|
|
(17 intermediate revisions by 2 users not shown) |
Line 2: |
Line 2: |
| <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> | | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | <b>WORK IN PROGRESS</b>
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | |
− | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html LDAP Injection Prevention Cheat Sheet] to see the latest version of the cheat sheet. |
− | = Introduction =
| |
− | __TOC__{{TOC hidden}}
| |
− | | |
− | This cheatsheet is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications.
| |
− | | |
− | LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements through techniques similar to [[SQL Injection]]. LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. For more information on LDAP Injection attacks, visit [[LDAP injection]].
| |
− | | |
− | [[LDAP injection]] attacks are common due to two factors:
| |
− | | |
− | # The lack of safer, parameterized LDAP query interfaces
| |
− | # The widespread use of LDAP to authenticate users to systems.
| |
− | | |
− | Primary Defenses:
| |
− | * TBA
| |
− | | |
− | Additional Defenses:
| |
− | * TBA
| |
− | | |
− | =Primary Defenses=
| |
− | | |
− | ==Defense Option 1: TBA==
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe Java TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe C# .NET TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ==Defense Option 2: TBA==
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe Java TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ;Safe C# .NET TBA Example
| |
− | | |
− | TBA
| |
− | | |
− | ==Defense Option 3: Escaping All User Supplied Input==
| |
− | | |
− | TBA
| |
− | | |
− | = Additional Defenses =
| |
− | | |
− | Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:
| |
− | | |
− | * '''Least Privilege'''
| |
− | * '''White List Input Validation'''
| |
− | | |
− | == Least Privilege ==
| |
− | | |
− | To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.
| |
− | | |
− | TBA
| |
− | | |
− | == White List Input Validation ==
| |
− | | |
− | Input validation can be used to detect unauthorized input before it is passed to the SQL query. For more information please see the [[Input Validation Cheat Sheet]].
| |
− | | |
− | =Related Articles=
| |
− | | |
− | '''Description of LDAP Injection Vulnerabilities'''
| |
− | | |
− | * OWASP article on [[LDAP Injection]] Vulnerabilities
| |
− | | |
− | '''How to Avoid SQL Injection Vulnerabilities'''
| |
− | | |
− | * [[:Category:OWASP Guide Project|OWASP Developers Guide]] article on how to [[Guide to LDAP Injection | Avoid LDAP Injection]] Vulnerabilities
| |
− | * OWASP article on [[Preventing LDAP Injection in Java]]
| |
− | | |
− | | |
− | '''How to Review Code for LDAP Injection Vulnerabilities'''
| |
− | | |
− | * [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for LDAP Injection|Review Code for LDAP Injection]] Vulnerabilities
| |
− | | |
− | '''How to Test for LDAP Injection Vulnerabilities'''
| |
− | | |
− | * [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for LDAP Injection (OTG-INPVAL-006)|Test for LDAP Injection]] Vulnerabilities
| |
− | | |
− | = Authors and Primary Editors =
| |
− | | |
− | Jim Manico - jim[at]owasp.org<br/>
| |
− | | |
− | | |
− | == Other Cheatsheets ==
| |
− | | |
− | {{Cheatsheet_Navigation_Body}}
| |
− | | |
− | [[Category:Cheatsheets]]
| |
− | [[Category:Popular]]
| |