Difference between revisions of "Projects/OWASP Framework Security Project/Evaluations of LDAP Client APIs"
Revision as of 17:55, 19 January 2016
Here we evaluate and compare various LDAP Client APIs to understand how well they satisfy the Secure LDAP Client API Standard.
NOTE: Both the standard and evaluations below are in a draft state and are likely to change before formal publication.
Overview
| API | Grade | Documents the Security Risks of LDAP Filter Injection | Documents LDAP Bind Authentication Without Filter Queries | Provides an LDAP Filter Escape Function | Provides LDAP Filter Syntax Templates | Provides an Abstract API for LDAP Filter Queries | Supports LDAP with StartTLS | Supports LDAPS | Enables SSL/TLS Certificate Validation by Default | Documents the Customization of Trusted Certificate Authorities | Documents the Risk of Disabling Certificate Validation | Score |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Apache Directory LDAP API (java) | ? | NO | ? | ? | ? | ? | ? | ? | ? | ? | ? | ? |
| ColdFusion 10 cfldap | ? | NO (-2) | ? | ? | ? | ? | ? | ? | ? | ? | ? | ? |
| .NET 4.5 | ? | NO | ? | ? | ? | ? | ? | ? | ? | ? | ? | ? |
| Perl Net::LDAP | ? | YES | ? | ? | ? | ? | ? | ? | ? | ? | ? | ? |
| PHP 5 | ? | NO (-1) | ? | ? | ? | ? | ? | ? | ? | ? | ? | ? |
| python-ldap | ? | YES | ? | ? | ? | ? | ? | ? | ? | ? | ? | ? |
Notes
- ColdFusion 10: Besides not warning developers about the risk of LDAP filter injection, the cfldap documentation page (http://help.adobe.com/en_US/ColdFusion/10.0/Developing/WSc3ff6d0ea77859461172e0811cbec0eb56-7fe5.html) contains an example which is blatantly vulnerable to injection. Minus 2 points.
- PHP 5: Besides not warning developers about the risk of LDAP filter injection, the ldap_search() documentation page (http://php.net/manual/en/function.ldap-search.php) contains an example which leads developers toward a likely injection. Minus 1 point.
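To make the injection risk behind these deductions concrete, the following is an added example (not OWASP's code and not from any of the APIs evaluated above). It shows the concatenation pattern the Notes criticise beside a version that escapes assertion values per RFC 4515, and runs both against a tiny in-memory filter evaluator so the effect is visible without a directory server. The evaluator, the entries in DIRECTORY and the login filter shape are all constructed for this illustration; the escaping rules are the RFC 4515 ones that an API's "LDAP Filter Escape Function" (for python-ldap, ldap.filter.escape_filter_chars() and ldap.filter.filter_format()) implements. Checking a password inside a search filter is itself the anti-pattern the "Documents LDAP Bind Authentication Without Filter Queries" column is about; it is used here only because it is the shape most often found in documentation examples.

```python
"""LDAP filter injection: unsafe concatenation beside RFC 4515 escaping.

Added example, not the original page's or any evaluated API's code.
DIRECTORY, the login filter shape and the mini evaluator are constructed
for illustration only.
"""
import re

# RFC 4515 section 3: these characters in an assertion value must be written
# as a backslash followed by two hex digits, or they are parsed as syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_chars(value: str) -> str:
    """Escape a value so the filter can only ever match it literally."""
    # Single pass: the backslashes this inserts are never re-escaped.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_login_filter(user: str, password: str) -> str:
    """The pattern the Notes criticise: raw user input concatenated in."""
    return "(&(uid=" + user + ")(userPassword=" + password + "))"


def safe_login_filter(user: str, password: str) -> str:
    """Same filter, but every assertion value is escaped first."""
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_filter_chars(user), escape_filter_chars(password))


# ---- a deliberately small RFC 4515 evaluator: &, |, !, equality and '*' ----

def _unescape(s: str) -> str:
    """Turn \\xx hex escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _parse(f: str, i: int):
    """Parse one filter starting at f[i] == '('; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, f))
    i += 1
    op = f[i]
    if op in "&|!":
        i += 1
        kids = []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError("expected ')' at %d in %r" % (i, f))
        return (op, kids), i + 1
    # Equality assertion: a literal ')' ends it, which is exactly what an
    # unescaped ')' in user input exploits.
    j = f.index(")", i)
    attr, _, val = f[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1


def _match_value(pattern: str, actual: str) -> bool:
    """An unescaped '*' is a wildcard; everything else is matched literally."""
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual) is not None


def _eval(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(k, entry) for k in node[1])
    if kind == "|":
        return any(_eval(k, entry) for k in node[1])
    if kind == "!":
        return not _eval(node[1][0], entry)
    _, attr, val = node
    return any(_match_value(val, v) for v in entry.get(attr, []))


def search(entries, filt: str):
    """Return the entries matching filt; reject trailing data after it."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data after filter: %r" % filt[end:])
    return [e for e in entries if _eval(node, e)]


# Constructed sample directory (attribute names lower-cased, values as lists).
DIRECTORY = [
    {"objectclass": ["person"], "uid": ["alice"], "userpassword": ["s3cret"]},
    {"objectclass": ["person"], "uid": ["bob"], "userpassword": ["hunter2"]},
    {"objectclass": ["person"], "uid": ["admin"], "userpassword": ["correct-horse"]},
]


def uids(entries) -> list:
    return [e["uid"][0] for e in entries]


if __name__ == "__main__":
    # A password of "*" bypasses the check in the concatenated filter ...
    print(unsafe_login_filter("admin", "*"), uids(search(DIRECTORY, unsafe_login_filter("admin", "*"))))
    # ... and "*"/"*" matches everyone. With escaping neither input matches.
    print(uids(search(DIRECTORY, unsafe_login_filter("*", "*"))))
    print(safe_login_filter("admin", "*"), uids(search(DIRECTORY, safe_login_filter("admin", "*"))))
```

The unsafe filter built from the password "*" becomes `(&(uid=admin)(userPassword=*))`, a presence test that any admin entry satisfies; the escaped version becomes `(&(uid=admin)(userPassword=\2a))` and only matches a password that is literally an asterisk. An API that ships an escape function or a template/abstract filter builder makes the second form the easy one to write, which is what the corresponding columns in the table reward.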
Tickets
TODO: here we keep track of links to bug submissions/feature requests sent to each API maintainer