This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "LDAP injection"

From OWASP
m (small typo fix and rewording)
 
(23 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
{{Template:Attack}}
 
{{Template:Attack}}
 +
 +
Last revision: '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
  
 
==Description==
 
==Description==
LDAP (Lightweight Directory Access Protocol) Injection is an attack used to exploit web based applications that construct LDAP statements from user input. When an application fails to sufficiently sanatize user input, it may be possible for an attacker to alter the construction of an LDAP statement. Due to the nature of web based applications the process will be run with the same permissions as the web server itself. Thus this could result in the execution of the command. Such a scenario could result in granting permissions to query, modify or remove anything inside the LDAP tree.
+
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it’s possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree.
 +
The same advanced exploitation techniques available in [[SQL Injection]] can be similarly applied in LDAP Injection.
  
 
==References==
 
==References==
*[http://www.ietf.org/rfc/rfc1960.txt A String Representation of LDAP Search Filters (RFC1960)]
+
* https://www.owasp.org/index.php/LDAP_Injection_Prevention_Cheat_Sheet
*[http://www.redbooks.ibm.com/redbooks/SG244986.html IBM RedBooks - Understanding LDAP]
 
 
 
==Related Attacks==
 
*[[Interpreter Injection]]
 
*[[SQL Injection]]
 
*[[Command Injection]]
 
 
 
==Related Vulnerabilities==
 
[[:Category:Lack of Input Validation]]
 
 
 
==Related Countermeasures==
 
[[:Category:Input Validation]]
 
  
==Categories==
+
__NOTOC__
[[Category:Injection Attack]]
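Review bot: the rewritten Description (right-hand column) drops the earlier text's explanation of the flaw itself, that the application builds the LDAP statement from unsanitized input and the attacker can "alter the construction of an LDAP statement", and replaces it with "modify LDAP statements using a local proxy", which names a tool rather than the weakness; suggest keeping the "alter the construction" sentence and mentioning the proxy only as one way the input is supplied. Likewise "execution of arbitrary commands" is broader than what the earlier wording claimed ("granting permissions to query, modify or remove anything inside the LDAP tree"), and the earlier, narrower statement of impact reads as the more accurate one for a filter-injection attack.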
 

Latest revision as of 16:25, 9 December 2016

This is an Attack. To view all attacks, please see the Attack Category page.


Last revision: 12/9/2016

Description

LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements from user input. When an application fails to properly sanitize that input, an attacker can alter the LDAP statement the application builds (for example by modifying requests through a local proxy). This could result in the execution of arbitrary commands, such as granting permissions for unauthorized queries or modifying content inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.
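The paragraph above says the statement is altered because user input is concatenated into it unescaped. The following example, added here and not part of the OWASP page, shows the vulnerable construction beside a hardened one that escapes assertion values with the encoding defined in RFC 4515 (the successor of RFC 1960, which the page cites). The `uid`/`objectClass` login filter, the `escape_filter_value` helper and the username allowlist are assumptions for illustration; the filter is only built as a string, no directory is contacted.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so they cannot be read as filter syntax.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Hypothetical allowlist for a username field: reject anything that is not
# a plain identifier before it ever reaches the filter builder.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value per RFC 4515 so it stays a value."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """The vulnerable pattern the page describes: raw input inside the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter_safe(username: str) -> str:
    """Hardened: validate against the allowlist, then escape before insertion."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allowlist")
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def count_filter_components(filter_str: str) -> int:
    """Number of filter components, i.e. literal '(' characters.

    After escaping, user input can no longer contain a literal '(' or ')',
    so the component count of a well-formed template is fixed by the
    template alone. A count that differs from the template's is a sign
    the input changed the filter's structure.
    """
    return filter_str.count("(")


def input_changed_structure(username: str, expected_components: int = 3) -> bool:
    """Defender's check: did raw input add or remove filter components?"""
    return count_filter_components(build_login_filter_unsafe(username)) != expected_components


if __name__ == "__main__":
    # Constructed sample inputs.
    benign = "bob"
    crafted = "bob)(uid=*"  # closes the uid assertion and opens another

    print(build_login_filter_unsafe(benign))
    print(build_login_filter_unsafe(crafted), "<- structure changed")
    print("structure changed:", input_changed_structure(crafted))

    # Escaping keeps the crafted string inside the uid value.
    print(build_login_filter_safe(benign))
    print(build_login_filter_safe("bob") if USERNAME_RE.match(crafted) is None else "")
    print(repr(escape_filter_value(crafted)))
```

Allowlisting alone is enough for a field like a username; escaping is the general defence for fields that legitimately contain parentheses or asterisks (display names, descriptions), and the component count is a cheap assertion to put in a unit test for every filter template the application uses.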

References