This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "LDAP Injection Prevention Cheat Sheet"

From OWASP
(Authors and Primary Editors)
(Related Articles)
Line 68: Line 68:
 
=Related Articles=
 
=Related Articles=
  
'''SQL Injection Attack Cheat Sheets'''
+
'''Description of LDAP Injection Vulnerabilities'''
  
The following articles describe how to exploit different kinds of SQL Injection Vulnerabilities on various platforms that this article was created to help you avoid:
+
* OWASP article on [[LDAP Injection]] Vulnerabilities
  
<!--
+
'''How to Avoid SQL Injection Vulnerabilities'''
* Michael Daw : "SQL Injection Cheat Sheet" - michaeldaw.org/sql-injection-cheat-sheet/ - Note: This link is dead so we disabled it, if it comes back, we'll relink it as it was a good article.
 
-->
 
* Ferruh Mavituna : "SQL Injection Cheat Sheet" - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
 
* RSnake : "SQL Injection Cheat Sheet-Esp: for filter evasion" - http://ha.ckers.org/sqlinjection/
 
 
 
'''Description of SQL Injection Vulnerabilities'''
 
 
 
* OWASP article on [[SQL Injection]] Vulnerabilities
 
* OWASP article on [[Blind_SQL_Injection]] Vulnerabilities
 
  
'''How to Avoid SQL Injection Vulnerabilities'''
+
* [[:Category:OWASP Guide Project|OWASP Developers Guide]] article on how to [[Guide to LDAP Injection | Avoid LDAP Injection]] Vulnerabilities
 +
* OWASP article on [[Preventing LDAP Injection in Java]]
  
* [[:Category:OWASP Guide Project|OWASP Developers Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities
 
* OWASP article on [[Preventing SQL Injection in Java]]
 
* OWASP Cheat Sheet that provides [[Query_Parameterization_Cheat_Sheet|numerous language specific examples of parameterized queries using both Prepared Statements and Stored Procedures]]
 
* [http://bobby-tables.com/ The Bobby Tables site (inspired by the XKCD webcomic) has numerous examples in different languages of parameterized Prepared Statements and Stored Procedures]
 
  
'''How to Review Code for SQL Injection Vulnerabilities'''
+
'''How to Review Code for LDAP Injection Vulnerabilities'''
  
* [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for SQL Injection|Review Code for SQL Injection]] Vulnerabilities
+
* [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for LDAP Injection|Review Code for LDAP Injection]] Vulnerabilities
  
 
'''How to Test for SQL Injection Vulnerabilities'''
 
'''How to Test for SQL Injection Vulnerabilities'''
  
* [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for SQL Injection (OWASP-DV-005)|Test for SQL Injection]] Vulnerabilities
+
* [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for LDAP Injection (OTG-INPVAL-006)|Test for LDAP Injection]] Vulnerabilities
  
 
= Authors and Primary Editors  =
 
= Authors and Primary Editors  =
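Review bot: two headings in the new revision still say SQL while the entries under them were changed to LDAP: '''How to Avoid SQL Injection Vulnerabilities''' now introduces the [[Guide to LDAP Injection | Avoid LDAP Injection]] and [[Preventing LDAP Injection in Java]] entries, and '''How to Test for SQL Injection Vulnerabilities''' now introduces the [[Testing for LDAP Injection (OTG-INPVAL-006)|Test for LDAP Injection]] entry. Retitle both headings to LDAP so they match the retitled Description and Review Code headings in the same hunk.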

Revision as of 08:15, 28 May 2015


Last revision (mm/dd/yy): 05/28/2015

Introduction

This article is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. LDAP Injection attacks are somewhat common, and this is due to two factors:

  1. the lack of safer, parameterized LDAP query interfaces, and
  2. the widespread use of LDAP to authenticate users to systems.

TBA

Primary Defenses:

  • TBA

Additional Defenses:

  • TBA

Primary Defenses

Defense Option 1: TBA

TBA

Safe Java TBA Example

TBA

Safe C# .NET TBA Example

TBA

Defense Option 2: TBA

TBA

Safe Java TBA Example

TBA

Safe C# .NET TBA Example

TBA

Defense Option 3: Escaping All User Supplied Input

TBA

Additional Defenses

Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:

  • Least Privilege
  • White List Input Validation

Least Privilege

To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.

TBA

White List Input Validation

Input validation can be used to detect unauthorized input before it is passed to the LDAP query. For more information please see the Input Validation Cheat Sheet.
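Defense Option 3 (escaping all user supplied input) and the white list validation described above, as an added example that is not part of the cheat sheet: the white list runs first, then the value is escaped with the rules for the context it is placed in, which differ between a search filter (RFC 4515) and a distinguished name (RFC 4514). The base DN, the username pattern and the helper names are assumptions for the example.

```python
import re

# Characters RFC 4515 requires to be escaped inside a search-filter assertion value.
# Each becomes a backslash followed by the two hex digits of the character.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape user-supplied text for use as a value inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value: str) -> str:
    """Escape user-supplied text for use as an attribute value in a DN (RFC 4514).
    The rules differ from filter escaping: a different character set, plus a
    leading '#' or space and a trailing space are escaped with a backslash."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        else:
            out.append(ch)
    if out and value[0] in "# ":
        out[0] = "\\" + out[0]
    if len(value) > 1 and value[-1] == " ":
        out[-1] = "\\ "
    return "".join(out)

# White list for usernames this (hypothetical) application accepts. Validation runs
# before escaping so that only expected input ever reaches the directory at all.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

def is_valid_username(value: str) -> bool:
    return _USERNAME_RE.fullmatch(value) is not None

BASE_DN = "ou=people,dc=example,dc=com"  # assumed directory layout

def build_user_search_filter(username: str) -> str:
    """Filter that locates one user entry; rejects input the white list does not allow.
    Escaping is still applied afterwards as defense in depth."""
    if not is_valid_username(username):
        raise ValueError("username rejected by white list")
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"

def build_user_dn(username: str) -> str:
    """DN to bind as once the user is located; this context needs DN escaping."""
    if not is_valid_username(username):
        raise ValueError("username rejected by white list")
    return f"uid={escape_dn_value(username)},{BASE_DN}"
```

Authenticate by binding as the DN returned by build_user_dn with the supplied password rather than placing the password in a filter.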

Related Articles

Description of LDAP Injection Vulnerabilities

How to Avoid SQL Injection Vulnerabilities


How to Review Code for LDAP Injection Vulnerabilities

How to Test for SQL Injection Vulnerabilities

Authors and Primary Editors

Jim Manico - jim[at]owasp.org
