LDAP Injection
What can I do here?
Use this window to configure the web server's level of protection against LDAP injection.
Getting Here - Object Explorer > New > Host > Servers > Select Web Server > Web Server > Protections > Select LDAP Injection > Advanced
Components of LDAP Injection Protection
The LDAP Injection protection examines LDAP queries and enforces the following:
- Filter Injection protection rejects any of the & (AND), | (OR) or ! (NOT) logical operators that appear in combination with unbalanced (or balanced but reversed) parentheses.
- DN Injection protection rejects Relative Distinguished Name (RDN) fields. RDN fields are not normally used explicitly in the LDAP queries. The list of RDN fields that this protection looks for can be customized. This makes it possible to control the use of customized LDAP fields, as well as standard ones.
This protection can identify "Percent Encoded" or "UTF-8 Encoded" expressions as well as text-based LDAP expressions. For details about LDAP, refer to RFC 1779.
What Part of the HTTP Request Is Searched?
LDAP queries are sent in HTTP Requests to the Web server.
The LDAP queries usually appear in the form fields of the HTTP Request (i.e., in the URL or HTTP Request body), but could also appear in other parts of the HTTP Request.
This protection searches for LDAP Injection either in the form fields of the HTTP Request, or in the whole Request — depending on the Security Level.
LDAP Injection Options
- High protects against Filter Injection and DN Injection. The protection searches the whole HTTP Request.
- Medium protects against Filter Injection and DN Injection. The protection searches the form fields of the HTTP Request only (that is, the URL and the HTTP Request body).
- Low protects against Filter Injection only. The protection searches the form fields of the HTTP Request only (that is, the URL and the HTTP Request body).
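The following is an added illustration of the checks and security levels described above, written for this page; it is not the product's own detection engine. It models Filter Injection as the page defines it (a logical operator together with unbalanced or reversed parentheses), DN Injection as the presence of an RDN attribute name followed by `=` (the default field list `cn`, `ou`, `dc`, `uid`, `o` is an assumption standing in for the customizable list), percent/UTF-8 decoding via `urllib.parse`, and the three levels as a scope table (form fields only versus the whole request, with or without the DN check). All request samples are constructed.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Assumed default RDN field list; the real protection lets an administrator customize it.
DEFAULT_RDN_FIELDS = ("cn", "ou", "dc", "uid", "o")

# Security levels as described on the page: which checks run and how much of the request is searched.
LEVELS = {
    "High":   {"dn": True,  "scope": "request"},  # whole request
    "Medium": {"dn": True,  "scope": "form"},     # URL query + body form fields
    "Low":    {"dn": False, "scope": "form"},     # Filter Injection only, form fields only
}


def parens_balanced(text):
    """True if every ')' closes an earlier '(' and nothing is left open.
    A ')' seen before its '(' (reversed parentheses) is reported as unbalanced."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def has_filter_injection(value):
    """Filter Injection: an LDAP logical operator combined with unbalanced/reversed parentheses."""
    decoded = unquote(value)  # strip one more layer of percent-encoding (UTF-8 bytes decode to text)
    if not any(op in decoded for op in "&|!"):
        return False
    return not parens_balanced(decoded)


def has_dn_injection(value, rdn_fields=DEFAULT_RDN_FIELDS):
    """DN Injection: an RDN attribute name (e.g. 'ou') explicitly followed by '='."""
    decoded = unquote(value)
    names = "|".join(re.escape(f) for f in sorted(rdn_fields, key=len, reverse=True))
    # Lookbehind avoids matching the tail of a longer word such as 'foo='.
    pattern = re.compile(r"(?<![A-Za-z0-9])(?:%s)\s*=" % names, re.IGNORECASE)
    return pattern.search(decoded) is not None


def inspect_request(method, url, headers, body, level, rdn_fields=DEFAULT_RDN_FIELDS):
    """Run the checks selected by `level` over the parts of the request that level searches.
    Returns a list of (check_name, offending_value) tuples; an empty list means no finding."""
    cfg = LEVELS[level]
    parts = urlsplit(url)
    # Form fields: URL query parameters and URL-encoded body parameters (parse_qsl decodes once).
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates += [v for _, v in parse_qsl(body, keep_blank_values=True)]
    if cfg["scope"] == "request":
        # High: also look at the path and every header value.
        candidates.append(parts.path)
        candidates += list(headers.values())

    findings = []
    for value in candidates:
        if has_filter_injection(value):
            findings.append(("filter_injection", value))
        if cfg["dn"] and has_dn_injection(value, rdn_fields):
            findings.append(("dn_injection", value))
    return findings


if __name__ == "__main__":
    # Constructed sample: a benign login, then a value carrying an operator with reversed parentheses.
    benign = inspect_request("GET", "/login?user=alice&dept=sales", {}, "", "High")
    print("benign:", benign)
    suspect = inspect_request("GET", "/login?user=alice%29%28%7C%28", {}, "", "Low")
    print("suspect:", suspect)
    # The same header-borne RDN field is seen at High (whole request) but not at Medium (form fields only).
    hdr = {"X-Ctx": "ou=people"}
    print("Medium:", inspect_request("GET", "/", hdr, "", "Medium"))
    print("High:  ", inspect_request("GET", "/", hdr, "", "High"))
```

The level table makes the trade-off visible: High inspects header values and the path, so a value that only appears outside form fields is caught there and nowhere else, at the cost of inspecting more data per request; Low skips the RDN-name check entirely, so an explicit `cn=` in a form field passes at that level.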