Ensure Data Security
9. Prevent LDAP injection
The Lightweight Directory Access Protocol (LDAP) allows an application to remotely perform operations such as searching and modifying records in directories. LDAP injection results from inadequate input sanitization and validation, and allows malicious users to glean restricted information using the directory service.
A whitelist can be used to restrict input to a list of valid characters. Characters and character sequences that must be excluded from whitelists—including Java Naming and Directory Interface (JNDI) metacharacters and LDAP special characters—are listed in Table 1-1.
Table 1-1. Characters and sequences to exclude from whitelists
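As an added illustration of the whitelist approach described above (example code, not from the guideline itself), the following Java snippet contrasts a search filter built by plain concatenation with one that first validates the input against a whitelist of letters, digits and spaces. The class and method names are assumptions; the search base dc=example,dc=com is taken from the LDIF record on this page, and the RFC 4515 filter metacharacters ( ) * \ and NUL all fall outside the whitelist.

```java
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public final class LdapSearch {  // hypothetical helper class

    // Whitelist: ASCII letters, digits and spaces only. The LDAP special
    // characters of Table 1-1 (RFC 4515 metacharacters ( ) * \ and NUL)
    // are outside it, so they are rejected rather than escaped.
    private static final Pattern SAFE_INPUT = Pattern.compile("[A-Za-z0-9 ]+");

    // Noncompliant: the user-controlled value is spliced into the filter
    // unchecked, so filter metacharacters change the query's meaning.
    static String buildFilterUnsafe(String surname) {
        return "(sn=" + surname + ")";
    }

    // Compliant: reject anything outside the whitelist before the value
    // ever reaches the filter string.
    static String buildFilterSafe(String surname) {
        if (surname == null || !SAFE_INPUT.matcher(surname).matches()) {
            throw new IllegalArgumentException("surname contains disallowed characters");
        }
        return "(sn=" + surname + ")";
    }

    // Runs a subtree search under the LDIF's base DN using the validated filter.
    static NamingEnumeration<SearchResult> searchBySurname(DirContext ctx, String surname)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"cn", "mail"});
        return ctx.search("dc=example,dc=com", buildFilterSafe(surname), controls);
    }

    public static void main(String[] args) {
        System.out.println(buildFilterSafe("Smith"));      // accepted: (sn=Smith)
        try {
            buildFilterSafe("Smith)(cn=");                 // constructed bad input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Validation failures are worth logging at the application boundary, since repeated rejections of filter metacharacters are a useful detection signal.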
LDAP Injection Example
Consider an LDAP Data Interchange Format (LDIF) file that contains records in the following format:
dn: dc=example,dc=com
objectclass: dcobject
objectClass: organization
o: Some Name