LDAP injection issue in checkmarx:


I am trying to develop an app and scanned my code using Checkmarx, and it reported an LDAP injection issue in the method below.

Update(request.getParameter("userID"));

We are calling this method and using request.getParameter() to get the corresponding value; Checkmarx is showing the issue at request.getParameter("userID").

The issue description is: "This element's value then flows through the code without being properly sanitized or validated, and is eventually used in an LDAP query in method".

So the following is one of the ways I tried:

String userID = request.getParameter("userID");
// reject a missing or empty parameter (|| rather than &&, otherwise isEmpty() would be called on null)
if (userID == null || userID.isEmpty()) {
    throw new ServletException();
} else {
    Update(userID);
}

Even with the above changes, the issue is not resolved.

Any idea how to resolve this issue?


1 answer

Answered by yaloner:

Seems like Checkmarx is correct in flagging your code as vulnerable to LDAP Injection.

What is LDAP Injection?

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

Quote taken from CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection').

How to mitigate?

Protection against LDAP injections requires accurate coding and secure server configuration. Front-end applications should perform input validation and restrict all potentially malicious symbols. Developers can use regular expressions to validate untrusted input. The following regular expression can limit the scope of potential attacks by allowing only numbers and letters:

/[^0-9a-z]/i

Perform filtration of outgoing data as an additional level of security. Do not output information that is not related to the application's functionality. Implement correct access control on data within the LDAP directory, set appropriate permissions on user objects and disable anonymous access to directory objects.

Quote and example taken from LDAP Injection Vulnerability | CWE-90 Weakness | Exploitation and Remediation.
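The following is an added example (not the asker's or answerer's code) showing how the null/empty check from the question and the letters-and-digits allow-list from the answer combine into a validator that the servlet code can call before `Update(...)`; the class name, the length limit of 64 and the helper names are my assumptions, and `Update` is assumed to be the asker's own method that builds the LDAP query.

```java
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

public class UserIdValidation {

    // Allow-list from the answer: only ASCII letters and digits. The answer's
    // /[^0-9a-z]/i matches any forbidden character; the anchored pattern below
    // expresses the same rule as "the whole value must match". The length
    // limit (64) is an assumption, not something the page states.
    private static final Pattern SAFE_USER_ID = Pattern.compile("^[0-9A-Za-z]{1,64}$");

    /** Returns the validated user ID or throws. A value that passes cannot
     *  contain LDAP filter metacharacters such as '*', '(', ')', '\\' or NUL. */
    public static String validateUserId(String raw) throws ServletException {
        // null/empty check from the question, with || so isEmpty() is never called on null
        if (raw == null || raw.isEmpty()) {
            throw new ServletException("userID is missing");
        }
        if (!SAFE_USER_ID.matcher(raw).matches()) {
            throw new ServletException("userID contains disallowed characters");
        }
        return raw;
    }

    /** Defence in depth: encode a value for use inside an LDAP search filter
     *  (RFC 4515 escaping), for the case where the allow-list must admit
     *  characters such as spaces or dots. Not a substitute for validateUserId. */
    public static String escapeLdapFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Reads and validates the parameter from the question; the servlet then
     *  passes the returned value to its own Update(...) method. */
    public static String readUserId(HttpServletRequest request) throws ServletException {
        return validateUserId(request.getParameter("userID"));
    }
}
```

Whether a scanner recognises the regex check as a sanitizer depends on its rule set; what matters for the actual weakness is that no value containing filter metacharacters can reach the query, which the anchored allow-list guarantees.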