
Difference between revisions of "LDAP Injection Prevention Cheat Sheet"

From OWASP
m (Other Cheatsheets)
(Migration to GitHub)
Line 2: Line 2:
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
 
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>
  
<b>WORK IN PROGRESS</b>
+
The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
  
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
+
Please visit [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.md LDAP Injection Prevention Cheat Sheet] to see the latest version of the cheat sheet.
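Review bot: the new migration notice is inserted directly after the `<b>WORK IN PROGRESS</b>` banner, which this revision leaves in place; since the page now defers to the GitHub version, replace that banner with a deprecation note (or drop it) so the two lines do not contradict each other.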
= Introduction  =
 
__TOC__{{TOC hidden}}
 
 
 
This cheatsheet is focused on providing clear, simple, actionable guidance for preventing LDAP Injection flaws in your applications.
 
 
 
LDAP Injection is an attack used to exploit web based applications that construct LDAP statements from user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements through techniques similar to [[SQL Injection]]. LDAP injection attacks can allow unauthorized queries to run and can modify content inside the LDAP tree. For more information on LDAP Injection attacks, visit [[LDAP injection]].
 
 
 
[[LDAP injection]] attacks are common due to two factors:
 
 
 
# The lack of safer, parameterized LDAP query interfaces
# The widespread use of LDAP to authenticate users to systems.
 
 
 
Primary Defenses:
 
* Escape all variables using the right LDAP encoding function
 
 
 
Additional Defenses:
 
* Use a framework (like LINQtoAD) that escapes automatically
 
 
 
=Primary Defenses=
 
 
 
==Defense Option 1: Escape all variables using the right LDAP encoding function ==
 
 
 
LDAP identifies entries by a DN (distinguished name), which you can think of as a unique identifier. A DN is sometimes used like a username, as a credential for accessing a resource.
 
 
 
A DN might look like this:
 cn=Richard Feynman, ou=Physics Department, dc=Caltech, dc=edu
or
 uid=inewton, ou=Mathematics Department, dc=Cambridge, dc=com
 
 
 
Certain characters are considered special in a DN. The exhaustive list is: ',', '\', '#', '+', '<', '>', ';', '"', '=', and leading or trailing spaces.
 
 
 
Each DN points to exactly one entry, which can be thought of like a row in an RDBMS. Each entry has one or more attributes, which are analogous to RDBMS columns. If you want to search LDAP for users with certain attributes, you can do so with search filters. In a search filter, you can use standard boolean logic to get a list of entries matching an arbitrary constraint. Search filters are written in Polish notation, also known as prefix notation.
 
 
 
Example:
 (&(ou=Physics)(|
   (manager=cn=Freeman Dyson,ou=Physics,dc=Caltech,dc=edu)
   (manager=cn=Albert Einstein,ou=Physics,dc=Princeton,dc=edu)
 ))
 
 
 
When building LDAP queries in application code, you MUST escape any untrusted data that is added to any LDAP query. There are two forms of LDAP escaping: encoding for LDAP search filters and encoding for LDAP DNs (distinguished names). The proper escaping depends on whether you are sanitizing input for a search filter, or you are using a DN as a username-like credential for accessing some resource.
 
 
 
;Safe Java Escaping Example
 
 
 
2008 Java article on LDAP injection defense: https://blogs.oracle.com/shankar/entry/what_is_ldap_injection
 
 
 
Legacy OWASP ESAPI for Java DefaultEncoder which includes encodeForLDAP(String) and encodeForDN(String): https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
 
 
 
;Safe C# .NET TBA Example
 
 
 
.NET AntiXSS (now the Encoder class) has LDAP encoding functions including Encoder.LdapFilterEncode(string), Encoder.LdapDistinguishedNameEncode(string) and Encoder.LdapDistinguishedNameEncode(string, bool, bool). http://blogs.msdn.com/b/securitytools/archive/2010/09/30/antixss_2d00_4_2d00_0_2d00_release_2d00_notes.aspx
 
 
 
Encoder.LdapFilterEncode encodes input according to RFC 4515, where unsafe characters are converted to \XX, with XX being the two-digit hexadecimal value of the unsafe character.
 
 
 
Encoder.LdapDistinguishedNameEncode encodes input according to RFC 2253, where unsafe characters are converted to #XX, with XX being the representation of the unsafe character, and the comma, plus, quote, slash, less than and greater than signs are escaped using slash notation (\X). In addition, a space or octothorpe (#) at the beginning of the input string is backslash-escaped, as is a space at the end of the string.
 
 
 
LdapDistinguishedNameEncode(string, bool, bool) is also provided so you can turn off the initial or final character escaping rules, for example when you are concatenating the escaped distinguished name fragment into the middle of a complete distinguished name.
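The two escaping rules above (filter values per RFC 4515, DN values per RFC 2253/4514, plus the switchable leading/trailing rules of the three-argument overload) as an added Python example; this is not ESAPI or AntiXSS code, and the builder functions and sample inputs at the end are constructed for illustration.

```python
# Added example (not ESAPI or AntiXSS code): the two LDAP escaping rules the
# cheat sheet describes, implemented in Python. escape_filter follows RFC 4515
# and escape_dn follows RFC 2253/4514; the two boolean flags on escape_dn mirror
# the AntiXSS LdapDistinguishedNameEncode(string, bool, bool) overload.

# RFC 4515: characters that must be written as \XX inside a filter value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter(value: str) -> str:
    """Escape untrusted text for use as an assertion value in a search filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)

# RFC 2253/4514: characters that are escaped with a backslash inside a DN value.
_DN_SPECIALS = set(',+"\\<>;')

def escape_dn(value: str, escape_initial: bool = True, escape_final: bool = True) -> str:
    """Escape untrusted text for use as an attribute value inside a DN.

    escape_initial/escape_final switch off the leading '#'/space and trailing
    space rules for fragments spliced into the middle of a larger DN."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and ((escape_initial and i == 0) or (escape_final and i == last)):
            out.append("\\ ")
        elif ch == "#" and escape_initial and i == 0:
            out.append("\\#")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%02x" % ord(ch))  # control characters as \XX (RFC 4514 form)
        else:
            out.append(ch)
    return "".join(out)

def build_user_filter(uid: str, ou: str) -> str:
    """Constructed search: find a user by uid inside an ou, escaping both inputs."""
    return "(&(uid=%s)(ou=%s))" % (escape_filter(uid), escape_filter(ou))

def build_user_dn(cn: str, ou: str, base_dn: str = "dc=Caltech,dc=edu") -> str:
    """Constructed DN: base_dn is trusted configuration, cn and ou are untrusted."""
    return "cn=%s,ou=%s,%s" % (escape_dn(cn), escape_dn(ou), base_dn)

if __name__ == "__main__":
    # Constructed sample inputs containing characters that are special in each context.
    print(build_user_filter("O'Brien (Physics)*", "Physics"))
    print(build_user_dn(" #Smith, John ", "Physics Department"))
```

Note that the same input needs different treatment in the two contexts: parentheses and asterisks are only special in a filter, while commas, plus signs and leading/trailing spaces are only special in a DN.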
 
 
 
==Defense Option 2: Use Frameworks that Automatically Protect from LDAP Injection ==
 
 
 
;Safe .NET Example
 
 
 
<i>LINQ to Active Directory</i> provides automatic LDAP encoding when building LDAP queries: https://linqtoad.codeplex.com/
 
 
 
==Defense Option 3: Additional Defenses ==
 
 
 
Beyond adopting one of the two defense options above, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:
 
 
 
* '''Least Privilege'''
* '''White List Input Validation'''
 
 
 
== Least Privilege ==
 
 
 
To minimize the potential damage of a successful LDAP injection attack, you should minimize the privileges assigned to the LDAP binding account in your environment.  
 
 
 
== White List Input Validation ==
 
 
 
Input validation can be used to detect unauthorized input before it is passed to the LDAP query. For more information please see the [[Input Validation Cheat Sheet]].
 
 
 
= Related Articles =
 
 
 
* OWASP article on [[LDAP injection|LDAP Injection]] Vulnerabilities
* OWASP article on [[Preventing LDAP Injection in Java]]
* [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for LDAP Injection (OTG-INPVAL-006)|Test for LDAP Injection]] Vulnerabilities
 
 
 
= Authors and Primary Editors  =
 
 
 
Ben Weintraub - Ben[at]bluetalon.com<br/>
 
Jim Manico - jim[at]owasp.org<br/>
 
 
 
= Other Cheatsheets =
 
 
 
{{Cheatsheet_Navigation_Body}}
 
 
 
[[Category:Cheatsheets]]
 
[[Category:Popular]]
 

Revision as of 13:01, 14 February 2019
