Avoid LDAP injection vulnerabilities ( CWE-90 )

CRITICAL

Rule Definition
In web based applications, the validation of all user input is critical to avoid major security problems that would come from the Injection flaws. To avoid the creation of Injection flaws, the Open Web Application Security Project (OWASP) recommends the validation of all user input : "Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. Reject invalid input rather than attempting to sanitize potentially hostile data. Do not forget that error messages might also include invalid data" The Common Weakness Enumeration defines Improper Input Validation ( CWE-20 ) as follows : "When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution." This rule ensures that the appropriate input validation is coded within the same method that called the user input call, making security checking easier for all team members.

Remediation
Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."

Violation Code Sample

context = new InitialDirContext(env); String searchFilter = "StreetAddress=" + address; NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);

Fixed Code Sample

context = new InitialDirContext(env); //The code below constructs an LDAP query using user input address data: String searchFilter = "StreetAddress=" + address; // Include validate code for searchFilter NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);

Reference

CWE-90 : Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') http://cwe.mitre.org/data/definitions/90.html Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Top_10_2007

Related Technologies
.Net JEE

Health Factor

Transferability

Technical Criterion
CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.

Benchmark Statistics

Global Compliance

100.00%

Total Violations

4

Total Opportunities

168,828

Average Violations / App.

0.02

The compliance score represents 1 minus the ratio between the number of times a rule has been violated compared to the number of opportunities in a set of applications that the rule could have been violated.

Industry Insights

Select from drop-down

99.99%

Financial Services

99.99%

IT & Business Consulting

99.98%

Want more stats? Register now!