[WEB SECURITY] LDAP query
White, Dain P
dainw at wsu.edu
Fri Sep 8 11:43:25 EDT 2006
Thanks everyone - now fully armed, I go forth to do battle with the
teeming hordes... Wish me luck...
~Dain
-----Original Message-----
From: Stephen de Vries [mailto:stephen at corsaire.com]
Sent: Friday, September 08, 2006 8:24 AM
To: White, Dain P
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] LDAP query
On 8 Sep 2006, at 22:03, White, Dain P wrote:
> Howdy group - been a while since I last posted, so I apologize in
> advance if this question has been asked and answered already.
>
> I have written a classic ASP LDAP connection to authenticate users of
> our Active Directory. Are there any special concerns I should take to
> sanitize the input prior to sending it into the LDAP connection? Are
> there any attack vectors for LDAP that are analogous to SQL injection
> attacks?
Yes and yes. There's a Java code snippet for escaping LDAP meta-
characters on the OWASP Java project:
http://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
(Note that it is untested code)
For more information on LDAP injection see:
http://www.spidynamics.com/support/whitepapers/LDAPinjection.pdf
regards,
--
Stephen de Vries
Corsaire Ltd
E-mail: stephen at corsaire.com
Tel: +44 1483 226014
Fax: +44 1483 226068
Web: http://www.corsaire.com
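
Added example, not part of the original thread and not the OWASP snippet linked above: RFC 4515 escaping of a user-supplied value before it goes into an LDAP search filter, shown beside the unescaped concatenation. The filter shape, the function names and the account-name allow-list are assumptions made for illustration, since the thread does not show the poster's query.

```javascript
// Added example; all function names here are hypothetical.

// Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
// The backslash is handled per character, so it is never double-escaped.
function escapeLdapFilterValue(value) {
  var s = String(value);
  var out = "";
  for (var i = 0; i < s.length; i++) {
    var ch = s.charAt(i);
    switch (ch) {
      case "\\":     out += "\\5c"; break;
      case "*":      out += "\\2a"; break;
      case "(":      out += "\\28"; break;
      case ")":      out += "\\29"; break;
      case "\u0000": out += "\\00"; break;
      default:       out += ch;
    }
  }
  return out;
}

// Assumed allow-list for login names, checked before any escaping.
// Adjust the pattern to the naming rules of the directory in use.
function isPlausibleAccountName(name) {
  return typeof name === "string" && /^[A-Za-z0-9._-]{1,64}$/.test(name);
}

// "Before": the input is concatenated as-is, so metacharacters in it
// become part of the filter syntax.
function buildFilterUnsafe(user) {
  return "(&(objectClass=user)(sAMAccountName=" + user + "))";
}

// "After": the input can only ever be a literal attribute value.
function buildFilterSafe(user) {
  return "(&(objectClass=user)(sAMAccountName=" +
         escapeLdapFilterValue(user) + "))";
}

// Structural check: every raw "(" in the result opens a filter component.
// The template above has exactly three; more means the input added syntax.
function countOpenParens(filter) {
  return filter.split("(").length - 1;
}
```

With escaping applied, the number of filter components stays at the template's three regardless of input; the allow-list is a second, independent check and does not replace the escaping.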
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]