| Details | |
|---|---|
| Alert ID | 40015 |
| Alert Type | Active |
| Status | alpha |
| Risk | High |
| CWE | 90 |
| WASC | 29 |
| Technologies Targeted |
Protocol / LDAP |
| Tags |
OWASP_2017_A01 OWASP_2021_A03 WSTG-V42-INPV-06 |
| More Info |
Scan Rule Help |
Summary
LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.
Solution
Validate and/or escape all user input before using it to create an LDAP query. In particular, the following characters (or combinations) should be deny listed: & | ! < > = ~= >= <= * ( ) , + - " ' ; \ / NUL characterOther Info
References
- https://owasp.org/www-community/attacks/LDAP_Injection
- https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html