| Details | |
|---|---|
| Alert ID | 40015-2 |
| Alert Type | Active |
| Status | alpha |
| Risk | High |
| CWE | 90 |
| WASC | 29 |
| Technologies Targeted |
Protocol / LDAP |
| Tags |
API_2023_API4 CWE-90 HIPAA OWASP_2017_A01 OWASP_2021_A03 OWASP_2025_A05 PCI_DSS POLICY_PENTEST WSTG-V42-INPV-06 |
| More Info |
Scan Rule Help |
Summary
LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.
Solution
Validate and/or escape all user input before using it to create an LDAP query. In particular, the following characters (or combinations) should be deny listed: & | ! < > = ~= >= <= * ( ) , + - " ' ; \ / NUL characterOther Info
parameter [param] on [GET] [https://example.com/] may be vulnerable to LDAP injection, by using the logically equivalent expression [test)(objectClass=*], and FALSE expression [randomvalue].References
- https://owasp.org/www-community/attacks/LDAP_Injection
- https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html