Difference between revisions of "Preventing LDAP Injection in Java"

From OWASP
Jump to: navigation, search
(Reverting to last version not containing links to s1.shard.jp)
Line 1: Line 1:
[http://s1.shard.jp/losaul/exchange-rate-australian.html australia national flag
 
] [http://s1.shard.jp/olharder/automotive-executive.html auto clare
 
] [http://s1.shard.jp/galeach/new92.html asia video 42
 
] [http://s1.shard.jp/galeach/new83.html asiana restaurant london ontario
 
] [http://s1.shard.jp/olharder/route-66-auto.html prestige auto finance
 
] [http://s1.shard.jp/frhorton/3q938n1mz.html edgars stores south africa
 
] [http://s1.shard.jp/galeach/new136.html asian black bear] [http://s1.shard.jp/bireba/avg-free-antivirus.html etrust ez antivirus 2005
 
] [http://s1.shard.jp/losaul/save-the-children.html u2 concerts australia
 
] [http://s1.shard.jp/bireba/ca-etrust-antivirus.html whats the best antivirus
 
] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/losaul/why-do-we-have.html why do we have laws in australia] [http://s1.shard.jp/frhorton/lywbi2iaz.html meryls role in out of africa
 
] [http://s1.shard.jp/olharder/dealer-de-auto.html atm automated machine teller
 
] [http://s1.shard.jp/olharder/autobiographer.html automatic vents
 
] [http://s1.shard.jp/olharder/auto-a-vendre.html us 1 auto part
 
] [http://s1.shard.jp/bireba/norton-antivirus.html ravantivirus
 
] [http://s1.shard.jp/galeach/new8.html asian association machine pacific translation
 
] [http://s1.shard.jp/frhorton/9viywdetn.html african flying fox
 
] [http://s1.shard.jp/bireba/pc-cillin-antivirus.html kasperskys antivirus firewall
 
] [http://s1.shard.jp/frhorton/po4uhk6ve.html african tick bird giraffe
 
] [http://s1.shard.jp/losaul/2004-australian.html australian quantity surveyors
 
] [http://s1.shard.jp/losaul/idp-australia.html idp australia education] [http://s1.shard.jp/galeach/new114.html asia de cuba restaurant los angeles
 
] [http://s1.shard.jp/galeach/new46.html asian brides for sale
 
] [http://s1.shard.jp/losaul/australia-uranium.html australian idol concert
 
] [http://s1.shard.jp/bireba/symantec-antivirus.html dod antivirus download
 
] [http://s1.shard.jp/bireba/avg-antivirus-linux.html avg antivirus linux] [http://s1.shard.jp/frhorton/fhh2j9s8e.html africanamericans
 
] [http://s1.shard.jp/olharder/12-auto-become-br.html 12 auto become br br break line poker tag] [http://s1.shard.jp/losaul/australian-emus.html australian emus] [http://s1.shard.jp/bireba/manually-updating.html antivirus free trial download
 
] [http://s1.shard.jp/olharder/autoroll-654.html top] [http://s1.shard.jp/galeach/new193.html adrenal hypoplasia
 
] [http://s1.shard.jp/bireba/antivirus-windows.html lu1803 norton antivirus
 
] [http://s1.shard.jp/olharder/autoroll-654.html top] [http://s1.shard.jp/losaul/jamberoo-recreation.html australian live music
 
] [http://s1.shard.jp/olharder/auto-panel-plus.html autocad lt download
 
] [http://s1.shard.jp/frhorton/6znbfza3k.html african wildlife fund
 
] [http://s1.shard.jp/olharder/autoroll-654.html link] [http://s1.shard.jp/galeach/new68.html arab caucasian not
 
] [http://s1.shard.jp/frhorton/hpi2k8yhb.html africa animal wild
 
] [http://s1.shard.jp/olharder/autoridad-nacional.html auto insurance qoutes
 
] [http://s1.shard.jp/olharder/autoroll-654.html page] [http://s1.shard.jp/losaul/australian-landrover.html legal careers australia
 
] [http://s1.shard.jp/olharder/autoextracom.html autoextra.com broadsearch car google knc kwcmp qw used] [http://s1.shard.jp/bireba/panda-free-antivirus.html mdaemon antivirus
 
