LDAP injection

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages) This article provides insufficient context for those unfamiliar with the subject. Please help improve the article by providing more context for the reader. (December 2016) (Learn how and when to remove this message) The topic of this article may not meet Wikipedia's general notability guideline. Please help to demonstrate the notability of the topic by citing reliable secondary sources that are independent of the topic and provide significant coverage of it beyond a mere trivial mention. If notability cannot be shown, the article is likely to be merged, redirected, or deleted. Find sources: "LDAP injection" – news · newspapers · books · scholar · JSTOR (December 2016) (Learn how and when to remove this message) (Learn how and when to remove this message)

LDAP injection is a code injection technique used to exploit web applications which could reveal sensitive user information or modify information represented in the LDAP (Lightweight Directory Access Protocol) data stores.^[1][2][3] LDAP injection exploits a security vulnerability in an application by manipulating input parameters passed to internal search, add or modify functions. When an application fails to properly sanitize user input, it is possible for an attacker to modify a LDAP statement.

LDAP injection occurs when user input it not properly sanitized and then used as part of a dynamically generated LDAP filter. This results in potential manipulation of the LDAP statements performed on the LDAP server by the end-user to either view, modify, or bypass authentication credentials.

LDAP injection is a known attack and can be prevented by simple measures. All of the client supplied input must be checked/sanitized of any characters that may result in malicious behavior. The input validation should verify the input by checking for the presence of special characters that are a part of the LDAP query language, known data types, legal values, etc.. White list input validation can also be used to detect unauthorized input before it is passed to the LDAP query.

This article has not been added to any content categories. Please help out by adding categories to it so that it can be listed with similar articles. (December 2016)