Difference between revisions of "Preventing LDAP Injection in Java"

From OWASP
(Reverting to last version not containing links to s1.shard.jp)
[[Category:OWASP Java Project]]

Revision as of 13:01, 29 May 2009

Status

Needs to be reviewed

Approach

The best way to prevent LDAP injection is to use a positive validation scheme, ensuring that the data going into your queries contains only what you expect and so cannot carry an attack. You can read more about input validation in the OWASP Development Guide.

However, in some cases it is necessary to include special characters in input that is passed into an LDAP query. In this case, escaping prevents the LDAP interpreter from treating those special characters as part of the LDAP query itself; the encoding makes the interpreter treat them as data instead.

Here are a few methods for escaping certain meta-characters in LDAP queries. The distinguished name (DN) and the search filter each have their own set of meta-characters. In Java it is also necessary to escape any JNDI meta-characters, since Java uses JNDI to perform LDAP queries.

Escaping the distinguished name:

   public static String escapeDN(String name) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) {
           sb.append('\\'); // add the leading backslash if needed
       }
       for (int i = 0; i < name.length(); i++) {
           char curChar = name.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\\\");
                   break;
               case ',':
                   sb.append("\\,");
                   break;
               case '+':
                   sb.append("\\+");
                   break;
               case '"':
                   sb.append("\\\"");
                   break;
               case '<':
                   sb.append("\\<");
                   break;
               case '>':
                   sb.append("\\>");
                   break;
               case ';':
                   sb.append("\\;");
                   break;
               default:
                   sb.append(curChar);
           }
       }
       if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) {
           sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed
       }
       return sb.toString();
   }

Escaping the search filter:

   public static final String escapeLDAPSearchFilter(String filter) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       for (int i = 0; i < filter.length(); i++) {
           char curChar = filter.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\5c");
                   break;
               case '*':
                   sb.append("\\2a");
                   break;
               case '(':
                   sb.append("\\28");
                   break;
               case ')':
                   sb.append("\\29");
                   break;
               case '\u0000': 
                   sb.append("\\00"); 
                   break;
               default:
                   sb.append(curChar);
           }
       }
       return sb.toString();
   }

Test class:

       //escapeDN (both escapers are assumed to be static methods of a class named SecTool)
       assertEquals("No special characters to escape", "Helloé", SecTool.escapeDN("Helloé"));
       assertEquals("leading #", "\\# Helloé", SecTool.escapeDN("# Helloé"));
       assertEquals("leading space", "\\ Helloé", SecTool.escapeDN(" Helloé"));
       assertEquals("trailing space", "Helloé\\ ", SecTool.escapeDN("Helloé "));
       assertEquals("only 3 spaces", "\\  \\ ", SecTool.escapeDN("   "));
       assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", SecTool.escapeDN(" Hello\\ + , \"World\" ; "));
       //escapeLDAPSearchFilter
       assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà"));
       assertEquals("LDAP Christmas Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));
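As an added example (not part of the original page), the two escapers used where each belongs, alongside the positive-validation check the Approach section recommends first. It assumes the escapers are static methods of a class named `SecTool`, as in the test class above, and uses a made-up base DN `ou=People,dc=example,dc=com`; `UserDirectory`, `findByUid`, `findByCommonName`, `commonNameFilter` and `entryDn` are names introduced here.

```java
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class UserDirectory {
    private static final String PEOPLE_BASE = "ou=People,dc=example,dc=com"; // assumed base DN
    // Positive validation for login names: letters, digits, '.', '_' and '-' only.
    private static final Pattern UID_PATTERN = Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    private static SearchControls subtree() {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"cn", "mail"});
        return controls;
    }

    // Case 1: the value has a known safe shape, so anything else is rejected
    // before it reaches the query (the page's preferred approach).
    public static NamingEnumeration<SearchResult> findByUid(DirContext ctx, String uid)
            throws NamingException {
        if (uid == null || !UID_PATTERN.matcher(uid).matches()) {
            throw new IllegalArgumentException("login name has unexpected characters");
        }
        return ctx.search(PEOPLE_BASE, "(&(objectClass=inetOrgPerson)(uid=" + uid + "))", subtree());
    }

    // Case 2: a display name may legitimately contain '(', ')', '*' or '\', so it
    // goes through the filter escaper (\28 \29 \2a \5c) and is matched as data.
    public static String commonNameFilter(String cn) {
        return "(&(objectClass=inetOrgPerson)(cn=" + SecTool.escapeLDAPSearchFilter(cn) + "))";
    }

    public static NamingEnumeration<SearchResult> findByCommonName(DirContext ctx, String cn)
            throws NamingException {
        return ctx.search(PEOPLE_BASE, commonNameFilter(cn), subtree());
    }

    // A DN has its own meta-characters (',' '+' '"' '<' '>' ';' '\', leading '#' or
    // space, trailing space), so an RDN value goes through the DN escaper, not the filter one.
    public static String entryDn(String cn) {
        return "cn=" + SecTool.escapeDN(cn) + "," + PEOPLE_BASE;
    }

    public static void main(String[] args) {
        String name = "Smith, John (Sales)"; // constructed sample with both kinds of meta-character
        System.out.println(commonNameFilter(name));
        System.out.println(entryDn(name));
    }
}
```

Note that the same string needs different escaping depending on whether it ends up in a filter or in a DN; applying the wrong escaper, or none, leaves the meta-characters live.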