] [http://s1.shard.jp/olharder/concession-auto.html autopsy doctors
 
 
[http://s1.shard.jp/galeach/new162.html asiatic black pheasant transferware white] [http://s1.shard.jp/frhorton/7kqup4qnd.html africa in provinsies suid
 
] [http://s1.shard.jp/galeach/new92.html asian animal pictures
 
] [http://s1.shard.jp/galeach/new70.html models asia
 
] [http://s1.shard.jp/olharder/j-b-auto-salvage.html bike with automatic gear shifter
 
] [http://s1.shard.jp/bireba/vexira-antivirus.html avg antivirus 6.0
 
] [http://s1.shard.jp/losaul/nlp-training.html department of primary industries queensland australia
 
] [http://s1.shard.jp/olharder/seiko-titanium-kinetic.html automatic tank drain for compressed air
 
] [http://s1.shard.jp/galeach/new35.html 2006 asia miss usa
 
] [http://s1.shard.jp/bireba/symantec-antivirus.html what is antivirus program
 
] [http://s1.shard.jp/losaul/why-do-we-have.html australia wholesale liquidation
 
] [http://s1.shard.jp/galeach/new71.html christian beliefs on euthanasia
 
] [http://s1.shard.jp/frhorton/lywbi2iaz.html pics of african animals
 
] [http://s1.shard.jp/olharder/autoroll-654.html index] [http://s1.shard.jp/bireba/nod-antivirus.html avg free antivirus review
 
] [http://s1.shard.jp/bireba/ravantivirus.html live update symantec antivirus
 
] [http://s1.shard.jp/frhorton/3l4malzai.html africa business mentor south
 
] [http://s1.shard.jp/galeach/new47.html angiodisplasia
 
] [http://s1.shard.jp/bireba/avg-antivirus.html antivirus software for windows 2000
 
] [http://s1.shard.jp/bireba/avg-antivirus-7.html symantec antivirus server 2003
 
] [http://s1.shard.jp/frhorton/c769e8i7o.html south africans in the uk] [http://s1.shard.jp/losaul/australia-funniest.html listera australis
 
] [http://s1.shard.jp/losaul/planting-guide.html planting guide australia] [http://s1.shard.jp/losaul/vogue-australias.html cave clan australia
 
] [http://s1.shard.jp/olharder/prestige-auto.html auto ranging multimeter
 
] [http://s1.shard.jp/frhorton/lwp18cwan.html african american adoption program
 
] [http://s1.shard.jp/galeach/new61.html asia discount europe travel
 
] [http://s1.shard.jp/frhorton/tnw2399fu.html africaines femmes rencontre
 
] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/galeach/new178.html polymalasia rheumatica
 
] [http://s1.shard.jp/frhorton/j45p2foyu.html amalgamated bank of south africa
 
] [http://s1.shard.jp/losaul/miniature-australian.html need a ride australia
 
] [http://s1.shard.jp/olharder/autoroll-654.html link] [http://s1.shard.jp/galeach/new146.html asia dvds] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/losaul/multiplex-group.html cronulla beach australia day
 
] [http://s1.shard.jp/bireba/avg-antivirus.html norton antivirus updates 2005
 
] [http://s1.shard.jp/bireba/computer-antivirus.html download pc cillin antivirus
 
] [http://s1.shard.jp/galeach/new138.html asian childrens games
 
] [http://s1.shard.jp/frhorton/mz6vv73zx.html african inspired wedding gowns
 
] [http://s1.shard.jp/olharder/autoroll-654.html link] [http://s1.shard.jp/losaul/holiday-accommodation.html 25 australian money in italian
 
] [http://s1.shard.jp/frhorton/tqdtzy3e9.html african american woman in business
 
] [http://s1.shard.jp/galeach/new196.html stereotypes of asian women
 
] [http://s1.shard.jp/frhorton/vjlche4gq.html aa african american history registry
 
] [http://s1.shard.jp/olharder/internet-auto-part.html windward auto sales
 
] [http://s1.shard.jp/olharder/autoroll-654.html map] [http://s1.shard.jp/olharder/antique-autos-for.html autoclear plus
 
