4. LDAP Injection
The Lightweight Directory Access Protocol (LDAP) is used to store information about users, hosts, and many other objects.
LDAP injection is an attack on a web application in which the attacker places LDAP filter syntax in a user input field in an attempt to gain unauthorized access or information.
8. Test Case
● <input type="text" size="20" name="name"> Enter the Username to search for
● searchFilter = "(cn=" + name + ")"
● Input: admin)(|(password=*)
  ○ Resulting filter: (cn=admin)(|(password=*))
15. Countermeasures
● Escape LDAP special characters in user input before it is placed in a filter, including at least ( ) ! | & *
● Use frameworks that automatically protect against LDAP injection
  ○ LINQ to Active Directory provides LDAP encoding when building LDAP queries.
● Least privilege: bind to the directory with an account that has only the rights the application needs
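The following is an added example (not from these slides) that puts the test case and the escaping countermeasure side by side: the slide's raw concatenation next to the same filter built with RFC 4515 hex escaping, plus a small structural check showing that the unescaped input turns one filter into two. The input value is the one from the test case; the function names are this example's own.

```python
# RFC 4515 requires escaping \ * ( ) and NUL inside an assertion value.
# The slide's list also names ! | & ; hex-escaping them is permitted and harmless.
_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
    "!": r"\21", "|": r"\7c", "&": r"\26",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(name: str) -> str:
    """The slide's vulnerable construction: raw string concatenation."""
    return "(cn=" + name + ")"


def build_filter_safe(name: str) -> str:
    """Same filter, but the user value is escaped before concatenation."""
    return "(cn=" + escape_filter_value(name) + ")"


def top_level_components(filt: str) -> int:
    """Count parenthesised groups at nesting depth 0.

    A well-formed single filter has exactly one. Escape sequences such
    as backslash-28 are data, not structure, so they are skipped.
    """
    depth, count, i = 0, 0, 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":          # skip the backslash and its two hex digits
            i += 3
            continue
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return count


if __name__ == "__main__":
    payload = "admin)(|(password=*)"      # the input from the test case slide
    for build in (build_filter_unsafe, build_filter_safe):
        f = build(payload)
        print(f"{build.__name__}: {f}  components={top_level_components(f)}")
```

With escaping applied, the parentheses and the wildcard in the input reach the directory as literal characters of the cn value instead of as filter structure.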