This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "LDAP Injection Prevention Cheat Sheet"

From OWASP
Jump to: navigation, search
(setting up definition)
Line 13: Line 13:
 
# the widespread use of LDAP to authenticate users to systems.
 
# the widespread use of LDAP to authenticate users to systems.
  
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.
+
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements through techniques similar to[[SQL Injection]] . LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. For more information on LDAP Injection attacks, visit [[LDAP_injection]].
  
 
Primary Defenses:
 
Primary Defenses:

Revision as of 11:24, 29 October 2015

Cheatsheets-header.jpg

WORK IN PROGRESS

Last revision (mm/dd/yy): 10/29/2015

Introduction

This article is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. LDAP Injection attacks are somewhat common, and this is due to two factors:

  1. the lack of safer, parameterized LDAP query interfaces, and
  2. the widespread use of LDAP to authenticate users to systems.

LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements through techniques similar toSQL Injection . LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. For more information on LDAP Injection attacks, visit LDAP_injection.

Primary Defenses:

  • TBA

Additional Defenses:

  • TBA

Primary Defenses

Defense Option 1: TBA

TBA

Safe Java TBA Example

TBA

Safe C# .NET TBA Example

TBA

Defense Option 2: TBA

TBA

Safe Java TBA Example

TBA

Safe C# .NET TBA Example

TBA

Defense Option 3: Escaping All User Supplied Input

TBA

Additional Defenses

Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:

  • Least Privilege
  • White List Input Validation

Least Privilege

To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.

TBA

White List Input Validation

Input validation can be used to detect unauthorized input before it is passed to the SQL query. For more information please see the Input Validation Cheat Sheet.

Related Articles

Description of LDAP Injection Vulnerabilities

How to Avoid SQL Injection Vulnerabilities


How to Review Code for LDAP Injection Vulnerabilities

How to Test for LDAP Injection Vulnerabilities

Authors and Primary Editors

Jim Manico - jim[at]owasp.org


Other Cheatsheets