This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Talk:Preventing LDAP Injection in Java"

From OWASP
Jump to: navigation, search
 
 
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
Question - would it be better to encode using a whitelist approach?  I.e. encode everything that is not in a limited set of safe characters? Jeff Williams - 11:54, 14 August 2006 (EDT)  
 
Question - would it be better to encode using a whitelist approach?  I.e. encode everything that is not in a limited set of safe characters? Jeff Williams - 11:54, 14 August 2006 (EDT)  
  
My only concern with that approach is that we'll be breaking the spec- some LDAP implementations may not handle escaped characters that are not meta-characters properly.  [[User:Stephendv|Stephendv]] 07:23, 11 September 2006 (EDT)
+
:My only concern with that approach is that we'll be breaking the spec- some LDAP implementations may not handle escaped characters that are not meta-characters properly.  [[User:Stephendv|Stephendv]] 07:23, 11 September 2006 (EDT)
 +
 
 +
::Then perhaps a rule that only allows a limited set of characters AND encodes any of those that are meta-characters would work [[User:Jeff Williams|Jeff Williams]] 15:33, 11 September 2006 (EDT)
 +
 
 +
While for DN there is some provision for specifying a byte encoding (\XX) there is by spec only certain characters that should be encoded: , (comma), = (equals), + (plus), < (less than), > (greater than), # (number sign), ; (semicolon), \ (backslash), and " (quotation mark, ASCII 34)
 +
 
 +
Method 1: Escape chars, only , = + < > # ; \ are valid to be escaped:
 +
 
 +
CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB
 +
 
 +
Method 2: Replace with hex digits, unknown if all LDAP servers limit to just valid chars to escape:
 +
 
 +
CN=L. Eagle,O=Sue\2C Grabbit and Runn,C=GB
 +
 
 +
Method 3: Quote attribute and escape \ or ":
 +
 
 +
"you need to escape a single backslash this way \\"

Latest revision as of 22:47, 14 November 2006

Question - would it be better to encode using a whitelist approach? I.e. encode everything that is not in a limited set of safe characters? Jeff Williams - 11:54, 14 August 2006 (EDT)

My only concern with that approach is that we'll be breaking the spec- some LDAP implementations may not handle escaped characters that are not meta-characters properly. Stephendv 07:23, 11 September 2006 (EDT)
Then perhaps a rule that only allows a limited set of characters AND encodes any of those that are meta-characters would work Jeff Williams 15:33, 11 September 2006 (EDT)

While for DN there is some provision for specifying a byte encoding (\XX) there is by spec only certain characters that should be encoded: , (comma), = (equals), + (plus), < (less than), > (greater than), # (number sign), ; (semicolon), \ (backslash), and " (quotation mark, ASCII 34)

Method 1: Escape chars, only , = + < > # ; \ are valid to be escaped:

CN=L. Eagle,O=Sue\, Grabbit and Runn,C=GB

Method 2: Replace with hex digits, unknown if all LDAP servers limit to just valid chars to escape:

CN=L. Eagle,O=Sue\2C Grabbit and Runn,C=GB

Method 3: Quote attribute and escape \ or ":

"you need to escape a single backslash this way \\"