Details
Alert Id 40015
Alert Type Active Scan Rule
Status alpha
Risk High
CWE 90
WASC 29

Summary

LDAP Injection may be possible. It may be possible for an attacker to bypass authentication controls, and to view and modify arbitrary data in the LDAP directory.

Solution

Validate and/or escape all user input before using it to create an LDAP query. In particular, the following characters (or combinations) should be blacklisted: & | ! < > = ~= >= <= * ( ) , + - ' ' ; / NUL character

References

Code

org/zaproxy/zap/extension/ascanrulesAlpha/LdapInjectionScanRule.java