Question

Our software takes a username from user input and puts it into an LDAP request like this:

(& () (sAMAccountName=userinput))

It looks very fishy to me, but so far I wasn't able to break it by exploiting the missing sanitization. I always get "missing equals" as soon as I try any special characters. Could it be that com.sun.jndi.ldap.Filter.encodeFilter is taking care of that?


Solution

One thing to watch out for with LDAP injection is the wildcard character ('*') at the end of the user input. It's a perfectly valid character for search queries, but if you're expecting a unique username then you should definitely sanitize this before building the filter and passing it on. Regular expressions are typically used for this.

The code for Java's Filter class can be found here:

http://www.docjar.com/html/api/com/sun/jndi/ldap/Filter.java.html

Looks like the encodeSimpleFilter function is what throws the Missing 'equals' exception.

If you want to check the final LDAP filter that's passed to AD, you can easily use Wireshark for unencrypted connections, or view the query using the info from this Server Fault thread:

https://serverfault.com/questions/280042/how-do-you-trace-debug-ldap-connections-against-active-directory
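Added example (not code from the question or the answer above, nor from the JDK) that contrasts the raw concatenation from the question with the two defences the answer points at: a whitelist check on sAMAccountName and escaping of filter metacharacters per RFC 4515. It also shows the JNDI form `DirContext.search(base, "(…={0})", filterArgs, controls)`, where the provider itself escapes the substituted value. Assumptions: the empty `()` in the question is replaced by `(objectClass=user)` so the filter is well-formed; the whitelist pattern is an illustrative policy; `userExists` needs a reachable directory, so `main` only runs the offline parts on constructed probe inputs.

```java
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapFilterDemo {

    // Illustrative whitelist for a bare sAMAccountName (assumed policy, not an AD rule):
    // letters, digits, dot, underscore, hyphen; no '*' so a trailing wildcard is rejected.
    private static final Pattern SAM_ACCOUNT_NAME = Pattern.compile("^[A-Za-z0-9._-]{1,20}$");

    /** The pattern from the question: raw concatenation, no escaping. Shown only for contrast. */
    static String unsafeFilter(String userInput) {
        return "(&(objectClass=user)(sAMAccountName=" + userInput + "))";
    }

    /** True if the input is acceptable as a unique account name under the whitelist above. */
    static boolean isValidSamAccountName(String userInput) {
        return userInput != null && SAM_ACCOUNT_NAME.matcher(userInput).matches();
    }

    /**
     * RFC 4515 escaping for an assertion value: '*', '(', ')', '\' and NUL become \XX hex
     * escapes; control bytes and non-ASCII UTF-8 bytes are hex-escaped as well.
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            switch (b) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case 0:    sb.append("\\00"); break;
                default:
                    if (b < 0x20 || b >= 0x7f) {          // negative bytes are non-ASCII UTF-8
                        sb.append(String.format("\\%02x", b & 0xff));
                    } else {
                        sb.append((char) b);
                    }
            }
        }
        return sb.toString();
    }

    /** Filter built with the value escaped: metacharacters can no longer alter the structure. */
    static String escapedFilter(String userInput) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(userInput) + "))";
    }

    /**
     * Preferred JNDI form: "{0}" is replaced by filterArgs[0] and the provider escapes
     * the special characters in it. Not run by main(): it needs a live directory.
     */
    static boolean userExists(DirContext ctx, String base, String userInput) throws NamingException {
        if (!isValidSamAccountName(userInput)) {
            return false;                                  // reject rather than search for "*"
        }
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"distinguishedName"});
        NamingEnumeration<SearchResult> results = ctx.search(
                base, "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {userInput}, sc);
        try {
            return results.hasMore();
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) {
        // Constructed probe inputs: a normal name, the trailing wildcard the answer warns
        // about, a bare wildcard, a parenthesis injection attempt and a backslash.
        String[] probes = {"jdoe", "jdoe*", "*", "jdoe)(objectClass=*", "j\\doe"};
        for (String p : probes) {
            System.out.println("input:       " + p);
            System.out.println("  unsafe:    " + unsafeFilter(p));
            System.out.println("  escaped:   " + escapedFilter(p));
            System.out.println("  whitelist: " + (isValidSamAccountName(p) ? "accepted" : "rejected"));
        }
    }
}
```

Running `main` prints, for each probe, the filter as the question's code would build it, the same filter with the value escaped, and whether the whitelist accepts the input; the wildcard and parenthesis probes survive only in the unsafe column. Escaping keeps the filter well-formed whatever the input, but only the whitelist (or an equivalent check) prevents a legitimate `*` from turning a unique-user lookup into a match-everything query.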

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow