- An LDAP (Lightweight Directory Access Protocol) injection attack exploits insufficient validation of user input that is concatenated into LDAP statements, allowing an attacker to run arbitrary LDAP queries against the directory service
- In the code snippet, the searchRecord() method searches the directory over LDAP. The filter string it builds does not adequately restrict the characters it accepts, so specially crafted input containing LDAP filter metacharacters (such as *, ( and )) is interpreted as part of the filter itself rather than as a plain value
Insecure Code

LDAP Injection (Cont’d)


Secure Code
- The secure version uses a whitelisting (allowlisting) technique: the input is checked against a String filter that contains only the permitted characters before it is placed in the LDAP query, so filter metacharacters never reach the directory
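The page's own searchRecord() snippets are not reproduced here, so the following is an added example (my code, not the course's) that shows the vulnerable filter construction described above beside the hardened form. It assumes a login-style lookup by uid; the injection payload, the allowlist pattern and the helper names are all constructed for illustration. It also goes one step beyond the whitelist in the text by escaping the value per RFC 4515 after the allowlist check, which covers legitimate values the allowlist alone could not admit.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_insecure(username: str) -> str:
    """Vulnerable: user input is concatenated straight into the filter string."""
    return "(&(objectClass=person)(uid=" + username + "))"


# Allowlist (assumed policy): letters, digits, dot, underscore, hyphen, 1-64 chars.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_valid_username(username: str) -> bool:
    """Whitelist check: True only if every character is in the permitted set."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_filter_secure(username: str) -> str:
    """Hardened: reject input outside the allowlist, then escape it anyway."""
    if not is_valid_username(username):
        raise ValueError(f"rejected username: {username!r}")
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


def top_level_groups(ldap_filter: str) -> int:
    """Count parenthesised groups at nesting depth 0 in a filter string.

    A well-formed filter is exactly one group; more than one means the
    input broke out of the intended structure. RFC 4515 escapes such as
    \\28 and \\29 are plain text and are skipped so they do not affect nesting.
    """
    depth = 0
    groups = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # backslash plus two hex digits
            continue
        if ch == "(":
            if depth == 0:
                groups += 1
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return groups


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"  # constructed injection input
    bad = build_filter_insecure(payload)
    print(bad, "->", top_level_groups(bad), "top-level group(s)")
    try:
        build_filter_secure(payload)
    except ValueError as exc:
        print("secure builder:", exc)
    print(build_filter_secure("alice.smith"))
```

With the payload above, the insecure builder yields `(&(objectClass=person)(uid=*)(uid=*))(|(uid=*))`: the uid test has become a wildcard and a second group has been appended. Whether a given server ignores the trailing group or rejects the whole filter, the query no longer means what the developer wrote. Rejecting invalid input (as here) is preferable to silently stripping characters, because stripping can turn one valid-looking name into another.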
