Details
Alert Id 40015
Alert Type Active
Status alpha
Risk High
CWE 90
WASC 29
Tags OWASP_2017_A01, OWASP_2021_A03, WSTG-V42-INPV-06

Summary

LDAP Injection may be possible. An attacker may be able to bypass authentication controls and to view or modify arbitrary data in the LDAP directory.

Solution

Validate and/or escape all user input before using it to build an LDAP query. In particular, the following characters (or combinations) should be deny-listed: & | ! < > = ~= >= <= * ( ) , + - " ' ; / and the NUL character.
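The following is an added example, not code from the ZAP rule or from this page, showing the two defensive layers the solution describes: a deny-list check for the characters listed above, and proper escaping of values that are embedded in an LDAP search filter (RFC 4515) or in a distinguished name (RFC 4514). The escaping goes slightly beyond the page's deny list by treating the filter and DN contexts separately, since each has its own escape syntax. The `(uid=...)` filter shape, the function names and the sample payload are assumptions made for the example.

```python
"""Added example (not part of the ZAP alert page): defensive handling of
untrusted input used in LDAP filters and DNs.

Assumption: the application looks up users with a filter of the form
(uid=<input>); the function names here are illustrative, not ZAP's.
"""
import re

# Single characters from the alert's deny list. The multi-character
# operators ~= >= <= are made of these, so a per-character check covers them.
DENY_LIST = set('&|!<>=~*(),+-"\';/\x00')


def deny_list_check(value: str) -> bool:
    """Return True when the value contains none of the deny-listed characters."""
    return not any(ch in DENY_LIST for ch in value)


# RFC 4515 section 3: characters that must be escaped inside a filter
# assertion value, as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# RFC 4514 section 2.4: characters that must be backslash-escaped in a DN
# attribute value; '#' only at the start, space only at start or end.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for inclusion in a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_filter_unsafe(username: str) -> str:
    """The vulnerable pattern: raw concatenation, kept only for comparison."""
    return "(uid=" + username + ")"


def build_filter_safe(username: str) -> str:
    """The hardened pattern: escape the value before concatenating."""
    return "(uid=" + escape_filter_value(username) + ")"


def filter_component_count(ldap_filter: str) -> int:
    """Count unescaped '(' in a filter; a change here means injected structure."""
    return len(re.findall(r"(?<!\\)\(", ldap_filter))


if __name__ == "__main__":
    # Constructed sample payload: closes the uid assertion and opens another.
    payload = "*)(uid=*"
    print("deny-list passes:", deny_list_check(payload))          # False
    print("unsafe filter:   ", build_filter_unsafe(payload))      # (uid=*)(uid=*)
    print("safe filter:     ", build_filter_safe(payload))        # (uid=\2a\29\28uid=\2a)
    print("DN value:        ", escape_dn_value("Smith, John"))    # Smith\, John
```

The deny-list check is the coarse control (reject the input outright); escaping is the fine-grained one that lets legitimate values such as a surname containing a comma through while keeping the query structure fixed. In practice, prefer a library that already implements these escapes, and apply the filter or DN variant according to where the value is placed.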

References

Code

org/zaproxy/zap/extension/ascanrulesAlpha/LdapInjectionScanRule.java