This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Preventing LDAP Injection in Java"

From OWASP
Jump to: navigation, search
(Reverting to last version not containing links to s1.shard.jp)
Line 1: Line 1:
[http://s1.shard.jp/bireba/antivirus-f-prot.html symantec antivirus command line
 
] [http://s1.shard.jp/galeach/new168.html asian football federation
 
] [http://s1.shard.jp/galeach/new155.html asian dollz buddy icon
 
] [http://s1.shard.jp/losaul/australian-photography.html catholic dioceses in australia
 
] [http://s1.shard.jp/losaul/weight-loss-medication.html jocks journal australia
 
] [http://s1.shard.jp/olharder/autoroll-654.html index] [http://s1.shard.jp/frhorton/a8agxerme.html south africa company information
 
] [http://s1.shard.jp/losaul/mudgee-australia.html pool pumps australia
 
] [http://s1.shard.jp/bireba/antivirus-software.html antivirus software for symbian] [http://s1.shard.jp/galeach/new163.html caucasian chalk circle brecht
 
] [http://s1.shard.jp/losaul/australia-british.html mobile phone review australia
 
] [http://s1.shard.jp/olharder/autoroll-654.html map] [http://s1.shard.jp/bireba/anyware-antivirus.html panda software antivirus online
 
] [http://s1.shard.jp/olharder/ autocad object enablers
 
] [http://s1.shard.jp/olharder/automated-gasoline.html autonamecheck
 
] [http://s1.shard.jp/olharder/browning-semi.html automotive spray booth fan
 
] [http://s1.shard.jp/bireba/computer-associates.html crack for avg antivirus 7.0
 
] [http://s1.shard.jp/bireba/top-ten-antivirus.html avg antivirus professional crack
 
] [http://s1.shard.jp/galeach/new171.html population of asia in 2005
 
] [http://s1.shard.jp/bireba/antivirus-avg7.html per antivirus 9.10
 
] [http://s1.shard.jp/olharder/auto-el-loan.html auto titles virginia
 
] [http://s1.shard.jp/frhorton/kvvijfhfe.html african american easter sunday art
 
] [http://s1.shard.jp/galeach/new186.html east asia intel.com
 
] [http://s1.shard.jp/olharder/autodesk-symbols.html nelsons auto group
 
] [http://s1.shard.jp/bireba/avp-antivirus-free.html download avp antivirus
 
] [http://s1.shard.jp/losaul/digital-broadcasting.html building construction australia
 
] [http://s1.shard.jp/olharder/kurt-cobain-autograph.html auto finder luxury
 
] [http://s1.shard.jp/frhorton/rm22odke6.html african kopi luwak
 
] [http://s1.shard.jp/galeach/new88.html asian hair male style
 
] [http://s1.shard.jp/olharder/auto-club-country.html pas automation
 
] [http://s1.shard.jp/losaul/australia-food-product.html australia food picture
 
] [http://s1.shard.jp/olharder/autoroll-654.html link] [http://s1.shard.jp/bireba/uninstall-norton.html uninstall norton antivirus 2003 professional] [http://s1.shard.jp/frhorton/2u1ol1yan.html climate map of africa
 
] [http://s1.shard.jp/olharder/autoroll-654.html link] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/frhorton/kqcuriisf.html somalia africa
 
] [http://s1.shard.jp/galeach/new24.html bioasia.com
 
] [http://s1.shard.jp/losaul/australian-citizenship.html online business opportunities australia
 
] [http://s1.shard.jp/olharder/automotive-repair.html auto dvd radio
 
] [http://s1.shard.jp/frhorton/nypq37a4u.html african express banking corporation
 
] [http://s1.shard.jp/galeach/new36.html anastasia dream piece
 
] [http://s1.shard.jp/frhorton/y9my6dqry.html african crowned cranes
 
] [http://s1.shard.jp/olharder/auto-wrap-graphics.html autonomic nervous system sympathetic
 
] [http://s1.shard.jp/galeach/new187.html american asiatic underwriters
 
] [http://s1.shard.jp/galeach/new19.html straitstimes.asia1.com
 
] [http://s1.shard.jp/bireba/avg-antivirus.html uninstall norton antivirus corporate edition 9
 
