Failure to Sanitize Data into LDAP Queries ('LDAP Injection')
Weakness ID: 90 (Weakness Base) | Status: Draft
Description Summary
The software does not sufficiently sanitize special elements that are used in LDAP queries or responses, allowing attackers to modify the syntax, contents, or commands of the LDAP query before it is executed.
Example 1
In the code excerpt below, user input data (address) isn't properly sanitized before it's used to construct an LDAP query.
(Bad Code)
Example Language: Java

```java
context = new InitialDirContext(env);
// Vulnerable: the user-controlled address is concatenated straight into the filter,
// so any LDAP filter metacharacters it contains become part of the query syntax.
String searchFilter = "StreetAddress=" + address;
NamingEnumeration answer = context.search(searchBase, searchFilter, searchCtls);
```
Assume all input is malicious. Use an appropriate combination of black lists and white lists to filter or quote LDAP syntax from user-controlled input.
Nature | Type | ID | Name | View(s) this relationship pertains to |
---|---|---|---|---|
ChildOf | Weakness Class | 77 | Improper Sanitization of Special Elements used in a Command ('Command Injection') | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
ChildOf | Category | 713 | OWASP Top Ten 2007 Category A2 - Injection Flaws | Weaknesses in OWASP Top Ten (2007) (primary) 629 |
Factors: resultant to special character mismanagement, MAID, or blacklist/whitelist problems. Can be primary to authentication and verification errors.
Under-reported. This is likely found very frequently by third party code auditors, but there are very few publicly reported examples.
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
---|---|---|---|
PLOVER | | | LDAP injection |
OWASP Top Ten 2007 | A2 | CWE More Specific | Injection Flaws |
WASC | 29 | | LDAP Injection |
Submissions

Submission Date | Submitter | Organization | Source |
---|---|---|---|
| PLOVER | | Externally Mined |

Modifications

Modification Date | Modifier | Organization | Source | Comment |
---|---|---|---|---|
2008-07-01 | Sean Eidemiller | Cigital | External | added/updated demonstrative examples |
2008-07-01 | Eric Dalci | Cigital | External | updated Time of Introduction |
2008-09-08 | CWE Content Team | MITRE | Internal | updated Applicable Platforms, Relationships, Other Notes, Taxonomy Mappings |
2009-05-27 | CWE Content Team | MITRE | Internal | updated Name |
2009-10-29 | CWE Content Team | MITRE | Internal | updated Other Notes, Relationship Notes |

Previous Entry Names

Change Date | Previous Entry Name |
---|---|
2008-04-11 | LDAP Injection |
2009-05-27 | Failure to Sanitize Data into LDAP Queries (aka 'LDAP Injection') |