LDAP Injection

Type: Active Scan

Risk: High

Description

LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.

Solution

Validate and/or escape all user input before using it to create an LDAP query. In particular, the following characters (or combinations) should be blacklisted: & | ! <

= ~=

= <=

( ) , +

" ' ;
/ NUL character

References

CWE: 90

WASC: 29

Code

Last updated: 2020-08-11 10:22:14.660Z