Avoid second order LDAP injection

CRITICAL

Rule Definition
An attacker could include input that changes the LDAP query which allows unintended commands or code to be executed, allows sensitive data to be read or modified or causes other unintended behavior. LDAP injection (second order) - The application stores data in a database. At a later time, the data is subsequently read back into the application and included in LDAP manipulation methods without sanitization.

Remediation
Input validation. Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a white-list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Violation Code Sample

... resultSet = preparedStatement.executeQuery(); address = resultSet.getString(1); ... String searchFilter = "StreetAddress=" + address; NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);

Fixed Code Sample

... resultSet = preparedStatement.executeQuery(); address = resultSet.getString(1); //insert a call to a strong validation code for the input received "address" cleanedAddress = mySanitization(address); ... String searchFilter = "StreetAddress=" + cleanedAddress; NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);

Reference

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') https://cwe.mitre.org/data/definitions/90.html Open Web Application Security Project (OWASP) OWASP Top Ten 2017 Category A1 - Injection: https://cwe.mitre.org/data/definitions/1027.html OWASP Top Ten 2021 Category A03:2021 - Injection: https://cwe.mitre.org/data/definitions/1347.html and https://owasp.org/Top10/A03_2021-Injection/

Related Technologies

Health Factor

Security

Technical Criterion
CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.

Benchmark Statistics

Global Compliance

nan%

Total Violations

0

Total Opportunities

0

Average Violations / App.

nan

The compliance score represents 1 minus the ratio between the number of times a rule has been violated compared to the number of opportunities in a set of applications that the rule could have been violated.

Industry Insights

Don't Know

100.00%

Financial Services

100.00%

Government

100.00%

Want more stats? Register now!