Failure to Sanitize Data into LDAP Queries ('LDAP Injection')
Weakness ID: 90 (Weakness Base)Status: Draft
+ Description

Description Summary

The software does not sufficiently sanitize special elements that are used in LDAP queries or responses, allowing attackers to modify the syntax, contents, or commands of the LDAP query before it is executed.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Applicable Platforms

Languages

All

Technology Classes

Database-Server

+ Demonstrative Examples

Example 1

In the code excerpt below, user input data (address) isn't properly sanitized before it's used to construct an LDAP query.

(Bad Code)
Example Language: Java 
context = new InitialDirContext(env);
String searchFilter = "StreetAddress=" + address;
NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);
+ Potential Mitigations

Assume all input is malicious. Use an appropriate combination of black lists and white lists to filter or quote LDAP syntax from user-controlled input.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class77Improper Sanitization of Special Elements used in a Command ('Command Injection')
Development Concepts (primary)699
Research Concepts (primary)1000
ChildOfCategoryCategory713OWASP Top Ten 2007 Category A2 - Injection Flaws
Weaknesses in OWASP Top Ten (2007) (primary)629
+ Relationship Notes

Factors: resultant to special character mismanagement, MAID, or blacklist/whitelist problems. Can be primary to authentication and verification errors.

+ Research Gaps

Under-reported. This is likely found very frequently by third party code auditors, but there are very few publicly reported examples.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERLDAP injection
OWASP Top Ten 2007A2CWE More SpecificInjection Flaws
WASC29LDAP Injection
+ References
SPI Dynamics. "Web Applications and LDAP Injection".
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modifications
Modification DateModifierOrganizationSource
2008-07-01Sean EidemillerCigitalExternal
added/updated demonstrative examples
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable Platforms, Relationships, Other Notes, Taxonomy Mappings
2009-05-27CWE Content TeamMITREInternal
updated Name
2009-10-29CWE Content TeamMITREInternal
updated Other Notes, Relationship Notes
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11LDAP Injection
2009-05-27Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection')