Jose Maria ALONSO, Antonio GUZMAN, Marta BELTRAN, Rodolfo BORDON
.
DOI: 10.4236/wsn.2009.14030   PDF    HTML     10,953 Downloads   18,767 Views   Citations

Abstract

The increase in the number of databases accessed only by some applications has made code injection attacks an important threat to almost any current system. If one of these applications accepts inputs from a client and executes these inputs without first validating them, the attackers are free to execute their own queries and therefore, to extract, modify or delete the content of the database associated to the application. In this paper a deep analysis of the LDAP injection techniques is presented. Furthermore, a clear distinction between classic and blind injection techniques is made.

Keywords

Web Applications Security, Code Injection Techniques, LDAP

Share and Cite:

Conflicts of Interest

The authors declare no conflicts of interest.

References

[1]	S. Barnum and G. McGraw, “Knowledge for software security,” IEEE Security and Privacy Magazine, Vol. 3, No. 2, pp. 74–78, 2005.
[2]	E. Bertino, A. Kamra, and J. Early, “Pro?ling database applica-tion to detect SQL injection attacks,” in Proceedings of the IEEE International Performance, Computing, and Communications Conference, pp. 449–458. 2007.
[3]	X. Fug, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao, “A static analysis framework for detecting SQL injection vulner-abilities,” in Proceedings of the 31st Annual International Computer Software and Applications Conference, pp. 87–96, 2007.
[4]	E. Merlo, D. Letarte, and G. Antoniol, “SQL-injection security evolution analysis in PHP,” in Proceedings of the 9th IEEE International Workshop on Web Site Evolution, pp. 45–49, 2007.
[5]	S. Thomas and L. Williams, “Using automated ?x generation to secure SQL statements,” in Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems, pp. 9–19, 2007.
[6]	“XPath 1.0 speci?cation,” 1999, http://www.w3.org/TR/ xpath.
[7]	“XPath 2.0 speci?cation,” 2007, http://www.w3.org/TR/ xpath20/.
[8]	“RFC 1777: Lightweight Directory Access Protocol v2,” 1995, http://www.faqs.org/rfcs/rfc1777.html.
[9]	“RFC 2251: Lightweight Directory Access Protocol v3,” 1997, http://www.faqs.org/rfcs/rfc2251.html.
[10]	T. Holz, S. Marechal, and F. Raynal, “New threats and attacks on the world wide web,” IEEE Security and Privacy Magazine, Vol. 4, No. 2, 2006.
[11]	G. Hermosillo, R. Gomez, L. Seinturier, and L. Duchien, “AProSec: An aspect for programming secure web applica-tions,” in Proceedings of the Second International Conference on Availability, Reliability and Security, pp. 1026–1033, 2007.
[12]	N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: A static analysis tool for detecting web application vulnerabilities,” in Proceed-ings of the IEEE Symposium on Security and Privacy, pp. 6–15, 2006.
[13]	E. Jamhour, “Distributed security management using LDAP directories,” in Proceedings of the XXI Internatinal Conference of the Chilean Computer Science Society, pp. 144–153, 2001
[14]	R. Sari and S. Hidayat, “Integrating web server applications with LDAP authentication: Case study on human resources informa-tion system of ui,” in Proceedings of the International Sympo-sium on Communications and Information Technologies, pp. 307–312, 2006.
[15]	M. Wahl, T. Howes, and S. Kille, “Lightweight Directory Ac-cess Protocol (v3),” 1997, http://www.ietf.org/rfc/rfc2251.
[16]	V. Koutsonikola and A. Vakali, “LDAP: Framework, practices, and trends,” IEEE Internet Computing, Vol. 8, No. 5, pp. 66–72, 2004.
[17]	M. Russinovich and D. Solomon, Microsoft Windows Internals, Microsoft Press, 2004.
[18]	“OpenLDAP main page,” http://www.openldap.org.