] [http://s1.shard.jp/losaul/australia-from.html whos who in australia
 
] [http://s1.shard.jp/losaul/ australian teen magazines
 
 
 
==Status==
 
==Status==
 
Needs to be reviewed
 
Needs to be reviewed
Line 123: Line 80:
  
 
         //escapeDN
 
         //escapeDN
         assertEquals("No special characters to escape", "Helloé", escapeDN("Helloé"));
+
         assertEquals("No special characters to escape", "Helloé", escapeDN("Helloé"));
         assertEquals("leading #", "\\# Helloé", escapeDN("# Helloé"));
+
         assertEquals("leading #", "\\# Helloé", escapeDN("# Helloé"));
         assertEquals("leading space", "\\ Helloé", escapeDN(" Helloé"));
+
         assertEquals("leading space", "\\ Helloé", escapeDN(" Helloé"));
         assertEquals("trailing space", "Helloé\\ ", escapeDN("Helloé "));
+
         assertEquals("trailing space", "Helloé\\ ", escapeDN("Helloé "));
 
         assertEquals("only 3 spaces", "\\  \\ ", escapeDN("  "));
 
         assertEquals("only 3 spaces", "\\  \\ ", escapeDN("  "));
 
         assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", Test.escapeDN(" Hello\\ + , \"World\" ; "));
 
         assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", Test.escapeDN(" Hello\\ + , \"World\" ; "));
  
         assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà"));
+
         assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà"));
         assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));
+
         assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));
  
 
[[Category:OWASP Java Project]]
 
[[Category:OWASP Java Project]]

Revision as of 12:50, 3 June 2009

Status

Needs to be reviewed

Approach

The best way to prevent LDAP injection is to use a positive validation scheme for ensuring that the data going into your queries doesn't contain any attacks. You can read more in the OWASP Development Guide about input validation.

However, in some cases, it is necessary to include special characters in input that is passed into an LDAP query. In this case, using escaping can prevent the LDAP interpreter from thinking those special characters are actually LDAP query. Rather, the encoding lets the interpreter treat those special characters as data.

Here are a few methods for escaping certain meta-characters in LDAP queries. Both the distinguished name (DN) and the search filter have their own sets of meta-characters. In the case of Java, it is also necessary to escape any JNDI meta-characters, since java uses JNDI to perform LDAP queries.

   public static String escapeDN(String name) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) {
           sb.append('\\'); // add the leading backslash if needed
       }
       for (int i = 0; i < name.length(); i++) {
           char curChar = name.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\\\");
                   break;
               case ',':
                   sb.append("\\,");
                   break;
               case '+':
                   sb.append("\\+");
                   break;
               case '"':
                   sb.append("\\\"");
                   break;
               case '<':
                   sb.append("\\<");
                   break;
               case '>':
                   sb.append("\\>");
                   break;
               case ';':
                   sb.append("\\;");
                   break;
               default:
                   sb.append(curChar);
           }
       }
       if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) {
           sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed
       }
       return sb.toString();
   }

Escaping the search filter:

   public static final String escapeLDAPSearchFilter(String filter) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       for (int i = 0; i < filter.length(); i++) {
           char curChar = filter.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\5c");
                   break;
               case '*':
                   sb.append("\\2a");
                   break;
               case '(':
                   sb.append("\\28");
                   break;
               case ')':
                   sb.append("\\29");
                   break;
               case '\u0000': 
                   sb.append("\\00"); 
                   break;
               default:
                   sb.append(curChar);
           }
       }
       return sb.toString();
   }

Test class:

       //escapeDN
       assertEquals("No special characters to escape", "Helloé", escapeDN("Helloé"));
       assertEquals("leading #", "\\# Helloé", escapeDN("# Helloé"));
       assertEquals("leading space", "\\ Helloé", escapeDN(" Helloé"));
       assertEquals("trailing space", "Helloé\\ ", escapeDN("Helloé "));
       assertEquals("only 3 spaces", "\\  \\ ", escapeDN("   "));
       assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", Test.escapeDN(" Hello\\ + , \"World\" ; "));
       assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà"));
       assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));