This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "LDAP Injection Prevention Cheat Sheet"
m |
m |
||
Line 10: | Line 10: | ||
This cheatsheet is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. | This cheatsheet is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. | ||
− | LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements through techniques similar to [[SQL Injection]] . LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. For more information on LDAP Injection attacks, visit [[LDAP_injection]]. | + | LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements through techniques similar to [[SQL Injection]]. LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. For more information on LDAP Injection attacks, visit [[LDAP_injection]]. |
[[LDAP injection]] attacks are somewhat common, and this is due to two factors: | [[LDAP injection]] attacks are somewhat common, and this is due to two factors: |
Revision as of 11:26, 29 October 2015
WORK IN PROGRESS
Last revision (mm/dd/yy): 10/29/2015
Introduction
This cheatsheet is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications.
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements through techniques similar to SQL Injection. LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. For more information on LDAP Injection attacks, visit LDAP_injection.
LDAP injection attacks are somewhat common, and this is due to two factors:
- The lack of safer, parameterized LDAP query interfaces
- The widespread use of LDAP to authenticate users to systems.
Primary Defenses:
- TBA
Additional Defenses:
- TBA
Primary Defenses
Defense Option 1: TBA
TBA
- Safe Java TBA Example
TBA
- Safe C# .NET TBA Example
TBA
Defense Option 2: TBA
TBA
- Safe Java TBA Example
TBA
- Safe C# .NET TBA Example
TBA
Defense Option 3: Escaping All User Supplied Input
TBA
Additional Defenses
Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:
- Least Privilege
- White List Input Validation
Least Privilege
To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.
TBA
White List Input Validation
Input validation can be used to detect unauthorized input before it is passed to the SQL query. For more information please see the Input Validation Cheat Sheet.
Related Articles
Description of LDAP Injection Vulnerabilities
- OWASP article on LDAP Injection Vulnerabilities
How to Avoid SQL Injection Vulnerabilities
- OWASP Developers Guide article on how to Avoid LDAP Injection Vulnerabilities
- OWASP article on Preventing LDAP Injection in Java
How to Review Code for LDAP Injection Vulnerabilities
- OWASP Code Review Guide article on how to Review Code for LDAP Injection Vulnerabilities
How to Test for LDAP Injection Vulnerabilities
- OWASP Testing Guide article on how to Test for LDAP Injection Vulnerabilities
Authors and Primary Editors
Jim Manico - jim[at]owasp.org