Avoid second order LDAP injection (Python)

CRITICAL

Rule Definition
An attacker could include input that changes the LDAP query which allows unintended commands or code to be executed, allows sensitive data to be read or modified or causes other unintended behavior. LDAP injection (second order) - The application stores data in a database. At a later time, the data is subsequently read back into the application and included in LDAP manipulation methods without sanitization.

Remediation
Use authorized sanitization methods of the library. Input validation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a white-list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Violation Code Sample

... db = mysql.connector.connect(...) cursor = db.cursor() user_name = input("LDAP User name?") tainted_user_ldap = cursor.execute( "select ldap_id from users where name=%s", user_name).fetchone() # content read from the database is not protected against # special characters in LDAP queries search_filter = "(&(objectclass=person)(uid=%s))" % tainted_user_ldap search_result = ldap_connection.search("ou=People,dc=x,dc=y", search_filter) # violation is_member = search_result is not None if is_member: ...

Fixed Code Sample

... from ldap3.utils import conv db = mysql.connector.connect(...) cursor = db.cursor() user_name = input("LDAP User name?") tainted_user_ldap = cursor.execute( "select ldap_id from users where name=%s", user_name).fetchone() protected_user_ldap = conv.escape_filter_chars(tainted_user_ldap) # content is now neutralized search_filter = "(&(objectclass=person)(uid=%s))" % protected_user_ldap search_result = ldap_connection.search("ou=People,dc=x,dc=y", search_filter) is_member = search_result is not None if is_member: ...

Reference

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') https://cwe.mitre.org/data/definitions/90.html Open Web Application Security Project (OWASP) OWASP Top Ten 2017 Category A1 - Injection: https://cwe.mitre.org/data/definitions/1027.html OWASP Top Ten 2021 Category A03:2021 - Injection: https://cwe.mitre.org/data/definitions/1347.html and https://owasp.org/Top10/A03_2021-Injection/ OWASP Cheat Sheet Series - LDAP Injection Prevention Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html

Related Technologies

Health Factor

Security

Technical Criterion
PCI-Requirement-6.5.1 - Injection flaws, particularly SQL injection

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.

Benchmark Statistics

Global Compliance

nan%

Total Violations

0

Total Opportunities

0

Average Violations / App.

nan

The compliance score represents 1 minus the ratio between the number of times a rule has been violated compared to the number of opportunities in a set of applications that the rule could have been violated.

Industry Insights

Want more stats? Register now!