ID: java-security/ldap-injection
Language: Java
Severity: Error
Category: Security
CWE: 90
Description
This rule helps to prevent security vulnerabilities that may arise when user-supplied data is used in the construction of an LDAP (Lightweight Directory Access Protocol) query without proper sanitization or validation. LDAP Injection is an attack technique used to exploit applications that construct LDAP statements without proper input or output sanitizing. This can lead to the execution of arbitrary LDAP queries, potentially revealing sensitive information stored in the LDAP structure.
In the provided non-compliant code, the issue arises from the use of the user-provided param
in the LDAP filter without sanitizing or validating it (String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))";
). This could allow an attacker to inject malicious LDAP queries.
To avoid LDAP injections, user inputs should never be directly used in the formation of an LDAP query. Instead, they should be properly sanitized or validated before use. This can be achieved using prepared statements, parameterized queries, or input validation techniques.
For instance, the non-compliant code can be modified to use parameterized filters. Instead of concatenating the user input directly into the filter string, placeholders can be used (such as (uid={0})
). The user input can then be supplied as a separate parameter which will be automatically escaped by the LDAP library, mitigating the risk of LDAP injection. You can also apply a whitelist validation on the user inputs to further ensure the security of the application.
Non-Compliant Code Examples
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/
package org.owasp.benchmark.testcode;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@WebServlet(value = "/ldapi-00/BenchmarkTest00012")
public class BenchmarkTest00012 extends HttpServlet {
private static final long serialVersionUID = 1L;
@Override
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
doPost(request, response);
}
@Override
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// some code
response.setContentType("text/html;charset=UTF-8");
String param = "";
java.util.Enumeration<String> headers = request.getHeaders("BenchmarkTest00012");
if (headers != null && headers.hasMoreElements()) {
param = headers.nextElement(); // just grab first element
}
// URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters().
param = java.net.URLDecoder.decode(param, "UTF-8");
org.owasp.benchmark.helpers.LDAPManager ads = new org.owasp.benchmark.helpers.LDAPManager();
try {
response.setContentType("text/html;charset=UTF-8");
String base = "ou=users,ou=system";
javax.naming.directory.SearchControls sc = new javax.naming.directory.SearchControls();
sc.setSearchScope(javax.naming.directory.SearchControls.SUBTREE_SCOPE);
String filter = "(&(objectclass=person))(|(uid=" + param + ")(street={0}))";
Object[] filters = new Object[] {"The streetz 4 Ms bar"};
javax.naming.directory.DirContext ctx = ads.getDirContext();
javax.naming.directory.InitialDirContext idc =
(javax.naming.directory.InitialDirContext) ctx;
boolean found = false;
javax.naming.NamingEnumeration<javax.naming.directory.SearchResult> results =
idc.search(base, filter, filters, sc);
while (results.hasMore()) {
javax.naming.directory.SearchResult sr =
(javax.naming.directory.SearchResult) results.next();
javax.naming.directory.Attributes attrs = sr.getAttributes();
javax.naming.directory.Attribute attr = attrs.get("uid");
javax.naming.directory.Attribute attr2 = attrs.get("street");
if (attr != null) {
response.getWriter()
.println(
"LDAP query results:<br>"
+ "Record found with name "
+ attr.get()
+ "<br>"
+ "Address: "
+ attr2.get()
+ "<br>");
// System.out.println("record found " + attr.get());
found = true;
}
}
if (!found) {
response.getWriter()
.println(
"LDAP query results: nothing found for query: "
+ org.owasp.esapi.ESAPI.encoder().encodeForHTML(filter));
}
} catch (javax.naming.NamingException e) {
throw new ServletException(e);
} finally {
try {
ads.closeDirContext();
} catch (Exception e) {
throw new ServletException(e);
}
}
}
}