where the permissions grant the rights to query, modify or remove
anything inside the LDAP tree.
The same advanced exploitation techniques available in SQL Injection (wildcard and boolean probing, filter
rewriting) can also be applied to LDAP Injection.
Example
Vulnerable code with comments:
<%@ Language=VBScript %>
<%
  Dim userName
  Dim filter
  Dim ldapObj

  Const LDAP_SERVER = "ldap.example"

  userName = Request.QueryString("user")

  if( userName = "" ) then
    Response.Write("Invalid request. Please specify a valid user name")
    Response.End()
  end if

  filter = "(uid=" + CStr(userName) + ")"   ' searching for the user entry

  ' Creating the LDAP object and setting the base dn
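The following is an added example and is not code from the WASC page or its VBScript sample. It rebuilds the page's `(uid=<user>)` filter in Python by plain concatenation, beside a version that escapes the value per RFC 4515, and runs both against a constructed in-memory directory through a small filter evaluator, so the effect of each payload can be seen without an LDAP server. It goes beyond the page's sample with a hypothetical login-style conjunction filter (`login_filter`, an assumption, not from the page) to show the blind attribute probing that makes LDAP Injection comparable to blind SQL Injection. The directory entries, attribute names and function names are all invented for the example.

```python
"""Added example (not from the WASC page): concatenated vs. escaped LDAP filters,
evaluated by a minimal RFC 4515 filter engine over a constructed directory."""
import re

# Constructed sample directory (not real data); attribute names are lower-case.
DIRECTORY = [
    {"uid": "alice", "cn": "Alice Example", "mail": "alice@example", "objectclass": "person"},
    {"uid": "bob", "cn": "Bob Example", "mail": "bob@example", "objectclass": "person"},
    {"uid": "admin", "cn": "Directory Admin", "mail": "root@example", "objectclass": "person"},
]

# RFC 4515 section 3: these characters must appear as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so the filter matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class _Parser:
    """Minimal RFC 4515 parser: (&...), (|...), (!...) and attr=value items."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def _peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def _expect(self, ch: str) -> None:
        if self._peek() != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, self.i, self.s))
        self.i += 1

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):  # a strict server rejects trailing data
            raise ValueError("trailing data %r in %r" % (self.s[self.i:], self.s))
        return node

    def _filter(self):
        self._expect("(")
        op = self._peek()
        if op in ("&", "|"):
            self.i += 1
            kids = []
            while self._peek() == "(":
                kids.append(self._filter())
            self._expect(")")
            return (op, kids)
        if op == "!":
            self.i += 1
            kid = self._filter()
            self._expect(")")
            return ("!", [kid])
        eq, end = self.s.find("=", self.i), self.s.find(")", self.i)
        if eq == -1 or end == -1 or end < eq:
            raise ValueError("malformed item at offset %d in %r" % (self.i, self.s))
        attr, value = self.s[self.i:eq], self.s[eq + 1:end]
        self.i = end + 1
        return ("=", attr.lower(), value)


def _value_matches(pattern: str, actual: str) -> bool:
    # A bare '*' is a wildcard; an escaped \2a is a literal star. Case-insensitive like caseIgnoreMatch.
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def _matches(node, entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(k, entry) for k in node[1])  # (&) is the absolute-true filter
    if op == "|":
        return any(_matches(k, entry) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    return attr in entry and _value_matches(value, entry[attr])


def search(filter_text: str, directory=DIRECTORY):
    """Evaluate a filter over the directory; returns matching uids, raises ValueError if malformed."""
    tree = _Parser(filter_text).parse()
    return [e["uid"] for e in directory if _matches(tree, e)]


def is_well_formed(filter_text: str) -> bool:
    try:
        _Parser(filter_text).parse()
        return True
    except ValueError:
        return False


def lookup_vulnerable(user_name: str):  # the page's pattern: value concatenated into the filter
    return search("(uid=" + user_name + ")")


def lookup_safe(user_name: str):  # same lookup with the value escaped first
    return search("(uid=" + escape_filter_value(user_name) + ")")


def login_filter(user_name: str, escape: bool) -> str:
    """Hypothetical conjunction filter (assumed, not from the page); an injected
    ')(attr=value' lands inside the AND and the filter stays well-formed."""
    value = escape_filter_value(user_name) if escape else user_name
    return "(&(uid=" + value + ")(objectClass=person))"


if __name__ == "__main__":
    print(lookup_vulnerable("*"))                                  # every entry
    print(lookup_safe("*"))                                        # [] the star is literal
    print(search(login_filter("alice)(mail=a*", escape=False)))    # ['alice']: probe answered yes
    print(search(login_filter("alice)(mail=z*", escape=False)))    # []: probe answered no
    print(search(login_filter("alice)(mail=a*", escape=True)))     # []: payload neutralised
```

With the page's single-item filter, the payload that matters is the wildcard: `user=*` returns every entry under the tree, while the escaped version matches the literal star and returns nothing. Payloads that insert `(` or `)` into a single-item filter produce trailing data, which a strict parser rejects (`is_well_formed` shows this); inside a conjunction they stay well-formed, and the difference between a hit and an empty result leaks one bit about `mail` per request, exactly the blind-injection pattern known from SQL. Escaping the value (or, where the library offers it, passing values separately from the filter template) closes both.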
31
Copyright 2004, Web Application Security Consortium. All rights reserved.