
Preventing LDAP Injection in Java

From OWASP
Revision as of 12:05, 26 May 2009 by Deleted user (talk | contribs)


Status

Needs to be reviewed

Approach

The best way to prevent LDAP injection is to use a positive (allow-list) validation scheme that ensures the data going into your queries contains only the characters you expect. You can read more in the OWASP Development Guide about input validation.

However, in some cases it is necessary to include special characters in input that is passed into an LDAP query. In those cases, escaping prevents the LDAP interpreter from treating those special characters as part of the query syntax; the escaping makes the interpreter treat them as plain data instead.

Here are a few methods for escaping meta-characters in LDAP queries. The distinguished name (DN) and the search filter each have their own set of meta-characters and their own escaping rules, so the right method depends on where the data is going. In the case of Java, it is also necessary to escape any JNDI meta-characters, since Java uses JNDI to perform LDAP queries.

Escaping the distinguished name (DN):

   public static String escapeDN(String name) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       // A leading space or '#' must be escaped so it is not read as DN syntax
       if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) {
           sb.append('\\'); // add the leading backslash if needed
       }
       for (int i = 0; i < name.length(); i++) {
           char curChar = name.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\\\");
                   break;
               case ',':
                   sb.append("\\,");
                   break;
               case '+':
                   sb.append("\\+");
                   break;
               case '"':
                   sb.append("\\\"");
                   break;
               case '<':
                   sb.append("\\<");
                   break;
               case '>':
                   sb.append("\\>");
                   break;
               case ';':
                   sb.append("\\;");
                   break;
               case '\u0000':
                   sb.append("\\00"); // NUL has no printable form; RFC 4514 requires the hex escape
                   break;
               default:
                   sb.append(curChar);
           }
       }
       // A trailing space must also be escaped; a single space was already handled above
       if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) {
           sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed
       }
       return sb.toString();
   }

Escaping the search filter:

   public static final String escapeLDAPSearchFilter(String filter) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       for (int i = 0; i < filter.length(); i++) {
           char curChar = filter.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\5c");
                   break;
               case '*':
                   sb.append("\\2a");
                   break;
               case '(':
                   sb.append("\\28");
                   break;
               case ')':
                   sb.append("\\29");
                   break;
               case '\u0000': 
                   sb.append("\\00"); 
                   break;
               default:
                   sb.append(curChar);
           }
       }
       return sb.toString();
   }
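Using both methods from JNDI code, as an added example that is not part of the original page: it assumes the two escape methods live in a class named SecTool, and the directory URL and base DN are constructed placeholders. Filter escaping is applied to data that lands inside a search filter, and DN escaping to data that becomes part of an entry's name.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
public class LdapLookup {
    // Constructed placeholder settings (assumption): point these at your own directory.
    private static final String LDAP_URL = "ldap://ldap.example.invalid:389";
    private static final String BASE_DN = "ou=people,dc=example,dc=invalid";

    // Concatenating uid unescaped, "(uid=" + uid + ")", would let a value such as "*"
    // match every entry; escaping turns it into the literal "\2a" (RFC 4515).
    static String uidFilter(String uid) {
        return "(&(objectClass=person)(uid=" + SecTool.escapeLDAPSearchFilter(uid) + "))";
    }

    // A DN built from untrusted input needs DN escaping (RFC 4514), not filter escaping.
    static String personDN(String cn) {
        return "cn=" + SecTool.escapeDN(cn) + "," + BASE_DN;
    }
    private static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        return new InitialDirContext(env);
    }

    // Search by uid; results are copied out before the context is closed.
    public static List<String> findMailByUid(String uid) throws NamingException {
        DirContext ctx = connect();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "mail" });
            List<String> mails = new ArrayList<String>();
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, uidFilter(uid), sc);
            while (results.hasMore()) {
                Attribute mail = results.next().getAttributes().get("mail");
                if (mail != null) {
                    mails.add(mail.get().toString());
                }
            }
            return mails;
        } finally {
            ctx.close();
        }
    }
}
```

Escaping only protects the query where it is applied; the uid still needs the allow-list validation described above before it reaches either method.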

Test class (JUnit, assuming both methods are in a class named SecTool):

   import junit.framework.TestCase;

   public class SecToolTest extends TestCase {
       public void testEscapeDN() {
           assertEquals("No special characters to escape", "Helloé", SecTool.escapeDN("Helloé"));
           assertEquals("leading #", "\\# Helloé", SecTool.escapeDN("# Helloé"));
           assertEquals("leading space", "\\ Helloé", SecTool.escapeDN(" Helloé"));
           assertEquals("trailing space", "Helloé\\ ", SecTool.escapeDN("Helloé "));
           assertEquals("only 3 spaces", "\\  \\ ", SecTool.escapeDN("   "));
           assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", SecTool.escapeDN(" Hello\\ + , \"World\" ; "));
       }

       public void testEscapeLDAPSearchFilter() {
           assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà"));
           assertEquals("LDAP Christmas Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));
       }
   }