − | | |
| − | Additional Defenses:
| |
| − | * TBA
| |
| − | | |
| − | =Primary Defenses=
| |
| − | | |
| − | ==Defense Option 1: TBA==
| |
| − | | |
| − | TBA
| |
| − | | |
| − | ;Safe Java TBA Example
| |
| − | | |
| − | TBA
| |
| − | | |
| − | ;Safe C# .NET TBA Example
| |
| − | | |
| − | TBA
| |
| − | | |
| − | ==Defense Option 2: TBA==
| |
| − | | |
| − | TBA
| |
| − | | |
| − | ;Safe Java TBA Example
| |
| − | | |
| − | TBA
| |
| − | | |
| − | ;Safe C# .NET TBA Example
| |
| − | | |
| − | TBA
| |
| − | | |
| − | ==Defense Option 3: Escaping All User Supplied Input==
| |
| − | | |
| − | TBA
| |
| − | | |
| − | = Additional Defenses =
| |
| − | | |
| − | Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:
| |
| − | | |
| − | * '''Least Privilege'''
| |
| − | * '''White List Input Validation'''
| |
| − | | |
| − | == Least Privilege ==
| |
| − | | |
| − | To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.
| |
| − | | |
| − | TBA
| |
| − | | |
| − | == White List Input Validation ==
| |
| − | | |
| − | Input validation can be used to detect unauthorized input before it is passed to the SQL query. For more information please see the [[Input Validation Cheat Sheet]].
| |
| − | | |
| − | =Related Articles=
| |
| − | | |
| − | '''Description of LDAP Injection Vulnerabilities'''
| |
| − | | |
| − | * OWASP article on [[LDAP Injection]] Vulnerabilities
| |
| − | | |
| − | '''How to Avoid SQL Injection Vulnerabilities'''
| |
| − | | |
| − | * [[:Category:OWASP Guide Project|OWASP Developers Guide]] article on how to [[Guide to LDAP Injection | Avoid LDAP Injection]] Vulnerabilities
| |
| − | * OWASP article on [[Preventing LDAP Injection in Java]]
| |
| − | | |
| − | | |
| − | '''How to Review Code for LDAP Injection Vulnerabilities'''
| |
| − | | |
| − | * [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for LDAP Injection|Review Code for LDAP Injection]] Vulnerabilities
| |
| − | | |
| − | '''How to Test for LDAP Injection Vulnerabilities'''
| |
| − | | |
| − | * [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for LDAP Injection (OTG-INPVAL-006)|Test for LDAP Injection]] Vulnerabilities
| |
| − | | |
| − | = Authors and Primary Editors =
| |
| − | | |
| − | Jim Manico - jim[at]owasp.org<br/>
| |
| − | | |
| − | | |
| − | == Other Cheatsheets ==
| |
| − | | |
| − | {{Cheatsheet_Navigation_Body}}
| |
| − | | |
| − | [[Category:Cheatsheets]]
| |
| − | [[Category:Popular]]
| |
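Review bot: the replacement revision drops the `[[Category:Cheatsheets]]` and `[[Category:Popular]]` tags and the `{{Cheatsheet_Navigation_Body}}` transclusion along with the draft body, so the wiki page no longer appears in the cheat sheet category listing or the shared navigation block and readers following wiki navigation will not reach the pointer to the GitHub/cheatsheetseries.owasp.org version; keep at least the category tags in the new revision. Separately, the removed draft carried a copy-paste slip worth not propagating to the GitHub copy: the White List Input Validation paragraph speaks of input "passed to the SQL query" and the Related Articles heading reads "How to Avoid SQL Injection Vulnerabilities" although both concern LDAP queries and the links beneath are LDAP-specific.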