LDAP Injection Prevention Cheat Sheet

WORK IN PROGRESS

Last revision (mm/dd/yy):

= Introduction =

This article is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications. LDAP Injection attacks are somewhat common, and this is due to two factors:


 * 1) the lack of safer, parameterized LDAP query interfaces, and
 * 2) the widespread use of LDAP to authenticate users to systems.

TBA

Primary Defenses:
 * TBA

Additional Defenses:
 * TBA

= Primary Defenses =

Defense Option 1: TBA
TBA


 * Safe Java TBA Example

TBA


 * Safe C# .NET TBA Example

TBA

Defense Option 2: TBA
TBA


 * Safe Java TBA Example

TBA


 * Safe C# .NET TBA Example

TBA

Defense Option 3: Escaping All User Supplied Input
TBA
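The example below is added to illustrate this defense and is not code from the original cheat sheet; it is written in Python because the escaping rules are protocol-level and independent of the Java or C# APIs this page will cover. It escapes user-supplied values two different ways, because LDAP has two contexts with different rules: assertion values inside a search filter (RFC 4515 section 3, where `\`, `*`, `(`, `)` and NUL become `\xx` hex escapes) and attribute values inside a distinguished name (RFC 4514 section 2.4, where `"`, `+`, `,`, `;`, `<`, `>`, `\`, a leading `#` and leading or trailing spaces are backslash-escaped). The attribute names, the base DN `ou=people,dc=example,dc=com` and the sample input values are constructed for the example.

```python
"""Escaping user-supplied values before they are placed in an LDAP filter or DN.

Added example for the OWASP LDAP Injection Prevention Cheat Sheet; the directory
layout, attribute names and sample values below are constructed, not from a real
deployment.
"""
from typing import Dict, List

# RFC 4515 section 3: characters that must be escaped inside a filter
# assertion value, each replaced by a backslash and two hex digits.
_FILTER_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514 section 2.4: characters that are escaped with a leading backslash
# anywhere in a DN attribute value.
_DN_SPECIAL = set('"+,;<>\\')


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use in an LDAP search filter (RFC 4515).

    Control characters and non-ASCII characters are also emitted as escaped
    UTF-8 bytes; RFC 4515 permits literal UTF-8, but escaping keeps the filter
    pure ASCII, which is easier to log and inspect.
    """
    out: List[str] = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a distinguished name (RFC 4514)."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:          # only a leading '#' is special
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing space
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_lookup_filter(username: str) -> str:
    """Build a search filter for a login name; the value is escaped, so
    metacharacters in ``username`` cannot add or close assertions."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(username)


def user_dn(cn: str, base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """Build the DN of a user entry from an untrusted common name."""
    return "cn=%s,%s" % (escape_dn_value(cn), base_dn)


if __name__ == "__main__":
    # Constructed inputs containing filter and DN metacharacters.
    print(user_lookup_filter("admin*)(objectClass=*"))
    print(user_dn("Smith, John"))
    print(user_dn(" #Contractor+ "))
```

Note that the two escaping functions are not interchangeable: a value escaped with the filter rules is not safe to splice into a DN, and vice versa, so the code that builds the string must know which context it is building for.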

= Additional Defenses =

Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:


 * Least Privilege
 * White List Input Validation

Least Privilege
To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.

TBA

White List Input Validation
Input validation can be used to detect unauthorized input before it is passed to the LDAP query. For more information please see the Input Validation Cheat Sheet.
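As an added illustration of this defense (not code from the original cheat sheet), the Python below gates two kinds of identifier behind allowlist rules before any LDAP query is built. The field names `uid` and `groupname`, the character sets and the length limits are assumptions for the example; a real deployment derives them from its own naming standard. The patterns deliberately contain none of the LDAP filter or DN metacharacters, so a value that passes cannot alter the structure of a query even before escaping is applied, and `fullmatch` is used instead of `^...$` anchors because `$` would still accept a value with a trailing newline.

```python
"""Allowlist validation of identifiers before they reach an LDAP query.

Added example for the OWASP LDAP Injection Prevention Cheat Sheet. The field
rules are constructed for the example and are not a standard of any directory.
"""
import re
from typing import Dict, Pattern

# One anchored-by-fullmatch pattern per field. Neither character class admits
# the filter metacharacters (\ * ( ) NUL) or the DN metacharacters
# (" + , ; < > \ #), so accepted values carry no LDAP syntax.
_FIELD_RULES: Dict[str, Pattern[str]] = {
    # Assumed login-name policy: letters, digits, dot, underscore, hyphen; 1-64 chars.
    "uid": re.compile(r"[A-Za-z0-9._-]{1,64}"),
    # Assumed group-name policy: letters, digits, hyphen; 1-32 chars.
    "groupname": re.compile(r"[A-Za-z0-9-]{1,32}"),
}


class ValidationError(ValueError):
    """Raised when a value is not on the allowlist for its field."""


def validate(field: str, value: object) -> str:
    """Return ``value`` unchanged if it satisfies the allowlist for ``field``.

    Unknown fields are rejected rather than passed through, so a new input
    cannot bypass validation simply by lacking a rule.
    """
    rule = _FIELD_RULES.get(field)
    if rule is None:
        raise ValidationError("no allowlist rule for field %r" % field)
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise ValidationError("%s rejected by allowlist" % field)
    return value


def is_valid(field: str, value: object) -> bool:
    """Boolean form of ``validate`` for callers that only need a yes/no."""
    try:
        validate(field, value)
    except ValidationError:
        return False
    return True


def group_member_filter(groupname: str) -> str:
    """Build a filter only from a validated group name.

    Validation here is the first layer; the value should still be escaped
    (Defense Option 3) when it is interpolated, as defense in depth.
    """
    return "(&(objectClass=groupOfNames)(cn=%s))" % validate("groupname", groupname)


if __name__ == "__main__":
    # Constructed inputs: one accepted, the rest rejected.
    for candidate in ("dev-team", "dev team", "dev-team)(cn=*", "dev-team\n"):
        print(repr(candidate), "->", is_valid("groupname", candidate))
```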

= Related Articles =

Description of LDAP Injection Vulnerabilities


 * OWASP article on LDAP Injection Vulnerabilities

How to Avoid LDAP Injection Vulnerabilities


 * OWASP Developers Guide article on how to Avoid LDAP Injection Vulnerabilities
 * OWASP article on Preventing LDAP Injection in Java

How to Review Code for LDAP Injection Vulnerabilities


 * OWASP Code Review Guide article on how to Review Code for LDAP Injection Vulnerabilities

How to Test for LDAP Injection Vulnerabilities


 * OWASP Testing Guide article on how to Test for LDAP Injection Vulnerabilities

= Authors and Primary Editors =

Jim Manico - jim[at]owasp.org