Difference between revisions of "Preventing LDAP Injection in Java"

From OWASP

Revision as of 07:05, 26 May 2009


Status

Needs to be reviewed

Approach

The best way to prevent LDAP injection is positive (allow-list) validation: check that the data going into your queries matches the format you expect before it reaches the query, so that it cannot carry an attack. You can read more about input validation in the OWASP Development Guide.

However, in some cases it is necessary to pass special characters into an LDAP query. Escaping them prevents the LDAP interpreter from treating those characters as part of the query syntax; the encoded form is treated as data instead.

Here are a few methods for escaping the meta-characters in LDAP queries. The distinguished name (DN) and the search filter each have their own set of meta-characters. In the case of Java, it is also necessary to escape any JNDI meta-characters, since Java uses JNDI to perform LDAP queries.

Escaping the DN:

   public static String escapeDN(String name) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) {
           sb.append('\\'); // add the leading backslash if needed
       }
       for (int i = 0; i < name.length(); i++) {
           char curChar = name.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\\\");
                   break;
               case ',':
                   sb.append("\\,");
                   break;
               case '+':
                   sb.append("\\+");
                   break;
               case '"':
                   sb.append("\\\"");
                   break;
               case '<':
                   sb.append("\\<");
                   break;
               case '>':
                   sb.append("\\>");
                   break;
               case ';':
                   sb.append("\\;");
                   break;
               default:
                   sb.append(curChar);
           }
       }
       if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) {
           sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed
       }
       return sb.toString();
   }

Escaping the search filter:

   public static final String escapeLDAPSearchFilter(String filter) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       for (int i = 0; i < filter.length(); i++) {
           char curChar = filter.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\5c");
                   break;
               case '*':
                   sb.append("\\2a");
                   break;
               case '(':
                   sb.append("\\28");
                   break;
               case ')':
                   sb.append("\\29");
                   break;
               case '\u0000': 
                   sb.append("\\00"); 
                   break;
               default:
                   sb.append(curChar);
           }
       }
       return sb.toString();
   }
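As an added example (not part of the OWASP page), the two methods above combined into a user lookup that first applies the positive validation recommended at the top of this page and then escapes what it hands to JNDI. It assumes the page's `escapeDN` and `escapeLDAPSearchFilter` are static methods of a class named `LdapEscape` (name assumed), and `ou=people,dc=example,dc=com` is a placeholder base DN.

```java
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example, not part of the OWASP page. LdapEscape is an assumed class name
// holding the page's escapeDN() and escapeLDAPSearchFilter() methods.
public class UserLookup {
    // Positive validation: the shape a user id is allowed to have (assumed policy).
    private static final Pattern USER_ID = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");
    private static final String BASE_DN = "ou=people,dc=example,dc=com"; // placeholder

    static boolean isValidUserId(String userId) {
        return userId != null && USER_ID.matcher(userId).matches();
    }

    // Search filter with the user id escaped: '*', '(', ')', '\' and NUL become literal
    // data, so "*" matches a user literally named "*" rather than every entry.
    static String userFilter(String userId) {
        return "(&(objectClass=person)(uid=" + LdapEscape.escapeLDAPSearchFilter(userId) + "))";
    }

    // DN with the user id escaped: ',', '+', '"', '<', '>', ';' and a leading '#' or
    // leading/trailing space cannot add or alter RDNs.
    static String userDN(String userId) {
        return "uid=" + LdapEscape.escapeDN(userId) + "," + BASE_DN;
    }
    // Validate first; escape anyway as a second layer before handing the filter to JNDI.
    static NamingEnumeration<SearchResult> findUser(DirContext ctx, String userId)
            throws NamingException {
        if (!isValidUserId(userId)) {
            throw new IllegalArgumentException("user id rejected by positive validation");
        }
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[] { "uid", "cn", "mail" });
        return ctx.search(BASE_DN, userFilter(userId), sc);
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign id and two carrying filter meta-characters.
        for (String in : new String[] { "jsmith", "*", "jsmith)(uid=*" }) {
            System.out.println("input=" + in + " validated=" + isValidUserId(in)
                    + " filter=" + userFilter(in) + " dn=" + userDN(in));
        }
    }
}
```

Running `main` shows that only `jsmith` passes validation, and that even without validation the escaped filter for the other two inputs stays a single `uid=` equality match instead of changing the filter's structure.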

Test class (JUnit 4; the class name is assumed, and escapeDN and escapeLDAPSearchFilter are assumed to be static-imported from the class that holds them):

   import static org.junit.Assert.assertEquals;
   import org.junit.Test;

   public class LdapEscapeTest {
       @Test
       public void escaping() {
           // escapeDN
           assertEquals("No special characters to escape", "Helloé", escapeDN("Helloé"));
           assertEquals("leading #", "\\# Helloé", escapeDN("# Helloé"));
           assertEquals("leading space", "\\ Helloé", escapeDN(" Helloé"));
           assertEquals("trailing space", "Helloé\\ ", escapeDN("Helloé "));
           assertEquals("only 3 spaces", "\\  \\ ", escapeDN("   "));
           assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", escapeDN(" Hello\\ + , \"World\" ; "));
           // escapeLDAPSearchFilter
           assertEquals("No special characters to escape", "Hi This is a test #çà", escapeLDAPSearchFilter("Hi This is a test #çà"));
           assertEquals("LDAP Christmas Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));
       }
   }