...

Character   Name
' and "     Single and double quote
/ and \     Forward slash and backslash
\\          Two consecutive backslashes
space       Space character at beginning or end of string
#           Hash character at the beginning of the string
< and >     Angle brackets
, and ;     Comma and semicolon
+ and *     Addition and multiplication operators
( and )     Round brackets (parentheses)
\u0000      Unicode NULL character

Noncompliant Code Example

For the purpose of this example, consider an LDIF file that contains records in the following format:

...

// Noncompliant: userSN and userPassword are concatenated directly into the
// LDAP search filter. Attacker-controlled values such as
//   String userSN = "S*";       // Invalid
//   String userPassword = "*";  // Invalid
// turn the filter into (&(sn=S*)(userPassword=*)), which matches every entry
// whose surname starts with "S" regardless of the password supplied.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LDAPInjection {
  private void searchRecord(String userSN, String userPassword) throws NamingException {
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // Context.PROVIDER_URL (the ldap:// address of the directory) is not set
    // here; the original example omits it, so a real deployment must add it.
    String base = "dc=example,dc=com";
    try {
      DirContext dctx = new InitialDirContext(env);

      SearchControls sc = new SearchControls();
      String[] attributeFilter = {"cn", "mail"};
      sc.setReturningAttributes(attributeFilter);
      sc.setSearchScope(SearchControls.SUBTREE_SCOPE);

      // Untrusted input is spliced into the filter without validation or escaping.
      // With userSN = "S*" and userPassword = "*" the following resolves to
      // (&(sn=S*)(userPassword=*))
      String filter = "(&(sn=" + userSN + ")(userPassword=" + userPassword + "))";

      NamingEnumeration<SearchResult> results = dctx.search(base, filter, sc);
      while (results.hasMore()) {
        SearchResult sr = results.next();
        Attributes attrs = sr.getAttributes();
        Attribute attr = attrs.get("cn");
        System.out.println(attr.get());
        attr = attrs.get("mail");
        System.out.println(attr.get());
      }
      dctx.close();
    } catch (NamingException e) {
      // Handle
    }
  }
}

Compliant Solution

This compliant solution validates user input against a whitelist so that only permitted characters reach the filter string. For example, userSN may contain only letters and spaces, whereas a password may contain alphanumeric characters.

...

If special characters must be allowed in a directory field such as a password, the authentic data must be stored in a sanitized form and any user input must be escaped and transformed into that same form before validation or comparison takes place. Characters that have special meaning to JNDI and LDAP are strongly discouraged unless a comprehensive whitelist-based routine encodes and escapes them. Refer to the guideline IDS04-J. Properly encode or escape output for examples of output encoding and escaping. Each special character must be transformed into its sanitized, safe form before it is added to the whitelist expression against which input is validated, and the same escaping and encoding must be applied to user input before the validation step, so that the whitelist is checked against the escaped form rather than the raw input.
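The following is an added example, not the CERT page's own compliant solution (which is elided above) and not code from the OWASP reference. It combines the two steps this section describes: the whitelist validation from the Compliant Solution (letters and spaces for userSN, alphanumerics for the password) and the escape-then-validate handling of special characters from the paragraph above. The class name SafeLdapFilter, the helpers escapeFilterValue() and buildFilter(), and the two regular expressions are assumptions made for illustration; the escape table itself is the one RFC 4515 defines for values inside an LDAP search filter.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

public class SafeLdapFilter {
  // Assumed whitelists (not from the original page): surnames are letters and
  // spaces; passwords are alphanumerics plus the \XX escape sequences that
  // escapeFilterValue() produces, so validation runs on the escaped form.
  private static final Pattern SN_ALLOWED = Pattern.compile("[A-Za-z ]+");
  private static final Pattern PW_ALLOWED = Pattern.compile("([A-Za-z0-9]|\\\\[0-9a-f]{2})+");

  /** RFC 4515 escaping for a value placed inside an LDAP search filter. */
  static String escapeFilterValue(String value) {
    StringBuilder sb = new StringBuilder(value.length());
    for (char c : value.toCharArray()) {
      switch (c) {
        case '\\': sb.append("\\5c"); break;
        case '*':  sb.append("\\2a"); break;
        case '(':  sb.append("\\28"); break;
        case ')':  sb.append("\\29"); break;
        case 0:    sb.append("\\00"); break;  // Unicode NULL (\u0000)
        default:   sb.append(c);
      }
    }
    return sb.toString();
  }

  /**
   * Builds the search filter used by the noncompliant example, but only after
   * both inputs pass their whitelists. Throws IllegalArgumentException otherwise.
   */
  static String buildFilter(String userSN, String userPassword) {
    if (!SN_ALLOWED.matcher(userSN).matches()) {
      throw new IllegalArgumentException("surname contains characters outside the whitelist");
    }
    // Escape first, then validate the escaped form, as the guideline describes.
    String escapedPw = escapeFilterValue(userPassword);
    if (!PW_ALLOWED.matcher(escapedPw).matches()) {
      throw new IllegalArgumentException("password contains characters outside the whitelist");
    }
    return "(&(sn=" + userSN + ")(userPassword=" + escapedPw + "))";
  }

  public static void main(String[] args) {
    // Constructed inputs: the injection attempt from the noncompliant example,
    // a password that legitimately contains a wildcard character, and a plain pair.
    String[][] cases = {
      {"S*", "*"},          // rejected: '*' is not a whitelisted surname character
      {"Smith", "pa*ss"},   // accepted as (&(sn=Smith)(userPassword=pa\2ass))
      {"Smith", "secret1"}, // accepted as (&(sn=Smith)(userPassword=secret1))
    };
    for (String[] c : cases) {
      try {
        System.out.println("accepted: " + buildFilter(c[0], c[1]));
      } catch (IllegalArgumentException e) {
        System.out.println("rejected " + Arrays.toString(c) + ": " + e.getMessage());
      }
    }
  }
}
```

With the escaped password, the wildcard in "pa*ss" reaches the server as the literal sequence \2a, which the server decodes to a literal asterisk for comparison; it is no longer a filter metacharacter, so the search cannot be widened to (userPassword=*).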

Risk Assessment

Failing to sanitize untrusted input before using it in an LDAP filter can result in information disclosure and privilege escalation.

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
IDS16-J   high      likely      medium            P18       L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[API 06]
[OWASP 08] Preventing LDAP Injection in Java, http://www.owasp.org/index.php/Preventing_LDAP_Injection_in_Java

...