Difference between revisions of "LDAP Injection Prevention Cheat Sheet"

From OWASP
Revision as of 11:37, 29 October 2015

WORK IN PROGRESS

Last revision (mm/dd/yy): 10/29/2015

Introduction

This cheatsheet is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications.

LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements from user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements through techniques similar to SQL Injection. LDAP injection attacks could result in the granting of permissions to unauthorized queries and in content modification inside the LDAP tree. For more information on LDAP Injection attacks, see the LDAP Injection article.

LDAP injection attacks are common due to two factors:

  1. The lack of safer, parameterized LDAP query interfaces
  2. The widespread use of LDAP to authenticate users to systems.

Primary Defenses:

  • Escape all variables using the right LDAP encoding function

Additional Defenses:

  • Use a framework (like LINQtoAD) that escapes automatically

Primary Defenses

Defense Option 1: Escape All Variables

Safe Java Escaping Example

2008 Java article on LDAP injection defense: https://blogs.oracle.com/shankar/entry/what_is_ldap_injection

ESAPI for Java has two encoding functions for LDAP injection protection. http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html

   /**
    * Encode data for use in LDAP queries.
    *
    * @param input the text to encode for LDAP
    *
    * @return input encoded for use in LDAP
    */
   String encodeForLDAP(String input);

   /**
    * Encode data for use in an LDAP distinguished name.
    *
    * @param input the text to encode for an LDAP distinguished name
    *
    * @return input encoded for use in an LDAP distinguished name
    */
   String encodeForDN(String input);


Safe C# .NET TBA Example

.NET AntiXSS (now the Encoder class) has LDAP encoding functions including Encoder.LdapFilterEncode(string), Encoder.LdapDistinguishedNameEncode(string) and Encoder.LdapDistinguishedNameEncode(string, bool, bool). http://blogs.msdn.com/b/securitytools/archive/2010/09/30/antixss_2d00_4_2d00_0_2d00_release_2d00_notes.aspx

Encoder.LdapFilterEncode encodes input according to RFC 4515: unsafe characters are converted to \XX, where XX is the two-digit hexadecimal value of the unsafe character.

Encoder.LdapDistinguishedNameEncode encodes input according to RFC 2253: unsafe characters are converted to #XX, where XX is the representation of the unsafe character, and the comma, plus, quote, backslash, less-than and greater-than signs are escaped using backslash notation (\X). In addition, a space or octothorpe (#) at the beginning of the input string is backslash-escaped, as is a space at the end of the string.

LdapDistinguishedNameEncode(string, bool, bool) is also provided so you may turn off the initial or final character escaping rules, for example if you are concatenating the escaped distinguished name fragment into the midst of a complete distinguished name.
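The following is an added, illustrative Java implementation of the two escaping rules this section describes (RFC 4515 filter escaping and RFC 2253 distinguished-name escaping); it is example code, not the ESAPI or AntiXSS implementation. The two boolean flags on escapeDn are modelled on the LdapDistinguishedNameEncode(string, bool, bool) overload, and for characters outside the printable ASCII range it uses the RFC 2253 \XX hex form rather than the #XX form described for AntiXSS.

```java
import java.nio.charset.StandardCharsets;
/** Illustrative LDAP escaping helpers; example code, not the ESAPI or AntiXSS implementations. */
public final class LdapEscapeExample {
    /** RFC 4515 filter escaping: each special byte becomes \XX (two hex digits). */
    public static String escapeFilter(String input) {
        StringBuilder sb = new StringBuilder();
        for (byte b : input.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xff;
            // '*', '(', ')', '\' and NUL must be escaped; escaping non-ASCII bytes
            // as well is always valid filter syntax.
            if (v == '*' || v == '(' || v == ')' || v == '\\' || v == 0 || v > 0x7f) {
                sb.append('\\').append(String.format("%02x", v));
            } else {
                sb.append((char) v);
            }
        }
        return sb.toString();
    }
    /** RFC 2253 DN value escaping; the flags control leading space/'#' and trailing space rules. */
    public static String escapeDn(String input, boolean escapeInitial, boolean escapeFinal) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            boolean first = i == 0, last = i == input.length() - 1;
            if (",+\"\\<>;".indexOf(c) >= 0
                    || (escapeInitial && first && (c == ' ' || c == '#'))
                    || (escapeFinal && last && c == ' ')) {
                sb.append('\\').append(c);
            } else if (c < 0x20 || c > 0x7e) {
                // other unsafe characters: RFC 2253 \XX hex form of the UTF-8 bytes
                for (byte b : String.valueOf(c).getBytes(StandardCharsets.UTF_8)) {
                    sb.append('\\').append(String.format("%02x", b & 0xff));
                }
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        String userInput = "*)(uid=*))(|(uid=*"; // constructed filter-breaking input
        System.out.println("unsafe: (&(uid=" + userInput + ")(userPassword=x))");
        System.out.println("safe:   (&(uid=" + escapeFilter(userInput) + ")(userPassword=x))");
        System.out.println("dn:     cn=" + escapeDn(" Smith, John #1 ", true, true) + ",dc=example,dc=com");
    }
}
```

The first println shows how unescaped input changes the filter structure; the second keeps every user-supplied byte inside a single attribute value, and the third escapes only the DN-significant characters and the leading and trailing spaces.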

Defense Option 2: Frameworks that Automatically Protect from LDAP Injection

Safe NET Example

LINQ to Active Directory provides automatic LDAP encoding when building LDAP queries: https://linqtoad.codeplex.com/

Defense Option 3: Escaping All User Supplied Input

TBA

Additional Defenses

Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:

  • Least Privilege
  • White List Input Validation

Least Privilege

To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.

TBA

White List Input Validation

Input validation can be used to detect unauthorized input before it is passed to the LDAP query. For more information please see the Input Validation Cheat Sheet.

Related Articles

Description of LDAP Injection Vulnerabilities

How to Avoid SQL Injection Vulnerabilities


How to Review Code for LDAP Injection Vulnerabilities

How to Test for LDAP Injection Vulnerabilities

Authors and Primary Editors

Jim Manico - jim[at]owasp.org
