ID: java-security/ldap-injection

Language: Java

Severity: Error

Category: Security


This rule helps to prevent security vulnerabilities that may arise when user-supplied data is used in the construction of an LDAP (Lightweight Directory Access Protocol) query without proper sanitization or validation. LDAP Injection is an attack technique used to exploit applications that construct LDAP statements without proper input or output sanitizing. This can lead to the execution of arbitrary LDAP queries, potentially revealing sensitive information stored in the LDAP structure.

In the provided non-compliant code, the issue arises from the use of the user-provided param in the LDAP filter without sanitizing or validating it (String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))";). This could allow an attacker to inject malicious LDAP queries.

To avoid LDAP injections, user inputs should never be directly used in the formation of an LDAP query. Instead, they should be properly sanitized or validated before use. This can be achieved using prepared statements, parameterized queries, or input validation techniques.

For instance, the non-compliant code can be modified to use parameterized filters. Instead of concatenating the user input directly into the filter string, placeholders can be used (such as (uid={0})). The user input can then be supplied as a separate parameter which will be automatically escaped by the LDAP library, mitigating the risk of LDAP injection. You can also apply a whitelist validation on the user inputs to further ensure the security of the application.

Non-Compliant Code Examples

 * OWASP Benchmark v1.2
 * <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
 * details, please see <a
 * href=""></a>.
 * <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
 * of the GNU General Public License as published by the Free Software Foundation, version 2.
 * <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 * PURPOSE. See the GNU General Public License for more details.
 * @author Dave Wichers
 * @created 2015
package org.owasp.benchmark.testcode;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(value = "/ldapi-00/BenchmarkTest00012")
public class BenchmarkTest00012 extends HttpServlet {

    private static final long serialVersionUID = 1L;

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // some code

        String param = "";
        java.util.Enumeration<String> headers = request.getHeaders("BenchmarkTest00012");

        if (headers != null && headers.hasMoreElements()) {
            param = headers.nextElement(); // just grab first element

        // URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters().
        param =, "UTF-8");

        org.owasp.benchmark.helpers.LDAPManager ads = new org.owasp.benchmark.helpers.LDAPManager();
        try {
            String base = "ou=users,ou=system";
   sc = new;
            String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))";
            Object[] filters = new Object[] {"The streetz 4 Ms bar"};

   ctx = ads.getDirContext();
   idc =
                    ( ctx;
            boolean found = false;
            javax.naming.NamingEnumeration<> results =
          , filter, filters, sc);
            while (results.hasMore()) {
       sr =
       attrs = sr.getAttributes();

       attr = attrs.get("uid");
       attr2 = attrs.get("street");
                if (attr != null) {
                                    "LDAP query results:<br>"
                                            + "Record found with name "
                                            + attr.get()
                                            + "<br>"
                                            + "Address: "
                                            + attr2.get()
                                            + "<br>");
                    // System.out.println("record found " + attr.get());
                    found = true;
            if (!found) {
                                "LDAP query results: nothing found for query: "
                                        + org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter));
        } catch (javax.naming.NamingException e) {
            throw new ServletException(e);
        } finally {
            try {
            } catch (Exception e) {
                throw new ServletException(e);
} jetbrains

Seamless integrations. Try Datadog Code Analysis