This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "LDAP injection"
Weilin Zhong (talk | contribs) (→Related Attacks) |
(Initial content) |
||
| Line 2: | Line 2: | ||
==Description== | ==Description== | ||
| + | LDAP (Lightweight Directory Access Protocol) Injection is an attack used to exploit web based applications by constructing LDAP statements from user input. When an application fails to sufficiently sanatize user input, it may be possible for an attacker to alter the construction of an LDAP statement. Due to the nature of web based applicationthe process will be run with the same permissions as the web server itself. Thus this could result in the execution of the command. Such a scenario could result in granting permissions to query, modify or remove anything inside the LDAP tree. | ||
| − | == | + | ==References== |
| − | + | *[http://www.ietf.org/rfc/rfc1960.txt A String Representation of LDAP Search Filters (RFC1960)] | |
| − | + | *[http://www.redbooks.ibm.com/redbooks/SG244986.html IBM RedBooks - Understanding LDAP] | |
==Related Attacks== | ==Related Attacks== | ||
| Line 16: | Line 17: | ||
==Related Countermeasures== | ==Related Countermeasures== | ||
| − | |||
[[:Category:Input Validation]] | [[:Category:Input Validation]] | ||
==Categories== | ==Categories== | ||
| − | |||
| − | |||
| − | |||
[[Category:Injection Attack]] | [[Category:Injection Attack]] | ||
Revision as of 18:20, 6 September 2006
- This is an Attack. To view all attacks, please see the Attack Category page.
Description
LDAP (Lightweight Directory Access Protocol) Injection is an attack used to exploit web based applications by constructing LDAP statements from user input. When an application fails to sufficiently sanatize user input, it may be possible for an attacker to alter the construction of an LDAP statement. Due to the nature of web based applicationthe process will be run with the same permissions as the web server itself. Thus this could result in the execution of the command. Such a scenario could result in granting permissions to query, modify or remove anything inside the LDAP tree.
References
Related Attacks
Related Vulnerabilities
Category:Lack of Input Validation