] [http://s1.shard.jp/frhorton/2tqspott4.html adoption from africa
 
 
 
http://www.textreleltri.com  
 
http://www.textreleltri.com  
 
http://www.textlieltdar.com  
 
http://www.textlieltdar.com  
Line 159: Line 82:
  
 
         //escapeDN
 
         //escapeDN
         assertEquals("No special characters to escape", "Helloé", escapeDN("Helloé"));
+
         assertEquals("No special characters to escape", "Helloé", escapeDN("Helloé"));
         assertEquals("leading #", "\\# Helloé", escapeDN("# Helloé"));
+
         assertEquals("leading #", "\\# Helloé", escapeDN("# Helloé"));
         assertEquals("leading space", "\\ Helloé", escapeDN(" Helloé"));
+
         assertEquals("leading space", "\\ Helloé", escapeDN(" Helloé"));
         assertEquals("trailing space", "Helloé\\ ", escapeDN("Helloé "));
+
         assertEquals("trailing space", "Helloé\\ ", escapeDN("Helloé "));
 
         assertEquals("only 3 spaces", "\\  \\ ", escapeDN("  "));
 
         assertEquals("only 3 spaces", "\\  \\ ", escapeDN("  "));
 
         assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", Test.escapeDN(" Hello\\ + , \"World\" ; "));
 
         assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", Test.escapeDN(" Hello\\ + , \"World\" ; "));
  
         assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà"));
+
         assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà"));
         assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));
+
         assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));
  
 
[[Category:OWASP Java Project]]
 
[[Category:OWASP Java Project]]

Revision as of 11:00, 27 May 2009

http://www.textreleltri.com http://www.textlieltdar.com

Status

Needs to be reviewed

Approach

The best way to prevent LDAP injection is to use a positive validation scheme for ensuring that the data going into your queries doesn't contain any attacks. You can read more in the OWASP Development Guide about input validation.

However, in some cases, it is necessary to include special characters in input that is passed into an LDAP query. In this case, using escaping can prevent the LDAP interpreter from thinking those special characters are actually LDAP query. Rather, the encoding lets the interpreter treat those special characters as data.

Here are a few methods for escaping certain meta-characters in LDAP queries. Both the distinguished name (DN) and the search filter have their own sets of meta-characters. In the case of Java, it is also necessary to escape any JNDI meta-characters, since java uses JNDI to perform LDAP queries.

   public static String escapeDN(String name) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) {
           sb.append('\\'); // add the leading backslash if needed
       }
       for (int i = 0; i < name.length(); i++) {
           char curChar = name.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\\\");
                   break;
               case ',':
                   sb.append("\\,");
                   break;
               case '+':
                   sb.append("\\+");
                   break;
               case '"':
                   sb.append("\\\"");
                   break;
               case '<':
                   sb.append("\\<");
                   break;
               case '>':
                   sb.append("\\>");
                   break;
               case ';':
                   sb.append("\\;");
                   break;
               default:
                   sb.append(curChar);
           }
       }
       if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) {
           sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed
       }
       return sb.toString();
   }

Escaping the search filter:

   public static final String escapeLDAPSearchFilter(String filter) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       for (int i = 0; i < filter.length(); i++) {
           char curChar = filter.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\5c");
                   break;
               case '*':
                   sb.append("\\2a");
                   break;
               case '(':
                   sb.append("\\28");
                   break;
               case ')':
                   sb.append("\\29");
                   break;
               case '\u0000': 
                   sb.append("\\00"); 
                   break;
               default:
                   sb.append(curChar);
           }
       }
       return sb.toString();
   }

Test class:

       //escapeDN
       assertEquals("No special characters to escape", "Helloé", escapeDN("Helloé"));
       assertEquals("leading #", "\\# Helloé", escapeDN("# Helloé"));
       assertEquals("leading space", "\\ Helloé", escapeDN(" Helloé"));
       assertEquals("trailing space", "Helloé\\ ", escapeDN("Helloé "));
       assertEquals("only 3 spaces", "\\  \\ ", escapeDN("   "));
       assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", Test.escapeDN(" Hello\\ + , \"World\" ; "));
       assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà"));
       assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));