This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Projects/OWASP Framework Security Project/Secure LDAP API Standard"
(→Documents the Security Risks of LDAP Filter Injection) |
|||
| Line 1: | Line 1: | ||
This standard is designed to describe the specific properties secure LDAP APIs have. APIs with these properties help developers, regardless of their skill or experience with LDAP, avoid the most common and serious vulnerabilities associated with developing LDAP client software. | This standard is designed to describe the specific properties secure LDAP APIs have. APIs with these properties help developers, regardless of their skill or experience with LDAP, avoid the most common and serious vulnerabilities associated with developing LDAP client software. | ||
| − | + | '''Version: 0.1''' | |
= Properties of Safe LDAP APIs = | = Properties of Safe LDAP APIs = | ||
| Line 12: | Line 12: | ||
== Provides LDAP Filter Syntax Templates == | == Provides LDAP Filter Syntax Templates == | ||
| − | + | A "syntax template" is one way to offer an API to a developer which automatically encodes LDAP filter special characters in a safe-by-default way. Consider the pseudocode: | |
| + | <pre> | ||
| + | result = LDAPFilterQuery("(&(objectClass=user)(firstName=*?*)(lastName=*?*))", [first_name, last_name]) | ||
| + | </pre> | ||
| + | |||
| + | In this hypothetical API, the developer provides a LDAP filter query template in the first argument and a list of values as the second argument. Each "<code>?</code>" that appears in the template is bound in order to the value in the list. The <code>LDAPFilterQuery</code> function is responsible for automatically encoding the values stored in <code>first_name</code> and <code>last_name</code>. Note how this is very similar to parameterized prepared statements in SQL. | ||
| + | |||
| + | An LDAP API should provide either a system for filter syntax templates, or an Abstract API (see next item), or both. | ||
| + | |||
== Provides an Abstract API for LDAP Filter Queries == | == Provides an Abstract API for LDAP Filter Queries == | ||
Revision as of 02:27, 19 January 2016
This standard is designed to describe the specific properties secure LDAP APIs have. APIs with these properties help developers, regardless of their skill or experience with LDAP, avoid the most common and serious vulnerabilities associated with developing LDAP client software.
Version: 0.1
- 1 Properties of Safe LDAP APIs
- 1.1 Documents the Security Risks of LDAP Filter Injection
- 1.2 Provides an LDAP Filter Escape Function
- 1.3 Provides LDAP Filter Syntax Templates
- 1.4 Provides an Abstract API for LDAP Filter Queries
- 1.5 Supports LDAPS
- 1.6 Supports LDAP with StartTLS
- 1.7 Enables SSL/TLS Certificate Validation by Default
- 1.8 Documents the Customization of Trusted Certificate Authorities
- 2 Grading Scale
- 3 TODO
Properties of Safe LDAP APIs
Documents the Security Risks of LDAP Filter Injection
The API documentation should include a warning about the risks of LDAP filter injection. The warning should occur on pages associated with LDAP filters functionality so that it is hard for any programmer to miss. The warning maybe short (as little as one sentence), but should reference documentation that describes the risk of injections. Consider using LDAP injection or LDAP Injection Prevention Cheat Sheet as a reference.
Provides an LDAP Filter Escape Function
Escaping special characters in LDAP filter expressions is well described in section 4 of RFC 2254. The API should provide a function which accepts a string (potentially containing LDAP filter special characters) and returns a string with the same string with any special characters appropriately escaped. For example, the string "Asterisk (*) is more beautiful than backslash (\)." would be converted to "Asterisk \28\2a\29 is more beautiful than backslash \28\5c\29.".
Provides LDAP Filter Syntax Templates
A "syntax template" is one way to offer an API to a developer which automatically encodes LDAP filter special characters in a safe-by-default way. Consider the pseudocode:
result = LDAPFilterQuery("(&(objectClass=user)(firstName=*?*)(lastName=*?*))", [first_name, last_name])
In this hypothetical API, the developer provides a LDAP filter query template in the first argument and a list of values as the second argument. Each "?" that appears in the template is bound in order to the value in the list. The LDAPFilterQuery function is responsible for automatically encoding the values stored in first_name and last_name. Note how this is very similar to parameterized prepared statements in SQL.
An LDAP API should provide either a system for filter syntax templates, or an Abstract API (see next item), or both.
Provides an Abstract API for LDAP Filter Queries
TODO
Supports LDAPS
TODO
Supports LDAP with StartTLS
TODO
Enables SSL/TLS Certificate Validation by Default
TODO
Documents the Customization of Trusted Certificate Authorities
TODO
Grading Scale
TODO
TODO
- What other forms of encryption should we encourage? SASL and/or proprietary mechanisms?
- The LDAP injection page could use work. Some statements are a bit off base, and there should be a clearer statement of the risk.
