Preventing LDAP Injection in Java

From OWASP
Revision as of 07:08, 26 May 2009 by ChipaSalba

Status

Needs to be reviewed

Approach

The best way to prevent LDAP injection is to use a positive (allow-list) validation scheme that ensures the data going into your queries contains only the characters you expect. You can read more about input validation in the OWASP Development Guide.

However, in some cases it is necessary to include special characters in input that is passed into an LDAP query. In this case, escaping prevents the LDAP interpreter from treating those special characters as part of the query syntax; instead, the escaping makes the interpreter treat them as data.

Here are a few methods for escaping meta-characters in LDAP queries. The distinguished name (DN) and the search filter each have their own set of meta-characters, so they need different escaping rules. In the case of Java, it is also necessary to escape any JNDI meta-characters, since Java uses JNDI to perform LDAP queries.

Escaping the distinguished name (DN):

   /**
    * Escapes a value for use inside a distinguished name (RFC 4514 rules):
    * a leading space or '#' and a trailing space are escaped with a backslash,
    * and the characters \ , + " < > ; and NUL are escaped wherever they occur.
    */
   public static String escapeDN(String name) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) {
           sb.append('\\'); // add the leading backslash if needed
       }
       for (int i = 0; i < name.length(); i++) {
           char curChar = name.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\\\");
                   break;
               case ',':
                   sb.append("\\,");
                   break;
               case '+':
                   sb.append("\\+");
                   break;
               case '"':
                   sb.append("\\\"");
                   break;
               case '<':
                   sb.append("\\<");
                   break;
               case '>':
                   sb.append("\\>");
                   break;
               case ';':
                   sb.append("\\;");
                   break;
               case '\u0000':
                   sb.append("\\00"); // NUL is also listed as a DN meta-character in RFC 4514
                   break;
               default:
                   sb.append(curChar);
           }
       }
       if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) {
           sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed
       }
       return sb.toString();
   }

Escaping the search filter:

   /**
    * Escapes a value for use inside a search filter (RFC 4515 rules): the
    * characters \ * ( ) and NUL are replaced by a backslash followed by the
    * two-digit hexadecimal code of the character.
    */
   public static final String escapeLDAPSearchFilter(String filter) {
       StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
       for (int i = 0; i < filter.length(); i++) {
           char curChar = filter.charAt(i);
           switch (curChar) {
               case '\\':
                   sb.append("\\5c");
                   break;
               case '*':
                   sb.append("\\2a");
                   break;
               case '(':
                   sb.append("\\28");
                   break;
               case ')':
                   sb.append("\\29");
                   break;
               case '\u0000':
                   sb.append("\\00");
                   break;
               default:
                   sb.append(curChar);
           }
       }
       return sb.toString();
   }

Test class:

   // Assumes both escape methods are static methods of a class named SecTool, and JUnit 4.
   import static org.junit.Assert.assertEquals;
   import org.junit.Test;

   public class SecToolTest {
       @Test
       public void testEscaping() {
           //escapeDN
           assertEquals("No special characters to escape", "Helloé", SecTool.escapeDN("Helloé"));
           assertEquals("leading #", "\\# Helloé", SecTool.escapeDN("# Helloé"));
           assertEquals("leading space", "\\ Helloé", SecTool.escapeDN(" Helloé"));
           assertEquals("trailing space", "Helloé\\ ", SecTool.escapeDN("Helloé "));
           assertEquals("only 3 spaces", "\\  \\ ", SecTool.escapeDN("   "));
           assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", SecTool.escapeDN(" Hello\\ + , \"World\" ; "));
           //escapeLDAPSearchFilter
           assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà"));
           assertEquals("LDAP Christmas Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));
       }
   }
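
The following is an added example, not part of the original OWASP page, showing how the two escape methods above are used when a JNDI search filter and a DN are assembled from user input, with the unescaped concatenation beside the escaped form and JNDI's own `{0}` placeholder substitution as a third option. It assumes the methods are compiled into a class named SecTool (the name the test class uses), that the caller supplies a connected DirContext, and the base DN and attribute names are constructed sample values.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Assumes escapeDN / escapeLDAPSearchFilter from above are static methods of class SecTool.
public class UserLookup {

    // Unsafe: the caller-supplied value is spliced straight into the filter, so any
    // filter meta-character it contains ('*', '(', ')', '\') changes the query itself.
    static String unsafeFilter(String uid) {
        return "(&(objectClass=person)(uid=" + uid + "))";
    }

    // Safe: meta-characters are escaped first, so the value can only ever match literally.
    static String safeFilter(String uid) {
        return "(&(objectClass=person)(uid=" + SecTool.escapeLDAPSearchFilter(uid) + "))";
    }

    // Safe: an RDN value gets the DN escaping rules, which differ from the filter rules.
    static String userDN(String uid, String baseDN) {
        return "uid=" + SecTool.escapeDN(uid) + "," + baseDN;
    }

    // Alternative without manual filter escaping: JNDI substitutes {0} with filterArgs[0]
    // and escapes the value itself, which keeps the filter structure fixed.
    static NamingEnumeration<SearchResult> findUser(DirContext ctx, String baseDN, String uid)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "cn", "mail" });
        return ctx.search(baseDN, "(&(objectClass=person)(uid={0}))", new Object[] { uid }, sc);
    }

    public static void main(String[] args) {
        // Constructed sample input: a trailing '*' is a wildcard in an unescaped filter,
        // so the unsafe form matches every uid starting with "j.doe"; the safe form
        // matches only the literal value.
        String uid = "j.doe*";
        System.out.println(unsafeFilter(uid));
        System.out.println(safeFilter(uid));
        // Constructed sample input: ',' separates RDNs, so an unescaped value would
        // split the DN; escapeDN keeps it inside the uid attribute value.
        System.out.println(userDN("Doe, John", "ou=people,dc=example,dc=com"));
    }
}
```

Escaping is still only the second line of defence: allow-list validation of the uid before it reaches any of these methods remains the primary control described in the Approach section.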