Compliant Solution
This compliant solution uses a whitelist to sanitize user input so that the filter string
contains only valid characters. In this code, userSN may contain only letters and spaces,
whereas a password may contain only alphanumeric characters.
// String userSN = "Sherlock Holmes";  // Valid
// String userPassword = "secret2";    // Valid
// ... beginning of LDAPInjection.searchRecord() ...
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
String base = "dc=example,dc=com";

// Whitelist: letters, digits, underscore and whitespace for the surname;
// letters, digits and underscore only for the password. Anything else,
// including the LDAP filter metacharacters ( ) * \ and NUL, is rejected.
if (!userSN.matches("[\\w\\s]*") ||
    !userPassword.matches("[\\w]*")) {
  throw new IllegalArgumentException("Invalid input");
}
// No whitespace around '=': the filter syntax (RFC 4515) allows none.
String filter = "(&(sn=" + userSN + ")(userPassword=" +
                userPassword + "))";
// ... remainder of LDAPInjection.searchRecord() ...
When a database field such as a password must include special characters, it is critical
to ensure that the authentic data is stored in sanitized form in the database and also that
any user input is normalized before the validation or comparison takes place. Using
characters that have special meanings in JNDI and LDAP in the absence of a comprehensive
normalization and whitelisting-based routine is discouraged. Special characters must be
transformed to sanitized, safe values before they are added to the whitelist expression
against which input will be validated. Likewise, normalization of user input should occur
before the validation step.
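An added example, not part of the CERT text, that puts the three steps above together: normalize the input, validate it against the same whitelists as the compliant solution, and, for a field that must admit filter metacharacters, escape them per RFC 4515 before the value reaches the filter string. The class and method names and the sample inputs in main are constructed for illustration.

```java
import java.text.Normalizer;
import java.util.regex.Pattern;

public final class LdapFilterInput {
    // Same whitelists as the compliant solution above.
    private static final Pattern SN_OK = Pattern.compile("[\\w\\s]*");
    private static final Pattern PW_OK = Pattern.compile("[\\w]*");

    /** Normalize first (NFKC folds compatibility forms such as fullwidth letters), then whitelist. */
    static String requireMatch(String value, Pattern allowed, String fieldName) {
        String normalized = Normalizer.normalize(value, Normalizer.Form.NFKC);
        if (!allowed.matcher(normalized).matches()) {
            throw new IllegalArgumentException("Invalid " + fieldName);
        }
        return normalized;
    }

    /** RFC 4515 escaping for a field that legitimately admits filter metacharacters. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String buildFilter(String userSN, String userPassword) {
        String sn = requireMatch(userSN, SN_OK, "surname");
        String pw = requireMatch(userPassword, PW_OK, "password");
        return "(&(sn=" + sn + ")(userPassword=" + pw + "))";
    }

    public static void main(String[] args) {
        // Constructed inputs. Fullwidth S (U+FF33) is folded to "S" by NFKC before validation.
        System.out.println(buildFilter("\uFF33herlock Holmes", "secret2"));
        try {                       // metacharacters never reach the filter string
            buildFilter("Holmes)(sn=*", "secret2");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Where such characters must be accepted, escape instead of rejecting.
        System.out.println("(sn=" + escapeFilterValue("Holmes)(sn=*") + ")");
    }
}
```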
Applicability
Failure to sanitize untrusted input can result in information disclosure and privilege
escalation.