Preventing LDAP injection

I am working on my first desktop app that queries LDAP. I'm working in C under unix and using opends, and I'm new to LDAP. After working a while on that I noticed that the user might be able to alter the LDAP query by injecting malicious code.
I'd like to know which sanitizing techniques are known, not only for C/unix development but in more general terms, i.e., web development etc.
I thought that escaping equals and semicolons would be enough, but not sure.

Here is a little piece of code to make the question clearer:

```java
String ldapSearchQuery = "(cn=" + $userName + ")";  // $userName is untrusted input
System.out.println(ldapSearchQuery);
```

Obviously I do need to sanitize $userName, as stated in this OWASP ARTICLE

mati asked Jun 12 '10 13:06


People also ask

What type of defenses mitigate LDAP injection?

Just like other injection attack vulnerabilities, the primary defense against LDAP injection is proper input validation. Unfortunately, there are no prepared statements interfaces for LDAP like those used in SQL. Therefore, the most effective solution is a strong validation of untrusted input.

What is LDAP injection?

LDAP injection is a vulnerability in which queries are constructed from untrusted input without prior validation or sanitization. LDAP uses queries constructed from predicates that involve the use of special characters (e.g., brackets, asterisks, ampersands, or quotes).

Can LDAP be exploited?

Using LDAP injection, an attacker can enter the directory to gain access to unauthorized information or modify LDAP statements and content inside the LDAP tree. They can also exploit web applications that create LDAP statements based on user input.

What is blind LDAP injection?

Blind LDAP Injection techniques can be used to obtain sensitive information from the LDAP directory services by taking advantage of the AND operator at the beginning of the LDAP search filter built into the web application.


2 Answers

OWASP is a good security guide that I use a lot, and has example code (in Java, but you should be able to translate): http://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java

Also, here's an Active Directory specific reference: http://www.rlmueller.net/CharactersEscaped.htm

Trueblood answered Oct 13 '22 00:10


You got your answer in the question comment already. RFC 2254 has it.

Here's what I use in PHP. Something equivalent in your language should suffice.

```php
/**
 * Sanitizes ldap search strings.
 * See rfc2254
 * @link http://www.faqs.org/rfcs/rfc2254.html
 * @since 1.5.1 and 1.4.5
 * @param string $string
 * @return string sanitized string
 * @author Squirrelmail Team
 */
function ldapspecialchars($string) {
    // Backslash must be listed first so already-escaped output is not re-escaped.
    $sanitized=array('\\' => '\5c',
                     '*' => '\2a',
                     '(' => '\28',
                     ')' => '\29',
                     "\x00" => '\00');

    return str_replace(array_keys($sanitized),array_values($sanitized),$string);
}
```
Alexandros Vellis answered Oct 13 '22 00:10
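Both answers come down to the same two steps, input validation (the OWASP guidance in the first answer) and RFC 2254/4515 filter escaping (the PHP function in the second). Since the asker works in C, here is an added example, not code from either answer or from any library, that does both in C: an allow-list check on the user name, then the same backslash-hex escaping for `\`, `*`, `(` and `)`, used to build the `(cn=...)` filter from the question. The function names, the accepted user-name alphabet and the 64-byte limit are this example's own assumptions, and the hostile input is constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Allow-list check for a user name before it goes anywhere near a filter.
 * The accepted alphabet (ASCII letters, digits, '.', '_', '-', at most 64
 * bytes) is an assumption for this example; use the naming rules your
 * directory actually enforces. Returns 1 if acceptable, 0 otherwise. */
int is_valid_username(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 64)
        return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Escape a value for use inside an LDAP search filter as RFC 4515 (the
 * successor of RFC 2254) requires: '\', '*', '(' and ')' become a backslash
 * followed by the two-digit hex code of the byte (\5c, \2a, \28, \29).
 * A NUL byte cannot occur inside a C string, so it needs no case here;
 * all other bytes, UTF-8 included, pass through unchanged.
 * Returns a malloc()ed string the caller must free(), or NULL on failure. */
char *ldap_filter_escape(const char *value)
{
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);  /* worst case: every byte becomes 3 */
    if (out == NULL)
        return NULL;
    char *p = out;
    for (const unsigned char *s = (const unsigned char *)value; *s; s++) {
        switch (*s) {
        case '\\': case '*': case '(': case ')':
            /* writes e.g. "\2a" plus a NUL that the next write overwrites */
            snprintf(p, 4, "\\%02x", (unsigned)*s);
            p += 3;
            break;
        default:
            *p++ = (char)*s;
        }
    }
    *p = '\0';
    return out;
}

/* Build "(cn=<user>)" with the user-supplied part escaped.
 * Returns a malloc()ed string the caller must free(), or NULL on failure. */
char *build_cn_filter(const char *user_name)
{
    char *esc = ldap_filter_escape(user_name);
    if (esc == NULL)
        return NULL;
    size_t n = strlen(esc) + sizeof("(cn=)");  /* sizeof includes the NUL */
    char *filter = malloc(n);
    if (filter != NULL)
        snprintf(filter, n, "(cn=%s)", esc);
    free(esc);
    return filter;
}

int main(void)
{
    /* Constructed input: an attempt to close the cn clause early and
     * append a second predicate. */
    const char *hostile = "*)(uid=*";

    /* Step 1: the allow-list rejects it outright. */
    printf("passes allow-list: %d\n", is_valid_username(hostile));

    /* Step 2: even if it were passed on, escaping keeps it a literal value. */
    char *f = build_cn_filter(hostile);
    if (f == NULL)
        return 1;
    printf("escaped filter: %s\n", f);  /* (cn=\2a\29\28uid=\2a) */
    free(f);
    return 0;
}
```

Validation comes first because escaping alone still lets an attacker search for arbitrary literal names; the allow-list bounds what reaches the directory at all, and the escaping is the safety net for values that legitimately contain filter metacharacters. Note that this escaping is for filter values only; a value placed in a distinguished name follows the different RFC 4514 rules that the Active Directory reference in the first answer describes.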