I am working on my first desktop app that queries LDAP. I'm working in C under unix and using opends, and I'm new to LDAP. After working a while on that I noticed that the user might be able to alter the LDAP query by injecting malicious code.
I'd like to know which sanitizing techniques are known, not only for C/unix development but in more general terms, i.e., web development etc.
I thought that escaping equals and semicolons would be enough, but not sure.
Here is a little piece of code so I can make clearer the question:
String ldapSearchQuery = "(cn=" + $userName + ")";
System.out.println(ldapSearchQuery);
Obviously I do need to sanitize $userName, as stated in this OWASP ARTICLE
Just like other injection attack vulnerabilities, the primary defense against LDAP injection is proper input validation. Unfortunately, there are no prepared statements interfaces for LDAP like those used in SQL. Therefore, the most effective solution is a strong validation of untrusted input.
LDAP injection is a vulnerability in which queries are constructed from untrusted input without prior validation or sanitization. LDAP uses queries constructed from predicates that involve the use of special characters (e.g., brackets, asterisks, ampersands, or quotes).
Using LDAP injection, an attacker can enter the directory to gain access to unauthorized information or modify LDAP statements and content inside the LDAP tree. They can also exploit web applications that create LDAP statements based on user input.
Blind LDAP Injection techniques can be used to obtain sensitive information from the LDAP directory services by taking advantage of the AND operator at the beginning of the LDAP search filter built into the web application.
OWASP is a good security guide that I use a lot, and has example code (in Java, but you should be able to translate): http://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java
Also, here's an Active Directory specific reference: http://www.rlmueller.net/CharactersEscaped.htm
You got your answer in the question comment, already. RFC 2254 has it.
Here's what I use in PHP. Something equivalent in your language should suffice.
/**
 * Sanitizes ldap search strings.
 * See rfc2254
 * @link http://www.faqs.org/rfcs/rfc2254.html
 * @since 1.5.1 and 1.4.5
 * @param string $string
 * @return string sanitized string
 * @author Squirrelmail Team
 */
function ldapspecialchars($string) {
    // Backslash must be listed first so the escapes added below are not re-escaped.
    $sanitized = array('\\'   => '\5c',
                       '*'    => '\2a',
                       '('    => '\28',
                       ')'    => '\29',
                       "\x00" => '\00');
    return str_replace(array_keys($sanitized), array_values($sanitized), $string);
}
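Since the question is about a C/unix client, here is the same RFC 2254 escaping as an added example in C (my own code, not from either answer or from OpenDS). It goes slightly beyond the PHP snippet by also hex-escaping any byte of 0x80 and above, which RFC 4515 permits for any byte; the function names `ldap_filter_escape` and `build_cn_filter` are my own.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Escape one value for use inside an LDAP search filter (RFC 2254 / RFC 4515).
 * The filter metacharacters '\', '*', '(', ')' and NUL are replaced by a
 * backslash plus two hex digits; bytes >= 0x80 are hex-escaped the same way.
 * `inlen` is explicit so embedded NUL bytes are handled rather than truncated.
 * Returns the number of bytes written (excluding the terminating NUL), or -1
 * if `out` is too small, in which case `out` is set to the empty string. */
int ldap_filter_escape(const char *in, size_t inlen, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        int escape = (c == '\\' || c == '*' || c == '(' || c == ')' ||
                      c == '\0' || c >= 0x80);
        size_t need = escape ? 3 : 1;
        if (o + need + 1 > outlen) {      /* +1 keeps room for the NUL */
            out[0] = '\0';
            return -1;
        }
        if (escape) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "(cn=<value>)" from an untrusted username; -1 if it does not fit. */
int build_cn_filter(const char *username, char *filter, size_t filterlen)
{
    char escaped[256];
    int n = ldap_filter_escape(username, strlen(username), escaped, sizeof escaped);
    if (n < 0) return -1;
    int w = snprintf(filter, filterlen, "(cn=%s)", escaped);
    if (w < 0 || (size_t)w >= filterlen) return -1;
    return w;
}

int main(void)
{
    char filter[512];
    /* constructed sample input: a value that would otherwise close the (cn=...)
       predicate and widen the search to every entry with a uid */
    if (build_cn_filter("*)(uid=*", filter, sizeof filter) > 0)
        printf("%s\n", filter);           /* prints (cn=\2a\29\28uid=\2a) */
    return 0;
}
```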